API Security : Patterns and Practices
Download as PPTX, PDF13 likes4,693 views
The document discusses API security patterns and practices. It covers topics like API gateways, authentication methods like basic authentication and OAuth 2.0, authorization with XACML policies, and securing APIs through measures like TLS, JWTs, and throttling to ensure authentication, authorization, confidentiality, integrity, non-repudiation, and availability. Key points covered include the gateway pattern, direct vs brokered authentication, JSON web tokens for self-contained access tokens, and combining OAuth and XACML for fine-grained access control.
Ad
More Related Content
What's hot (20)
Similar to API Security : Patterns and Practices (20)
Ad
More from Prabath Siriwardena (20)
Ad
Recently uploaded (20)
![Get & Download Wondershare Filmora Crack Latest [2025]](https://cdn.slidesharecdn.com/ss_thumbnails/revolutionizingresidentialwi-fi-250422112639-60fb726f-250429170801-59e1b240-thumbnail.jpg?width=560&fit=bounds)
API Security : Patterns and Practices
- 1. Prabath Siriwardena Director of Security Architecture WSO2 API Security Patterns and Practices
- 3. Gateway Pattern • Decouple clients from the actual API implementation • No point-to-point to connection • Centralized security enforcing • Centralized auditing & monitoring • Version controlling
- 4. Six key attributes of a secured design • Only legitimate users can access the system (authentication) • The system won’t allow users to do anything more than what they are supposed to do (authorization) • Confidential data can only be seen by the intended recipients, nobody else (confidentiality) • Integrity of the transactions are protected (integrity) • Protected for non-repudiation • They system is available for legitimate users to access, all the time (availability)
- 5. Direct Authentication • HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 2.0 (for authentication ?)
- 6. HTTP Basic Authentication curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’ -d '{"name": "my_github_repo"}' https://api.github.com/user/repos Creating a GitHub repository
- 7. HTTP Digest Authentication curl -k –-digest –u userName:password -v https://localhost:8443/recipe HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED" Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
- 8. HTTP Basic vs. Digest Authentication
- 9. TLS Mutual Authentication Gateway itself does the certificate validation Fine-grained access validations can be done by the authorization server. curl -k --cert client.pem https://localhost:8443/recipe
- 10. OAuth 2.0 (authorization code grant type)
- 11. OAuth 2.0 (implicit grant type)
- 12. OAuth 2.0 (password grant type)
- 13. OAuth 2.0 (client credentials grant type)
- 14. OAuth 2.0 (chained grant type)
- 15. OAuth 2.0 Tokens AccessTokens Bearer tokens vs. Mac TLS is a must Pass the access token in the HTTP Authorization header Authorization: Bearer <token> Pass the access token in as a URL query parameter Avoid this Request Cache-Control: no-store Response Cache-Control: private E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1. Shorter life-time – in minutes or hours Do not store in cookies Issue scoped tokens
- 16. OAuth 2.0 Tokens RefreshTokens Must useTLS Long-lasting No refresh tokens under implicit grant type client credentials grant type SAML grant type JWT grant type
- 17. Self-contained Access Tokens JWT RFC 7519 Encodes claims to be transmitted as a JSON object Can be signed using JWS (JSON Web Signature) Can be encrypted using JWE (JSON Web Encryption) Represented as a sequence of URL-safe parts separated by period ('.') characters. Each part contains a base64url-encoded value Example eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ .dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
- 18. Self-issued Access Tokens Same as self-contained access tokens Issued by the client itself
- 19. Brokered Authentication • TLS Mutual Authentication • OAuth 2.0
- 20. OAuth 2.0 (decoupling end user authentication from the authorization server)
- 21. OAuth 2.0 (SAML grant type)
- 22. OAuth 2.0 (JWT grant type)
- 24. Authorization
- 25. XACML
- 26. OAuth & XACML A given access token has a scope associated with it and it governs the access token’s capabilities A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy. token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
- 27. Token Introspection POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-99JXJ&resource_id=… { "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/* }
- 28. XACML Policy <Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
- 29. XACML Request <Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes> </Request>
- 33. High Availability • Network level measures • Throttling • Client level • User level
- 34. Thank You