Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Api Protection

Armen Mkrtchyan
October 27, 2017
Technology
2
410

Api Protection

Building a secure API is one of the most common requirements in the market nowadays. Yet there are many strategies with their strengths and fallbacks, some simple, some complex. Let’s together walk through the existing strategies and take a look at a solution, that could, potentially, end this discussion once and for all.

Armen Mkrtchyan

October 27, 2017
Tweet

More Decks by Armen Mkrtchyan

See All by Armen Mkrtchyan
REST my dongle #kreait-dev-days
iamtankist
1
110
Life on the edge between AngularJS and Symfony2
iamtankist
9
3.5k

Other Decks in Technology

See All in Technology
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.5k
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
100
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
140
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
170
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
強いチームと開発生産性
onk
PRO
35
11k
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
210
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
700

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
52
13k
How to Ace a Technical Interview
jacobian
276
23k
BBQ
matthewcrist
85
9.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Typedesign – Prime Four
hannesfritz
40
2.4k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Thoughts on Productivity
jonyablonski
67
4.3k
The Pragmatic Product Professional
lauravandoore
31
6.3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Rails Girls Zürich Keynote
gr2m
94
13k
Building Applications with DynamoDB
mza
90
6.1k

Transcript

  1. PROTECTING YOUR API
 THE PAST, THE PRESENT AND THE FUTURE

    ARMEN MKRTCHYAN
  2. None

  3. ARMEN MKRTCHYAN @IAMTANKIST (github, twitter, telegram)

  4. YOU CAN WRITE A LOT OF TEXT ON BLACK BACKGROUND

    HERE.
  5. None

  6. osmihelp.org

  7. PROTECTING YOUR API
 THE PAST, THE PRESENT AND THE FUTURE

    ARMEN MKRTCHYAN

  8. AUTH CODE REFRESH_TOKEN ACCESS_TOKEN API KEY BEARER TOKEN ID_TOKEN

  9. AUTH CODE REFRESH_TOKEN ACCESS_TOKEN API KEY BEARER TOKEN ID_TOKEN TOKEN?

  10. TOKEN WILLIAMS Aliases Blackie Gender Male Hair Black Age 10

    Occupation Student Grade 4th Grade

  11. noun to·ken \ ˈtō-kən \ TOKEN „something given or shown

    as a guarantee (as of authority, right, or identity)“
  12. None

  13. HTTP BASIC AUTH

  14. $ sudo htpasswd -c /etc/apache2/.htpasswd user1 $ cat /etc/apache2/.htpasswd user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0

    STEP 1

  15. STEP 2 - NGINX CONFIGURATION ... http { server {

    location /foo/bar { auth_basic "Protected Area"; auth_basic_user_file /etc/apache2/.htpasswd; } } } ...

  16. STEP 3 - USE Access url in the browser -

    fill in the dialog base64_encode('user:password') => d3BhbG1lcjp0ZXN0dGVzdA== GET / HTTP/1.1
 Host: example.com
 Authorization: Basic d3BhbG1lcjp0ZXN0dGVzdA== // embed in URL
 https://user:[email protected] 2 1 3

  17. STEP 3 - USE Access url in the browser -

    fill in the dialog base64_encode('user:password') => d3BhbG1lcjp0ZXN0dGVzdA== GET / HTTP/1.1
 Host: example.com
 Authorization: Basic d3BhbG1lcjp0ZXN0dGVzdA== // embed in URL
 https://user:[email protected] 2 1 3

  18. OAUTH 1

  19. STEP 1 - INITIALISE POST /initiate HTTP/1.1
 Host: photos.example.net
 Authorization:

    OAuth realm="Photos", \
 oauth_consumer_key="dpf43f3p2l4k3l03", \
 oauth_signature_method="HMAC-SHA1", \
 oauth_timestamp="137131200", \
 oauth_nonce="wIjqoS", \
 oauth_callback="http%3A%2F%2Fclient.example.com%2Fready", \
 oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" \ HTTP/1.1 200 OK
 Content-Type: application/x-www-form-urlencoded
 oauth_token=hh5s93j4hdidpola&
 oauth_token_secret=hdhd0244k9j7ao03&
 oauth_callback_confirmed=true

