API Security Patterns and More
Prabath Siriwardena
Director of Security Architecture
WSO2
Direct Authentication
•  HTTP Basic Authentication
•  HTTP Digest Authentication
•  TLS Mutual Authentication
•  OAuth 1.0 : Two Legged OAuth
•  OAuth 2.0 : Client Credentials
•  NTLM / Kerberos
HTTP Basic Authentication
curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d '{"name": "my_github_repo"}' https://api.github.com/user/repos
§  Creating a GitHub repository
HTTP Digest Authentication
curl -k --digest -u userName:password -v https://localhost:8443/recipe

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com",
qop="auth",
nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422",
opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Authorization: Digest username="prabath", realm="cute-cupcakes.com",
nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe",
cnonce="MTM5MDc4", nc=00000001, qop="auth",
response="f5bi64ba8596d1b9ad1514702f5a062",
opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
HTTP Basic vs. Digest Authentication
TLS Mutual Authentication
curl -k --cert client.pem https://localhost:8443/recipe
OAuth 1.0 : Two Legged OAuth
POST /student?name=pavithra HTTP/1.1
Host: server.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="simple",
    oauth_consumer_key="dsdsddDdsdsds",
    oauth_token="",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1474343201",
    oauth_nonce="rerwerweJHKjhkdsjhkhj",
    oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
OAuth 2.0 : Client Credentials
curl -v -X POST --basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "client_id=588997174524690&grant_type=client_credentials" https://graph.facebook.com/oauth/access_token
Kerberos / NTLM
§  Can be implemented as OAuth 2.0 grant types
Brokered Authentication
§  SAML 2.0 grant type for OAuth 2.0
Brokered Authentication
§  SAML 2.0 grant type for OAuth 2.0
Brokered Authentication
§  JWT grant type for OAuth 2.0
Fine-grained Access Control
Fine-grained Access Control
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{
    "active": true,
    "client_id": "s6BhdRkqt3",
    "scope": "read write dolphin",
    "sub": "2309x32kl",
    "aud": "http://example.org/protected-resource/*"
}
§  Token Introspection
Fine-grained Access Control
§  XACML Architecture
Fine-grained Access Control
§  XACML Request
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
Fine-grained Access Control
§  XACML Policy
<Policy>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator MustBePresent="false"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
              AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_rule" Effect="Permit">
  </Rule>
  <Rule RuleId="deny_rule" Effect="Deny">
  </Rule>
</Policy>
Chained APIs
Chained APIs
POST /token HTTP/1.1
Host: authz.server.net
Content-Type: application/x-www-form-urlencoded

grant_type=http://oauth.net/grant_type/chain
oauth_token=dsddDLJkuiiuieqjhk238khjh
scope=read

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 1800
}
Centralized Authorization with Distributed Resource Servers
User Managed Access (UMA)
•  PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
•  AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server).
•  RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
	
  
	
  
Thank You


WSO2Con USA 2015: Securing your APIs: Patterns and More

  • 1. API Security Patterns and More. Prabath Siriwardena, Director of Security Architecture, WSO2
  • 2. Direct Authentication: • HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 1.0 : Two Legged OAuth • OAuth 2.0 : Client Credentials • NTLM / Kerberos
  • 3. HTTP Basic Authentication: curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d '{"name": "my_github_repo"}' https://api.github.com/user/repos — § Creating a GitHub repository
  • 4. HTTP Digest Authentication: curl -k --digest -u userName:password -v https://localhost:8443/recipe
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
    Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bi64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
  • 5. HTTP Basic vs. Digest Authentication
  • 6. TLS Mutual Authentication: curl -k --cert client.pem https://localhost:8443/recipe
  • 7. OAuth 1.0 : Two Legged OAuth
    POST /student?name=pavithra HTTP/1.1
    Host: server.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="simple", oauth_consumer_key="dsdsddDdsdsds", oauth_token="", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1474343201", oauth_nonce="rerwerweJHKjhkdsjhkhj", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
  • 8. OAuth 2.0 : Client Credentials: curl -v -X POST --basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "client_id=588997174524690&grant_type=client_credentials" https://graph.facebook.com/oauth/access_token
  • 9. Kerberos / NTLM — § Can be implemented as OAuth 2.0 grant types
  • 10. Brokered Authentication — § SAML 2.0 grant type for OAuth 2.0
  • 11. Brokered Authentication — § SAML 2.0 grant type for OAuth 2.0
  • 12. Brokered Authentication — § JWT grant type for OAuth 2.0
  • 14. Fine-grained Access Control — § Token Introspection
    POST /introspection HTTP/1.1
    Accept: application/x-www-form-urlencoded
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

    token=X3241Affw.4233-99JXJ&resource_id=…

    { "active": true, "client_id": "s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309x32kl", "aud": "http://example.org/protected-resource/*" }
  • 15. Fine-grained Access Control — § XACML Architecture
  • 16. Fine-grained Access Control — § XACML Request
    <Request>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
        </Attribute>
      </Attributes>
    </Request>
  • 17. Fine-grained Access Control — § XACML Policy
    <Policy>
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
              <AttributeDesignator MustBePresent="false"
                  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <Rule RuleId="permit_rule" Effect="Permit">
      </Rule>
      <Rule RuleId="deny_rule" Effect="Deny">
      </Rule>
    </Policy>
  • 19. Chained APIs
    POST /token HTTP/1.1
    Host: authz.server.net
    Content-Type: application/x-www-form-urlencoded

    grant_type=http://oauth.net/grant_type/chain
    oauth_token=dsddDLJkuiiuieqjhk238khjh
    scope=read

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 1800 }
  • 20. Centralized Authorization with Distributed Resource Servers
  • 21. User Managed Access (UMA) • PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner. • AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server). • RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.