Securing RESTful APIs using OAuth 2 and OpenID Connect
Post on 28-Jan-2015
Securing RESTful APIs Using OAuth 2 and OpenID Connect
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer Evangelism at PayPal
Why do we Need This?
Poor Password Choices
• 4.7% of users have the password password;
• 8.5% have the passwords password or 123456;
• 9.8% have the passwords password, 123456 or 12345678;
• 14% have a password from the top 10 passwords
• 40% have a password from the top 100 passwords
• 79% have a password from the top 500 passwords
• 91% have a password from the top 1000 passwords
…And of What’s Left
1. Pet’s name
2. Significant dates (like a wedding anniversary)
3. Date of birth of close relation
4. Child’s name
5. Other family member’s name
6. Place of birth
7. Favorite holiday
8. Something related to favorite football team
9. Current partner’s name
Handing Over Account Passwords
Malicious Applications
Aspects of Revocation
App Revoked by User
App Revoked by Service Provider
Path to the Standard
Username & Password to Auth
Rise of the Token
Two Widely Used Specifications
REST Request Components
How Requests are Made
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
How Auth is Added in
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {accessToken}" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
Attack Vectors
Man in the Middle
Replay Attacks
Cross-Site Request Forgery (CSRF)
Adding in the Auth
Rate Limiting and Attack Vector Protection
Having the ability to revoke application access
Needing to allow users to revoke an application's access to their data
Reasons for Auth
When You Need Access Security
User Login (authentication)
User Involvement (authorization)
Application Only (monitoring)
Practical Implementation
Prepare the Redirect URI
Authorization Endpoint parameters:
• client_id
• response_type (token)
• scope
• redirect_uri
Browser Redirect → Redirect URI
Redirect the User to Log In
Fetch the Access Token
Access Token Endpoint parameters:
• client_id
• client_secret
• grant_type
• code
HTTP POST → Access Token Endpoint
Fetching the Access Token
curl https://api.sandbox.paypal.com/v1/oauth2/token \
  -H "Accept: application/json" \
  -H "Accept-Language: en_US" \
  -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
  -d "grant_type=client_credentials"
Access Token Response
{
  "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
  "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
  "token_type": "Bearer",
  "app_id": "APP-6XR95014SS315863X",
  "expires_in": 28800
}
Fetch Privileged Resources
Resource Endpoint parameters:
• Token Type (Authorization header)
• Access Token (Authorization header)
HTTP GET / PUT / POST / DELETE → Resource Endpoint
Using the Access Token
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer EMxItHE7Zl4cMdkv…" \
  -d "{...}"
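The slides above show the pieces of the flow (redirect to the authorization endpoint, POST to the token endpoint, bearer token on the resource call) one at a time and as curl commands. The following is an added example, not code from the talk or from PayPal, that runs the whole exchange in one process: the client half builds the redirect with a state parameter, rejects a callback whose state does not match (the CSRF defence named under Attack Vectors), sends the same Basic-auth header that curl -u produces, and puts "Authorization: Bearer …" on the resource request; the AuthServer class is a constructed in-memory stand-in for the provider that issues one-time codes, checks client credentials, expires and revokes tokens. All endpoint URLs, client ids and secrets are constructed values.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_LIFETIME = 28800  # seconds; the expires_in value shown in the slides

# ---- client side -----------------------------------------------------------

def build_authorize_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Prepare the redirect: the URL the user's browser is sent to."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "redirect_uri": redirect_uri, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"

def parse_redirect(callback_url, expected_state):
    """Read ?code=&state= off the callback. A state that differs from the one
    kept in the user's session means this callback was not started by us."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: callback rejected (possible CSRF)")
    return qs["code"][0]

def basic_auth_header(client_id, client_secret):
    """The header that curl -u "id:secret" sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def token_request(client_id, client_secret, code, redirect_uri):
    """HTTP POST to the access-token endpoint, returned as (headers, form body)."""
    headers = {"Accept": "application/json",
               "Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body

def resource_headers(token_response):
    """'Authorization: Bearer <token>' for every GET / PUT / POST / DELETE."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}

# ---- authorization + resource server (constructed in-memory stand-in) -------

class AuthServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # one-time authorization codes
        self.tokens = {}        # access_token -> (client_id, scope, expires_at)

    def authorize(self, authorize_url):
        """User has logged in and consented: send the browser back with a code."""
        qs = parse_qs(urlparse(authorize_url).query)
        client_id, redirect_uri = qs["client_id"][0], qs["redirect_uri"][0]
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, qs["scope"][0])
        return f"{redirect_uri}?{urlencode({'code': code, 'state': qs['state'][0]})}"

    def token(self, headers, body):
        """Check client credentials and the code, then issue a bearer token."""
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            raise PermissionError("invalid_client")
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        expected = self.clients.get(client_id, (None, None))[0]
        if expected is None or not secrets.compare_digest(secret, expected):
            raise PermissionError("invalid_client")
        form = parse_qs(body)
        if form.get("grant_type", [""])[0] != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(form.get("code", [""])[0], None)  # pop: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri", [""])[0]:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, entry[2], time.time() + TOKEN_LIFETIME)
        return {"access_token": token, "token_type": "Bearer",
                "scope": entry[2], "expires_in": TOKEN_LIFETIME}

    def resource(self, headers):
        """Protected resource: 200 with the token's scope, or 401."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        info = self.tokens.get(token)
        if scheme != "Bearer" or info is None or info[2] < time.time():
            return 401, {"error": "invalid_token"}
        return 200, {"client_id": info[0], "scope": info[1]}

    def revoke(self, token):
        """Revocation by the user or the provider: later calls get 401."""
        self.tokens.pop(token, None)

def run_flow(server, client_id, client_secret, redirect_uri, scope):
    """Drive one complete exchange; returns the token response and the resource result."""
    state = secrets.token_urlsafe(16)  # stored in the user's session in a real client
    callback = server.authorize(build_authorize_url(
        "https://auth.example.test/authorize", client_id, redirect_uri, scope, state))
    code = parse_redirect(callback, state)
    tok = server.token(*token_request(client_id, client_secret, code, redirect_uri))
    status, payload = server.resource(resource_headers(tok))
    return tok, status, payload
```

Calling run_flow with a registered client returns the token response (token_type "Bearer", expires_in 28800) and a 200 from the resource; a forged state, a wrong client secret, a replayed code, or a revoked token each fail at the step that is meant to catch it, which is the point of keeping the code one-time and the token short-lived and revocable.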
Maintaining SDK Consistency
Defining APIs with WADL / WSDL
<?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://www.w3.org/ns/wsdl" ...>
  <types> … </types>
  <interface name="Interface1"> … </interface>
  <binding name="HttpBinding" interface="tns:Interface1">
    <operation ref="tns:Get" whttp:method="GET"/>
  </binding>
  <binding name="SoapBinding" interface="tns:Interface1" …>
    <operation ref="tns:Get" />
  </binding>
  <service name="Service1" interface="tns:Interface1">
    <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/>
    <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/>
  </service>
</description>
<?xml version="1.0"?>
<application xmlns:xsi=…>
  <grammars>
    <include href="NewsSearchResponse.xsd"/>
    <include href="Error.xsd"/>
  </grammars>
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
        </request>
        <response status="400">
          <representation mediaType="application/xml" element="ya:Error"/>
        </response>
      </method>
    </resource>
  </resources>
</application>
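A WADL contract like the one above is what a generated SDK reads to know which parameters an operation requires. As an added example, not code from the talk or from the Genio project, here is a small Python reader that turns such a contract into an operation table and checks a request against it before it is sent, which is the consistency check the slide is after. The WADL string is constructed, modelled on the Yahoo News Search snippet in the slides with an optional "results" parameter added.

```python
import xml.etree.ElementTree as ET

# Constructed WADL, modelled on the slide's snippet; "results" added as an optional parameter.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
          <param name="results" type="xsd:int" required="false"/>
        </request>
        <response status="400">
          <representation mediaType="application/xml" element="ya:Error"/>
        </response>
      </method>
    </resource>
  </resources>
</application>"""

def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}param' -> 'param'."""
    return tag.rsplit("}", 1)[-1]

def load_wadl(text):
    """Build {(http_method, path): {"id", "url", "params": {name: required}}}."""
    root = ET.fromstring(text)
    ops = {}
    for resources in root.iter():
        if _local(resources.tag) != "resources":
            continue
        base = resources.get("base", "")
        for resource in resources:
            if _local(resource.tag) != "resource":
                continue
            path = resource.get("path", "")
            for method in resource:
                if _local(method.tag) != "method":
                    continue
                # every <param> under the method, in document order
                params = {p.get("name"): p.get("required", "false") == "true"
                          for p in method.iter() if _local(p.tag) == "param"}
                ops[(method.get("name"), path)] = {"id": method.get("id"),
                                                   "url": base + path,
                                                   "params": params}
    return ops

def validate_request(ops, http_method, path, query):
    """What a generated SDK checks before sending: (missing required, unknown) names.
    Raises KeyError for an operation the contract does not define."""
    op = ops[(http_method, path)]
    missing = [n for n, required in op["params"].items() if required and n not in query]
    unknown = [n for n in query if n not in op["params"]]
    return missing, unknown
```

Rejecting unknown parameters client-side keeps every generated SDK sending exactly the contract, so a server-side change to the WADL is the single place where the allowed surface of each operation is defined.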
Building SDKs Automatically
Genio (templates): https://github.com/paypal/genio
Genio Parser (model builder): https://github.com/paypal/genio-parser
Genio Samples: https://github.com/paypal/genio-sample
REST and OAuth are specifications, not religions
Don’t alienate your developers with security
Open source is your friend
Final Considerations
Thank You! Questions?
http://slideshare.net/jcleblanc
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer Evangelism at PayPal