Securing RESTful APIs using OAuth 2 and OpenID Connect

Post on 28-Jan-2015


DESCRIPTION

Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps and requests; OAuth 2 provides us with a secure and open way of doing just this. In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring architectural decisions in choosing REST standard variations and implementations of OAuth 2.

Transcript

Securing RESTful APIs Using OAuth 2 and OpenID Connect

Jonathan LeBlanc (@jcleblanc)

Global Head of Developer Evangelism at PayPal

Why do we Need This?

Poor Password Choices

• 4.7% of users have the password password;

• 8.5% have the passwords password or 123456;

• 9.8% have the passwords password, 123456 or 12345678;

• 14% have a password from the top 10 passwords

• 40% have a password from the top 100 passwords

• 79% have a password from the top 500 passwords

• 91% have a password from the top 1000 passwords

…And of What’s Left

1. Pet’s name

2. Significant dates (like a wedding anniversary)

3. Date of birth of close relation

4. Child’s name

5. Other family member’s name

6. Place of birth

7. Favorite holiday

8. Something related to favorite football team

9. Current partner’s name

Handing Over Account Passwords

Malicious Applications

Aspects of Revocation

App Revoked by User

App Revoked by Service Provider

Path to the Standard

Username & Password to Auth

Rise of the Token

Two Widely Used Specifications

REST Request Components

How Requests are Made

curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type:application/json" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'

How Auth is Added in

curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type:application/json" \
  -H "Authorization: Bearer {accessToken}" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'

Attack Vectors

Man in the Middle

Replay Attacks

Cross-Site Request Forgery (CSRF)

Adding in the Auth

Rate Limiting and Attack Vector Protection

Having the ability to revoke application access

Needing to allow users to revoke an application's access to their data

Reasons for Auth

When You Need Access Security

User Login (authentication)

User Involvement (authorization)

Application Only (monitoring)

Practical Implementation

Prepare the Redirect URI

Authorization Endpoint: client_id, response_type (token), scope, redirect_uri

Browser Redirect → Redirect URI

Redirect the User to Log In

Fetch the Access Token

Access Token Endpoint: client_id, grant_type, client_secret, code

HTTP POST → Access Token Endpoint

Fetching the Access Token

curl https://api.sandbox.paypal.com/v1/oauth2/token \
  -H "Accept: application/json" \
  -H "Accept-Language: en_US" \
  -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
  -d "grant_type=client_credentials"

Access Token Response

{
  "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
  "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
  "token_type": "Bearer",
  "app_id": "APP-6XR95014SS315863X",
  "expires_in": 28800
}

Fetch Privileged Resources

Resource Endpoint: Token Type (Authorization header), Access Token (Authorization header)

HTTP GET / PUT / POST / DELETE → Resource Endpoint

Using the Access Token

curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type:application/json" \
  -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" \
  -d "{...}"
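The whole exchange the "Practical Implementation" slides sketch (prepare the redirect, send the user to log in, POST the code to the token endpoint, use the Bearer token against a resource endpoint), with both the app and the server side in one process so it runs offline. This is an added example, not code from the talk or from PayPal's SDKs; the endpoint URLs, client registration, scopes and token values are constructed placeholders and the stores are in-memory dicts. It also shows the two checks the "Attack Vectors" slides call for: a random `state` value that the app verifies on the callback (CSRF), and authorization codes that are consumed on first use and tokens that expire (replay).

```python
"""Toy OAuth 2 authorization-code exchange with both sides in one process.

Added example for illustration only: it is not code from the talk or from
PayPal's SDKs. The endpoint URLs, client registration, scopes and all token
values below are constructed placeholders; the stores are in-memory dicts.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# ---- Authorization / resource server side (constructed toy) -----------------
CLIENTS = {"client-abc": "secret-xyz"}                 # constructed registration
REDIRECT_URIS = {"client-abc": "https://app.example/callback"}
_codes = {}    # authorization code -> (client_id, scope); single use
_tokens = {}   # access token -> (client_id, scope, expires_at)


def authorize(query, user_consents=True):
    """Authorization endpoint: called after the user has logged in; returns the
    URL the browser is sent back to, carrying the code (or error) and the state."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    client_id = q["client_id"]
    if REDIRECT_URIS.get(client_id) != q["redirect_uri"]:
        raise ValueError("redirect_uri is not registered for this client")
    if q.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    if not user_consents:
        params = {"error": "access_denied", "state": q["state"]}
    else:
        code = secrets.token_urlsafe(16)
        _codes[code] = (client_id, q.get("scope", ""))
        params = {"code": code, "state": q["state"]}     # state is echoed back
    return f"{q['redirect_uri']}?{urlencode(params)}"


def token_endpoint(form, ttl=28800):
    """Token endpoint: HTTP POST of client_id, client_secret, grant_type and
    code; issues a Bearer token shaped like the response shown in the slides."""
    client_id, client_secret = form["client_id"], form["client_secret"]
    if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
        raise PermissionError("invalid_client")
    if form.get("grant_type") != "authorization_code":
        raise ValueError("unsupported_grant_type")
    owner, scope = _codes.pop(form["code"], (None, None))  # pop: one-time use
    if owner != client_id:
        raise PermissionError("invalid_grant")   # unknown, reused or foreign code
    token = secrets.token_urlsafe(24)
    _tokens[token] = (client_id, scope, time.time() + ttl)
    return {"access_token": token, "token_type": "Bearer",
            "scope": scope, "expires_in": ttl}


def resource_endpoint(headers, required_scope, now=None):
    """Resource endpoint: accepts only a known, unexpired Bearer token whose
    scope covers the resource. Returns a dict standing in for the HTTP reply."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in _tokens:
        return {"status": 401, "error": "invalid_token"}
    client_id, scope, expires_at = _tokens[token]
    if (now if now is not None else time.time()) >= expires_at:
        return {"status": 401, "error": "token_expired"}
    if required_scope not in scope.split():
        return {"status": 403, "error": "insufficient_scope"}
    return {"status": 200, "app_id": client_id}


# ---- Client (the app) side ---------------------------------------------------
def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope):
    """Step 1, prepare the redirect. `state` is a fresh random value the app
    keeps in the user's session; checking it on the way back stops CSRF on the
    callback (the app will not accept a code it did not itself ask for)."""
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code",
              "scope": scope, "redirect_uri": redirect_uri, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}", state


def handle_callback(callback_url, expected_state):
    """Step 2, the browser returns: verify state before trusting the code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    if "error" in q:
        raise PermissionError(q["error"])
    return q["code"]


def run_flow(required_scope="payments"):
    """Drive the full exchange; returns the token, the code and the resource reply."""
    url, state = build_authorize_url("https://auth.example/authorize", "client-abc",
                                     "https://app.example/callback", "payments vault")
    callback = authorize(urlparse(url).query)        # user logs in and approves
    code = handle_callback(callback, state)
    tok = token_endpoint({"client_id": "client-abc", "client_secret": "secret-xyz",
                          "grant_type": "authorization_code", "code": code})
    headers = {"Authorization": f"{tok['token_type']} {tok['access_token']}"}
    return {"token": tok, "code": code, "headers": headers,
            "resource": resource_endpoint(headers, required_scope)}


if __name__ == "__main__":
    print(run_flow()["resource"])   # {'status': 200, 'app_id': 'client-abc'}
```

Everything is in a single process here only so that it runs offline; in a real deployment the three server functions sit behind HTTPS, which is what the "Man in the Middle" slide is about, since a Bearer token in a cleartext Authorization header is usable by anyone who observes it.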

Maintaining SDK Consistency

Defining APIs with WADL / WSDL

<?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://www.w3.org/ns/wsdl" ...>
  <types> … </types>
  <interface name="Interface1"> … </interface>
  <binding name="HttpBinding" interface="tns:Interface1">
    <operation ref="tns:Get" whttp:method="GET"/>
  </binding>
  <binding name="SoapBinding" interface="tns:Interface1" …>
    <operation ref="tns:Get" />
  </binding>
  <service name="Service1" interface="tns:Interface1">
    <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/>
    <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/>
  </service>
</description>

<?xml version="1.0"?>
<application xmlns:xsi=…>
  <grammars>
    <include href="NewsSearchResponse.xsd"/>
    <include href="Error.xsd"/>
  </grammars>
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
        </request>
        <response status="400">
          <representation mediaType="application/xml" element="ya:Error"/>
        </response>
      </method>
    </resource>
  </resources>
</application>

Building SDKs Automatically

Genio (templates): https://github.com/paypal/genio

Genio Parser (model builder): https://github.com/paypal/genio-parser

Genio Samples: https://github.com/paypal/genio-sample
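What "Building SDKs Automatically" from a WADL amounts to, in miniature: parse the description, then generate one callable per <method> that validates required and unknown parameters before any request is built. This is an added example using only the standard library; it is not the slides' code and not the Genio project's. The WADL document inside it is constructed (modeled on the newsSearch fragment above, with an added template-parameter resource), and the generator assumes flat <resource> elements directly under <resources>.

```python
"""Build a small client SDK from a WADL description, the way a generator
such as Genio would, using only the standard library.

Added example, not the slides' code and not from the Genio project. The WADL
document below is constructed (modeled on the newsSearch fragment in the deck);
the generator assumes flat <resource> elements directly under <resources>.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://api.example.com/v1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
          <param name="results" type="xsd:int" required="false"/>
        </request>
        <response status="200"/>
        <response status="400">
          <representation mediaType="application/xml" element="ya:Error"/>
        </response>
      </method>
    </resource>
    <resource path="payments/{id}">
      <param name="id" style="template" required="true"/>
      <method name="GET" id="getPayment"/>
    </resource>
  </resources>
</application>"""


def _local(tag):
    """Strip the namespace from an element tag: '{ns}param' -> 'param'."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _param(p, default_style):
    return {"name": p.get("name"), "style": p.get("style", default_style),
            "required": p.get("required") == "true"}


def parse_wadl(text):
    """Return one operation dict per <method>: id, HTTP method, URL template,
    parameters (template and query) and the declared response statuses."""
    ops = []
    for resources in _children(ET.fromstring(text), "resources"):
        base = resources.get("base", "")
        for resource in _children(resources, "resource"):
            path_params = [_param(p, "template") for p in _children(resource, "param")]
            for method in _children(resource, "method"):
                params = list(path_params)
                for req in _children(method, "request"):
                    params += [_param(p, "query") for p in _children(req, "param")]
                statuses = sorted(int(r.get("status")) for r in _children(method, "response")
                                  if r.get("status"))
                ops.append({"id": method.get("id"), "method": method.get("name"),
                            "url": base + resource.get("path", ""),
                            "params": params, "statuses": statuses})
    return ops


def build_sdk(text):
    """Turn the parsed operations into callables keyed by method id. Each
    callable rejects missing required or unknown parameters (so mistakes are
    caught before a request leaves the SDK), fills template parameters into the
    path, puts query parameters on the query string and returns (method, url)."""
    def make(op):
        names = [p["name"] for p in op["params"]]

        def call(**kwargs):
            missing = [p["name"] for p in op["params"]
                       if p["required"] and p["name"] not in kwargs]
            if missing:
                raise TypeError(f"{op['id']}: missing required parameter(s) {missing}")
            unknown = sorted(set(kwargs) - set(names))
            if unknown:
                raise TypeError(f"{op['id']}: unknown parameter(s) {unknown}")
            url, query = op["url"], {}
            for p in op["params"]:
                if p["name"] not in kwargs:
                    continue
                if p["style"] == "template":
                    url = url.replace("{" + p["name"] + "}", str(kwargs[p["name"]]))
                else:
                    query[p["name"]] = kwargs[p["name"]]
            return op["method"], url + ("?" + urlencode(query) if query else "")

        call.__name__ = op["id"]
        call.__doc__ = f"{op['method']} {op['url']} params={names} responses={op['statuses']}"
        return call

    return {op["id"]: make(op) for op in parse_wadl(text)}


if __name__ == "__main__":
    sdk = build_sdk(SAMPLE_WADL)
    for name, fn in sdk.items():
        print(name, "->", fn.__doc__)
    print(sdk["search"](appid="demo-app", query="oauth"))
```

The returned callables only build the request; the Authorization header from the earlier slides would be added by whatever transport layer the generated SDK wraps, which keeps the token handling in one place rather than in every generated method.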

REST and OAuth are specifications, not religions

Don’t alienate your developers with security

Open source is your friend

Final Considerations

Thank You! Questions?

http://slideshare.net/jcleblanc

Jonathan LeBlanc (@jcleblanc)

Global Head of Developer Evangelism at PayPal
