The document discusses various API authentication mechanisms including HTTP basic, digest, TLS mutual authentication, and OAuth versions 1.0 and 2.0. It covers implementation details and examples while also highlighting fine-grained access control strategies such as XACML architecture and User Managed Access (UMA). Additionally, it mentions token introspection and the use of chained APIs for centralized authorization in distributed systems.

1. API
Security
Pa.erns
and
More
Prabath
Siriwardena
Director
of
Security
Architecture
WSO2

2. Direct
Authen,ca,on
• HTTP
Basic
Authentication
• HTTP
Digest
Authentication
• TLS
Mutual
Authentication
• OAuth
1.o
:
Two
Legged
OAuth
• OAuth
2.o
:
Client
Credentials
• NTLM
/
Kerberos

3. HTTP
Basic
Authen,ca,on
curl
-­‐I
-­‐u
$GitHubUserName:GitHubPassword
-­‐X
POST
-­‐H
'Content-­‐Type:
applica,on/x-­‐www-­‐form-­‐urlencoded’
-­‐d
'{"name":
"my_github_repo"}'
hPps://api.github.com/user/repos
§ Creating
a
GitHub
repository

4. HTTP
Digest
Authen,ca,on
curl
-­‐k
–-­‐digest
–u
userName:password
-­‐v
hPps://localhost:8443/recipe
HTTP/1.1
401
Unauthorized
WWW-­‐Authen,cate:
Digest
realm="cute-­‐cupcakes.com",
qop="auth”,
nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422",
opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
Authoriza,on:
Digest
username="prabath",
realm="cute-­‐cupcakes.com",
nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422",
uri="/recipe",
cnonce="MTM5MDc4",
nc=00000001,
qop="auth",
response="f5bi64ba8596d1b9ad1514702f5a062",
opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

5. HTTP
Basic
vs.
Digest
Authen,ca,on

6. TLS
Mutual
Authen,ca,on
curl
-­‐k
-­‐-­‐cert
client.pem
hPps://localhost:8443/recipe

7. OAuth
1.0
:
Two
Legged
OAuth
POST
/student?name=pavithra
HTTP/1.1
Host:
server.com
Content-­‐Type:
applica,on/x-­‐www-­‐form-­‐urlencoded
Authoriza,on:
OAuth
realm="simple",
oauth_consumer_key="dsdsddDdsdsds
",
oauth_token="
",
oauth_signature_method="HMAC-­‐SHA1",
oauth_,mestamp="1474343201",
oauth_nonce="rerwerweJHKjhkdsjhkhj",
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

8. OAuth
2.0
:
Client
Creden,als
curl
-­‐v
-­‐X
POST
-­‐-­‐basic
-­‐u
588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b
]
-­‐H
"Content-­‐Type:
applica,on/x-­‐www-­‐form-­‐urlencoded;charset=UTF-­‐8”
-­‐d
"client_id=588997174524690&grant_type=client_creden,als"
hPps://graph.facebook.com/oauth/access_token

9. Kerberos
/
NTLM
§ Can
be
implemented
as
OAuth
2.0
grant
types

10. Brokered
Authen,ca,on
§ SAML
2.0
grant
type
for
OAuth
2.0

11. Brokered
Authen,ca,on
§ SAML
2.0
grant
type
for
OAuth
2.0

12. Brokered
Authen,ca,on
§ JWT
grant
type
for
OAuth
2.0

13. Fine-­‐grained
Access
Control

14. Fine-­‐grained
Access
Control
POST
/introspec,on
HTTP/1.1
Accept:
applica,on/x-­‐www-­‐form-­‐urlencoded
Host:
server.example.com
Authoriza,on:
Basic
czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
token=X3241Affw.4233-­‐99JXJ&resource_id=…
{
"ac,ve":
true,
"client_id":"s6BhdRkqt3",
"scope":
"read
write
dolphin",
"sub":
"2309x32kl",
"aud":
hPp://example.org/protected-­‐resource/*
}
§ Token
Introspection

15. Fine-­‐grained
Access
Control
§ XACML
Architecture

16. Fine-­‐grained
Access
Control
§ XACML
Request
<Request>
<A.ributes
Category="urn:oasis:names:tc:xacml:3.0:a.ribute-­‐category:oauth-­‐client">
<A.ribute
A.ributeId="urn:oasis:names:tc:xacml:1.0:client:client-­‐id">
<A.ributeValue
DataType="h.p://www.w3.org/2001/XMLSchema#string">32324343434</A.ributeValue>
</A.ribute>
<A.ributes>
<A.ributes
Category="urn:oasis:names:tc:xacml:3.0:aPribute-­‐category:ac,on">
<A.ribute
A.ributeId="urn:oasis:names:tc:xacml:1.0:acUon:acUon-­‐id">
<A.ributeValue
DataType="h.p://www.w3.org/2001/XMLSchema#string">GET</A.ributeValue>
</A.ribute>
</A.ributes>
<A.ributes
Category="urn:oasis:names:tc:xacml:3.0:aPribute-­‐category:scope">
<A.ribute
A.ributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-­‐id">
<A.ributeValue
DataType="h.p://www.w3.org/2001/XMLSchema#string">user_acUviUes</A.ributeValue>
</A.ribute>
</A.ributes>
<A.ributes
Category="urn:oasis:names:tc:xacml:3.0:a.ribute-­‐category:resource">
<A.ribute
A.ributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-­‐id">
<A.ributeValue
DataType="h.p://www.w3.org/2001/XMLSchema#string">
h.ps://graph.facebook.com/prabathsiriwardena/acUviUes</A.ributeValue>
</A.ribute>
</A.ributes>
</Request>

17. Fine-­‐grained
Access
Control
§ XACML
Policy
<Policy>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:funcUon:string-­‐equal">
<A.ributeValue
DataType="h.p://www.w3.org/2001/XMLSchema#string">
user_ac,vi,es</A.ributeValue>
<A.ributeDesignator
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:a.ribute-­‐category:scope"
A.ributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-­‐id"
DataType="h.p://www.w3.org/2001/XMLSchema#string"></A.ributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
RuleId="permit_rule"
Effect="Permit">
</Rule>
<Rule
RuleId="deny_rule"
Effect="Deny">
</Rule>
</Policy>

18. Chained
APIs

19. Chained
APIs
POST
/token
HTTP/1.1
Host:
authz.server.net
Content-­‐Type:
applica,on/x-­‐www-­‐form-­‐urlencoded
grant_type=
hPp://oauth.net/grant_type/chain
oauth_token=dsddDLJkuiiuieqjhk238khjh
scope=read
HTTP/1.1
200
OK
Content-­‐Type:
applica,on/json;charset=UTF-­‐8
Cache-­‐Control:
no-­‐store
Pragma:
no-­‐cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"Bearer",
"expires_in":1800,
}

20. Centralized
Authoriza,on
with
Distributed
Resource
Servers

21. User
Managed
Access
(UMA)
• PAT
(Protection
API
Token)
:
Token
issued
to
the
Resource
Server
to
access
the
Protection
API
(Authorization
Server)
with
the
approval
of
the
Resource
Owner.
• AAT
(Authorization
API
Token)
:
Token
issued
to
the
Client
to
access
the
Authorization
API
(Authorization
Server)..
• RPT
(Requesting
Party
Token)
:
Token
issued
to
the
Client
to
access
the
Protected
Resource
on
behalf
of
the
Requesting
Party
by
the
Authorization
Server.

22. Thank
You