© Hitachi, Ltd. 2021. All rights reserved.
A high-security API management infrastructure
using Apache Camel
ApacheCon@Home 2021
Hitachi, Ltd.
OSS Solution Center
09/21/2021
Yang Xie
Contents
1. API management infrastructure using Camel and Keycloak
2. Drawbacks of security
3. Security enhancement with Keycloak
4. Conclusion

1. API management infrastructure using Camel and Keycloak
1-1 API management infrastructure using Camel and Keycloak
• Apache Camel (hereinafter "Camel"), known as a tool for integrating heterogeneous systems, can also be used as an API gateway.
• By adding Keycloak as an OAuth 2.0 authorization server, we can create an API management infrastructure that provides the functions shown in the picture, such as reverse proxy and token issuance/management.
[Figure: API management infrastructure. Labels: Application, Token request, Access Token, Authorization Server (Keycloak) with Token Issuance & Management, API Gateway (Camel) with Mash-up, Protocol Conversion, Reverse Proxy and Flow Control, API Servers reached over REST (HTTP), JDBC and FTP, Metrics (Prometheus & Grafana), API Documentation.]
1-2 What is Keycloak?
• Keycloak is an identity and access management OSS whose community is managed by Red Hat.
• It can be used as an OAuth 2.0 authorization server.
[Figure: Keycloak in front of the API Server. Labels: Single Sign-On using the most popular standards (including OAuth 2.0 authorization server); Social Login (Identity Brokering); Identity management and authentication; OpenID Connect, SAML; LDAP, Active Directory, RDB.]

2. Drawbacks of security
2-1 Drawbacks of security
• Although the API management infrastructure can protect itself by using token issuance/management, it still has three security drawbacks, as the picture shows. All of these drawbacks will cause API abuse.
[Figure: Application, API Gateway (Camel), Authorization Server (Keycloak) and API Server, annotated with the three drawbacks:]
Drawback 1: Only minimal validation of the access token (such as signature and expiration time)
Drawback 2: No management of the user's access
Drawback 3: No prevention of access token stealing
2-2 Drawback of doing only minimal validation of the access token
• An access token can be invalidated before its expiration time.
• Therefore, if the API management infrastructure performs only minimal validation, such as checking the signature and expiration time, invalid access tokens whose expiration time has not yet been reached will be considered valid, and attackers can use them to access the API.
[Figure: an invalid access token within its expiration time is sent to the API Gateway (Camel) and the response is 200 (OK). Speech bubble: "Lucky! I can use an invalid access token to access the API."]
2-3 Drawback of no API access management
• With no management of API access, anyone can access the API with full authority.
[Figure: an access token is sent to the API Gateway (Camel) and the response is 200 (OK). Speech bubbles: "You can only request the API used for reading data." / "But I've already overwritten a part of the data by an API used for writing data…"]
2-4 Drawback of no access token stealing prevention
• With no prevention of access token stealing, attackers can use a stolen access token to access the API.
[Figure: a stolen access token is sent to the API Gateway (Camel) and the response is 200 (OK). Speech bubble: "I can use the stolen access token to access the API."]

3. Security enhancement with Keycloak
3-2 Security enhancement with Keycloak
• OAuth 2.0 and its related standards define three mechanisms that can be used to overcome the drawbacks: token introspection, scope check and OAuth MTLS. All of them are supported by Keycloak.
• With the support of Keycloak, we can implement these mechanisms by developing a Camel application.
[Figure: Application, API Gateway (Camel), Authorization Server (Keycloak) and API Server, annotated with the three enhancements:]
Enhancement for Drawback 1: Token Introspection
Enhancement for Drawback 2: Scope Check
Enhancement for Drawback 3: OAuth MTLS
3-3 Token introspection
• Token introspection is a mechanism for validating an access token by sending a request to the token introspection endpoint on the authorization server.
[Figure: token introspection flow between Application, API Gateway (Camel), Authorization Server (Keycloak) and API Server:]
1. API request with the access token issued by Keycloak
2. Validate the access token (= token introspection)
3. Forward the API request only if the access token is valid. Otherwise, deny the request with a 401 HTTP status code
3-4 Support of token introspection in Keycloak
• Keycloak provides a token introspection endpoint that receives token introspection requests.
• After receiving a token introspection request, Keycloak inspects the access token in several steps, including validating the session linked with the access token.
• A session is a data structure that Keycloak uses to store the user's login information. An access token is generated from a session, and every access token is linked with one session. An access token and its linked session share the same validity. Therefore, if the linked session is found to be invalid, the access token is also treated as invalid, even if its expiration time has not been reached.
• After introspecting the access token, Keycloak returns a token introspection response in JSON format.
[Figure: the Token Introspection Endpoint of the Authorization Server (Keycloak) receives a token introspection request and returns a token introspection response. Keycloak introspects the access token by validating its signature, issuer, expiration time, issued-at time and linked session.]
3-5 Development of token introspection in Camel
• To implement token introspection, we can use the HTTP4 component provided by Camel to send the token introspection request and receive the token introspection response.
• Components are used for communicating with external systems. Among them, the HTTP4 component communicates with external systems over HTTP.
[Figure: the API Gateway (Camel) uses the HTTP4 component to send the access token to the Token Introspection Endpoint of the Authorization Server (Keycloak).]
3-6 Effect of token introspection
• As a result of implementing token introspection, an API request with an invalid access token within its expiration time will be denied with a 401 HTTP status code. This means that drawback 1 is overcome.
[Figure: Enhancement for Drawback 1: Token Introspection. An invalid access token within its expiration time is rejected by the API Gateway (Camel) with 401 (Unauthorized). Speech bubble: "A response with 401 HTTP status code is returned when I use an invalid access token within its expiration time."]
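
The gateway side of token introspection, as an added example in Python rather than Camel code (it is not from the presentation): it builds the RFC 7662 request and turns the response into the forward/401 decision, failing closed on anything other than a boolean `"active": true`. The host, realm, client credentials and sample responses are assumptions constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values: the host and realm below are placeholders for this example.
INTROSPECTION_ENDPOINT = (
    "https://keycloak.example.test/realms/demo/protocol/openid-connect/token/introspect"
)


def bearer_token(authorization_header):
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    if not authorization_header:
        return None
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def build_introspection_request(token, client_id, client_secret,
                                endpoint=INTROSPECTION_ENDPOINT):
    """Form-encoded POST; the gateway authenticates itself with HTTP Basic."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        endpoint,
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def is_active(response_body):
    """True only for a JSON object whose 'active' member is the boolean true."""
    try:
        claims = json.loads(response_body)
    except (TypeError, ValueError):
        return False                      # unparsable response: fail closed
    return isinstance(claims, dict) and claims.get("active") is True


def gateway_status(authorization_header, introspect):
    """Return 200 to forward the API request or 401 to deny it.

    `introspect` takes the token and returns the raw response body; in a real
    gateway it would send build_introspection_request() over HTTPS.
    """
    token = bearer_token(authorization_header)
    if token is None:
        return 401
    try:
        body = introspect(token)
    except OSError:
        return 401                        # authorization server unreachable: fail closed
    return 200 if is_active(body) else 401


# Constructed responses: a token with a live session, and one whose session
# was ended before the token's expiration time.
ACTIVE = '{"active": true, "scope": "read", "exp": 1458872196}'
LOGGED_OUT = '{"active": false}'

if __name__ == "__main__":
    print(gateway_status("Bearer abc.def.ghi", lambda token: ACTIVE))
    print(gateway_status("Bearer abc.def.ghi", lambda token: LOGGED_OUT))
```
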
3-7 Scope check
• Scope is a mechanism for limiting an application's access to the API. The scopes granted to the application are included in the access token.
• Scope checking can be used to manage API access. If the scope required for an API request is not among the scopes linked with the access token, the request will be denied.
[Figure: scope check flow between Application, API Gateway (Camel), Authorization Server (Keycloak) and API Server:]
1. API request with the access token
2. Check the scopes linked with the access token
3. Forward the API request if the required scope exists. Otherwise, deny the request with a 403 HTTP status code
3-8 Support of scope in Keycloak
• Keycloak can include the scope required for the API in the access token when it issues the access token.
[Figure: the Application requests an access token from the Authorization Server (Keycloak).]
One or more scopes can be requested by specifying them in a request parameter, for example "scope=read". The requested scopes will be included in the access token issued by Keycloak.
Example (the read scope is included in the access token):
…
{
  "iss": "https://example.hitachi.com/",
  "aud": "https://app1.hitachi.com/",
  "sub": "jdoe",
  "scope": "read",
  "iat": 1458785796,
  "exp": 1458872196
}
3-9 Development of scope check in Camel
• To implement the scope check, we can use a processor provided by Camel.
• A processor handles the messages flowing through Camel. Camel provides many kinds of processors by default. You can also write a custom processor by implementing the Processor interface.
[Figure: a Processor in the API Gateway (Camel) handles the message carrying the access token: extract the scopes from the access token and check whether the required scopes are included.]
…
{
  "iss": "https://example.hitachi.com/",
  …
  "scope": "read",
  …
}
3-10 Effect of scope check
• As a result of implementing the scope check, an API request without the granted authority (scope) will be denied with a 403 HTTP status code. This means that drawback 2 is overcome.
[Figure: Enhancement for Drawback 2: Scope Check. A request to the API used for writing data is rejected by the API Gateway (Camel) with 403 (Forbidden). Speech bubbles: "You can only request the API used for reading data." / "A response with 403 HTTP status code is returned when I request the API used for writing data."]
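
The scope check described above, as an added example in Python rather than a Camel processor (it is not from the presentation): it extracts the space-delimited `scope` claim from the token payload and compares whole scope values, so a granted scope that merely contains the word "write" does not pass. The method-to-scope policy, the `write` scope name and the sample tokens are assumptions constructed for the example, and the token is assumed to have been validated already.

```python
import base64
import json

# Assumed routing policy for this example: the scope each HTTP method requires.
REQUIRED_SCOPE = {"GET": "read", "HEAD": "read",
                  "POST": "write", "PUT": "write", "PATCH": "write", "DELETE": "write"}


def jwt_claims(access_token):
    """Decode the payload (second segment) of a compact JWT access token.

    No signature check happens here: the token is assumed to have been
    validated already, for example by token introspection.
    """
    segments = access_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)        # restore the base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def granted_scopes(claims):
    """The 'scope' claim is one space-delimited string; return it as a set."""
    scope = claims.get("scope")
    return set(scope.split()) if isinstance(scope, str) else set()


def scope_check(method, access_token):
    """Return 200 to forward the API request or 403 to deny it."""
    required = REQUIRED_SCOPE.get(method.upper())
    if required is None:
        return 403                               # unknown method: deny by default
    try:
        scopes = granted_scopes(jwt_claims(access_token))
    except ValueError:
        return 403                               # malformed token: deny
    return 200 if required in scopes else 403


def make_token(claims):
    """Build a constructed token for the demo; the signature segment is a dummy."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{b64({"alg": "RS256", "typ": "JWT"})}.{b64(claims)}.sig'


# Constructed sample tokens, modelled on the payload shown on the slide.
READ_TOKEN = make_token({"sub": "jdoe", "scope": "read",
                         "iat": 1458785796, "exp": 1458872196})
# A scope value that contains "write" as a substring but is a different scope.
LOOKALIKE_TOKEN = make_token({"sub": "jdoe", "scope": "read-write-preview"})

if __name__ == "__main__":
    print(scope_check("GET", READ_TOKEN))         # read API with read scope
    print(scope_check("POST", READ_TOKEN))        # write API with read scope
    print(scope_check("POST", LOOKALIKE_TOKEN))   # substring must not match
```
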
3-11 OAuth MTLS
• OAuth MTLS is a mechanism for preventing token stealing attacks. It uses the client certificate to confirm that the access token was granted to the OAuth client making the API request.
[Figure: OAuth MTLS flow between Application, Authorization Server (Keycloak), API Gateway (Camel) and API Server:]
1. Token request (present client certificate)
2. Issue an access token with a hash of the client certificate
3. API request with the access token (present client certificate)
4. Compare the hash value of the client certificate with the hash included in the access token
5. Forward the API request if the client certificates match. Otherwise, deny the request with a 403 HTTP status code
3-12 Support of OAuth MTLS in Keycloak
• Keycloak can calculate the hash value of the client certificate and include it in the access token when it issues the access token.
[Figure: the Application requests the access token from the Authorization Server (Keycloak) with the application's client certificate.]
The hash of the client certificate will be included in the access token as a member called x5t#S256.
Example:
…
{
  "iss": "https://example.hitachi.com",
  "aud": "https://app1.hitachi.com",
  "sub": "jdoe",
  "iat": 1458785796,
  "exp": 1458872196,
  "cnf": {
    "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
  }
}
3-13 Development of OAuth MTLS in Camel
• To implement OAuth MTLS, we can also use a processor provided by Camel.
[Figure: a Processor in the API Gateway (Camel) handles the message carrying the access token: calculate the hash value of the client certificate and compare it with the x5t#S256 value extracted from the access token.]
{
  …
  "cnf": {
    "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
  }
  …
}
3-14 Effect of OAuth MTLS
• As a result of implementing OAuth MTLS, an API request with a stolen token will be denied with a 403 HTTP status code. This means that drawback 3 is overcome.
[Figure: a stolen access token sent to the API Gateway (Camel) is rejected with 403 (Forbidden). Speech bubble: "A response with 403 HTTP status code is returned when I use a stolen access token to request the API."]
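
The certificate comparison in steps 4 and 5 of the OAuth MTLS flow, as an added example in Python rather than a Camel processor (it is not from the presentation): the thumbprint is the unpadded base64url encoding of the SHA-256 digest of the DER-encoded certificate, compared in constant time with the `x5t#S256` member of `cnf`. The byte strings standing in for certificates are constructed for the example and are not real X.509 certificates; the claims are assumed to come from an already validated token.

```python
import base64
import hashlib
import hmac
import ssl


def cert_thumbprint(cert):
    """x5t#S256: base64url, without padding, of SHA-256 over the DER certificate."""
    if isinstance(cert, str):                     # PEM text, e.g. handed over by the TLS layer
        cert = ssl.PEM_cert_to_DER_cert(cert)
    digest = hashlib.sha256(cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def mtls_check(claims, client_cert):
    """Return 200 to forward the API request or 403 to deny it.

    `claims` is the already-validated access token payload; `client_cert` is the
    certificate presented on this TLS connection (DER bytes or PEM text).
    """
    if client_cert is None:
        return 403                                # no client certificate presented
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return 403                                # token is not bound to a certificate
    try:
        actual = cert_thumbprint(client_cert)
    except ValueError:
        return 403                                # unparsable PEM
    # Constant-time comparison of the two thumbprints.
    return 200 if hmac.compare_digest(actual.encode(), expected.encode()) else 403


# Constructed stand-ins for DER certificates (arbitrary bytes, not real X.509).
APP_CERT_DER = b"constructed stand-in for the application's DER certificate"
OTHER_CERT_DER = b"constructed stand-in for another client's DER certificate"
APP_CERT_PEM = ssl.DER_cert_to_PEM_cert(APP_CERT_DER)

# Token payload as it would look when issued to the holder of APP_CERT_DER.
BOUND_CLAIMS = {"sub": "jdoe", "cnf": {"x5t#S256": cert_thumbprint(APP_CERT_DER)}}

if __name__ == "__main__":
    print(mtls_check(BOUND_CLAIMS, APP_CERT_DER))     # token used by its owner
    print(mtls_check(BOUND_CLAIMS, OTHER_CERT_DER))   # same token, different certificate
```
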
4. Conclusion
4-1 Conclusion
• Camel and Keycloak together can serve as an API management infrastructure.
• Although the API management infrastructure (Camel + Keycloak) can protect itself by using token issuance/management, it still has three security drawbacks.
• With the enhancements supported by Keycloak, a Camel application can be developed to overcome the drawbacks.
Trademarks
• Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
• Apache and Camel are registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• GitHub and the GitHub logo are trademarks or registered trademarks of GitHub, Inc. in the United States and other countries.
• Twitter and the Twitter logo are trademarks or registered trademarks of Twitter, Inc. or its affiliates.
• Facebook and the Facebook logo are trademarks or registered trademarks of Facebook, Inc.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.