Learn with WSO2 - API Security



  1. Prabath Siriwardena
  2. • Exposing business functionality to the rest of the world.
     • Private APIs vs. Public APIs
     • Securing, Throttling, Monitoring, Monetizing
  3. • XML over HTTP
     • JSON over HTTP
     • SOAP over HTTP
  4. • Basic Authentication
     • Mutual Authentication
     • Custom Authentication Schemes (e.g. AWS)
     • What's wrong?
  5. Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
  6. Servers are required to support password authentication, despite the security weaknesses created by passwords.
  7. Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
  8. Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
  9. Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
  10. • Complexity in validating and generating signatures.
      • No clear separation between Resource Server and Authorization Server.
      • Browser based redirections.
      • Not a framework.
  11. • An entity capable of granting access to a protected resource.
      • When the resource owner is a person, it is referred to as an end-user.
  12. • The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  13. • An application making protected resource requests on behalf of the resource owner and with its authorization.
  14. • The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  15. Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials
  16. OAuth Handshake: Scope
  17. OAuth Handshake: Scope
      Scope is defined by the Authorization Server. Scope indicates which resource the client wants to access and which actions it wants to perform on it. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server.
  18. Confidential Client Type: Web Application (OAuth Handshake)
  19. Client Authenticates to AuthZ Server: BasicAuth with client_id / client_secret (OAuth Handshake)
  20. Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "code".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  21. Authorization Grant Response (OAuth Handshake)
      • code : REQUIRED. The authorization code generated by the authorization server.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.
  22. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "authorization_code".
      • code : REQUIRED. The authorization code received from the Authorization Server.
      • redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization
  23. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
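As an added example (not from the slides and not WSO2 code), the authorization code handshake of slides 19 to 23 as a toy web-application client and authorization server in Python; the client id, secret, redirect URI, scope and token lifetime are constructed values. Beyond listing the parameters, it shows the checks they exist for: the client compares state on the callback, and the server binds each code to the client and redirect_uri and accepts it only once.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class AuthorizationServer:  # constructed toy server for the code grant, not WSO2 code
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, scope); single use
    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)
    def authorize(self, params):
        # Authorization grant request: response_type MUST be "code" (slide 20).
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            return None
        redirect_uri = params.get("redirect_uri", client[1])
        if redirect_uri != client[1]:  # only the registered callback is honoured
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], redirect_uri, params.get("scope", ""))
        query = {"code": code}
        if "state" in params:  # state is echoed back unchanged (slide 21)
            query["state"] = params["state"]
        return redirect_uri + "?" + urlencode(query)
    def token(self, client_id, client_secret, params):
        # Access token request; the client authenticates with id/secret (slides 19, 22).
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client[0], client_secret):
            return None
        if params.get("grant_type") != "authorization_code":
            return None
        entry = self.codes.pop(params.get("code"), None)  # pop: a code is used once
        if entry is None or entry[0] != client_id or entry[1] != params.get("redirect_uri"):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry[2]}

class Client:  # constructed confidential (web application) client
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.state = redirect_uri, None
    def grant_request(self, scope):
        self.state = secrets.token_urlsafe(16)  # fresh per request, bound to this session
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": self.state}
    def callback(self, url, authz):
        q = parse_qs(urlparse(url).query)
        if q.get("state", [None])[0] != self.state:  # reject forged or replayed callbacks
            return None
        return authz.token(self.client_id, self.client_secret,
                           {"grant_type": "authorization_code", "code": q["code"][0],
                            "redirect_uri": self.redirect_uri})
```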
  24. OAuth Handshake: Scope
  25. Public Client Type: User Agent based Application (OAuth Handshake)
  26. Anonymous Clients (OAuth Handshake)
  27. Authorization Grant Request (OAuth Handshake)
      • response_type : REQUIRED. Value MUST be set to "token".
      • client_id : REQUIRED. The client identifier.
      • redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
      • scope : OPTIONAL. The scope of the access request.
      • state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
  28. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
      • scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
      • state : REQUIRED if the "state" parameter was present in the client authorization request.
  29. OAuth Handshake: Scope
  30. Confidential Client Type (OAuth Handshake)
  31. BasicAuth (OAuth Handshake)
  32. Authorization Grant Request (OAuth Handshake)
      Since the client authentication is used as the authorization grant, no additional authorization request is needed.
  33. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • scope : OPTIONAL. The scope of the access request.
      Note: The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
  34. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
  35. OAuth Handshake: Scope
  36. Confidential Client Type (OAuth Handshake)
  37. BasicAuth (OAuth Handshake)
  38. Authorization Grant Request (OAuth Handshake)
      The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
  39. Access Token Request (OAuth Handshake)
      • grant_type : REQUIRED. Value MUST be set to "client_credentials".
      • username : REQUIRED. The resource owner username, encoded as UTF-8.
      • password : REQUIRED. The resource owner password, encoded as UTF-8.
      • scope : OPTIONAL. The scope of the access request.
  40. Access Token Response (OAuth Handshake)
      • access_token : REQUIRED. The access token issued by the authorization server.
      • token_type : REQUIRED. The type of the token. Value is case insensitive.
      • expires_in : RECOMMENDED. The lifetime in seconds of the access token.
  41. Runtime
  42. Runtime: Bearer / MAC
  43. Runtime: Bearer / MAC
      Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
  44. Request with Bearer (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: Bearer "access_token_value"
      http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
  45. Runtime: Bearer / MAC
      HTTP MAC access authentication scheme
  46. Request with MAC (Runtime)
      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: MAC id="h480djs93hd8",
                         ts="1336363200",
                         nonce="274312:dj83hs9s",
                         mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
      http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
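Added example, not from the slides and not WSO2 code: signing and verifying the MAC Authorization header of slide 46 in Python. The normalized-string layout (ts, nonce, method, request-URI, host, port, ext, each newline-terminated, signed with hmac-sha-1) is my reading of draft-ietf-oauth-v2-http-mac-01 and the key bytes are constructed, so the mac value will not match the one on the slide. The verifier side is what the Bearer vs. MAC contrast on slide 43 is about: a captured request fails when replayed, moved to another URI, or presented outside the timestamp window.

```python
import base64, hashlib, hmac, time

def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    # Element order and "\n" terminators as I read draft-ietf-oauth-v2-http-mac-01 s.3.3.1 (assumption).
    parts = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"

def compute_mac(key, normalized):
    # hmac-sha-1 over the normalized string, base64 encoded
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def build_mac_header(key_id, key, ts, nonce, method, request_uri, host, port):
    # Client side: sign the request and emit the header shape shown on slide 46.
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, request_uri, host, port))
    return 'MAC id="%s", ts="%s", nonce="%s", mac="%s"' % (key_id, ts, nonce, mac)

def parse_mac_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    out = {}
    for item in params.split(","):
        k, _, v = item.strip().partition("=")
        out[k] = v.strip('"')
    return out

class MacVerifier:
    """Resource server side; keys maps MAC key id -> key bytes (constructed, not WSO2 code)."""
    def __init__(self, keys, now=time.time, max_skew=300):
        self.keys, self.now, self.max_skew = keys, now, max_skew
        self.seen = set()  # (id, ts, nonce) already accepted: a captured request cannot be replayed
    def verify(self, header, method, request_uri, host, port):
        p = parse_mac_header(header)
        if p is None or not {"id", "ts", "nonce", "mac"} <= set(p):
            return False
        key = self.keys.get(p["id"])
        if key is None or not p["ts"].isdigit():
            return False
        ts = int(p["ts"])
        if abs(self.now() - ts) > self.max_skew:  # stale timestamp
            return False
        if (p["id"], ts, p["nonce"]) in self.seen:  # replayed request
            return False
        expected = compute_mac(key, normalized_request_string(ts, p["nonce"], method, request_uri, host, port))
        if not hmac.compare_digest(expected, p["mac"]):  # tampered request or wrong key
            return False
        self.seen.add((p["id"], ts, p["nonce"]))
        return True
```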