  20. STEP 1 - INITIALISE POST /initiate HTTP/1.1
 Host: photos.example.net
 Authorization:

    OAuth realm="Photos", \
 oauth_consumer_key="dpf43f3p2l4k3l03", \
 oauth_signature_method="HMAC-SHA1", \
 oauth_timestamp="137131200", \
 oauth_nonce="wIjqoS", \
 oauth_callback="http%3A%2F%2Fclient.example.com%2Fready", \
 oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" \ HTTP/1.1 200 OK
 Content-Type: application/x-www-form-urlencoded
 oauth_token=hh5s93j4hdidpola&
 oauth_token_secret=hdhd0244k9j7ao03&
 oauth_callback_confirmed=true

  21. STEP 2 - AUTHORIZATION GET /authorize?oauth_token=hh5s93j4hdidpola HTTP/1.1
 Host: photos.example.net //

    Asks for username and login and redirects to http://<oauth_callback>? \
 oauth_token=hh5s93j4hdidpola& \
 oauth_verifier=hfdp7dh39dks9884

  22. STEP 3 - TOKEN POST /token HTTP/1.1 Host: photos.example.net Authorization:

    OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", \ oauth_token="hh5s93j4hdidpola", \ oauth_signature_method="HMAC-SHA1", \ oauth_timestamp="137131201", \ oauth_nonce="walatlh", \ oauth_verifier="hfdp7dh39dks9884", \ oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D" // redirects back with to http://<oauth_callback>? \ oauth_token=hh5s93j4hdidpola& \ oauth_verifier=hfdp7dh39dks9884

  23. STEP 4 - USING TOKEN GET /photos?file=vacation.jpg&size=original HTTP/1.1 Host: photos.example.net

    Authorization: OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131202", oauth_nonce="chapoH", oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"

  24. OAUTH 2

  25. • More OAuth Flows • No client-side cryptography • Expiration

    of access_tokens

  26. CLIENTS SERVICE Users Admins Services 3rd-Party Services Monitoring Things

  27. LETS TALK ABOUT LEGS!

  28. None

  29. 2-LEGGED/3-LEGGED AUTHENTICATION

  30. None
  31. None

  32. 3-LEGGED 2-LEGGED SERVICE Users Admins Services 3rd-Party Services Monitoring Things

  33. CLIENT_ID CLIENT_SECRET REDIRECT_URI GRANT_TYPES SCOPES CLIENT

  34. AUTHORIZATION CODE CLIENT CREDENTIALS PASSWORD IMPLICIT REFRESH CUSTOM GRANT TYPES

    ACCESS_TOKEN

  35. AUTHORIZATION CODE 3-LEGGED

  36. AUTHORIZAION CODE - STEP 1 POST /authorize HTTP/1.1 Host: photos.example.net

    Content-Type: application/x-www-form-urlencoded response_type=code& \ client_id=CLIENT_ID& \ redirect_uri=https://client.example.com/cb& \ scope=email,birthday& \ state=csrf_string // Asks for user authorisation and redirects back HTTP/1.1 302 Found Location: https://client.example.com/cb?code=CODE&state=csrf_string

  37. AUTHORIZAION CODE - STEP 2 POST /token HTTP/1.1 Host: photos.example.net

    Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& \ code=CODE& \ redirect_uri=https://client.example.com/cb& \ client_id=CLIENT_id& Content-Type: application/json;charset=UTF-8 { "access_token":"2YotnFZFEjr1zCsicMWpAA", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA" }

  38. CLIENT CREDENTIALS 2-LEGGED

  39. POST /token HTTP/1.1 Host: photos.example.net Content-Type: application/x-www-form-urlencoded grant_type=client_credentials& \ client_id=CLIENT_id&

    \ client_secret=CLIENT_SECRET Content-Type: application/json;charset=UTF-8 { "access_token":"2YotnFZFEjr1zCsicMWpAB", "expires_in":3600 }

  40. USING ACCESS_TOKEN

  41. GET /photos HTTP/1.1 Host: photos.example.net Authorization: Bearer 2YotnFZFEjr1zCsicMWpAB

  42. GET /photos HTTP/1.1 Host: photos.example.net Authorization: Bearer 2YotnFZFEjr1zCsicMWpAB

  43. SELF-INVENTED SOLUTIONS

  44. None

  45. JWT

  46. None

  47. • ISS - ISSUER (AKA ORIGIN) • SUB - SUBJECT

    (AKA USER_ID) • AUD - AUDIENCE (AKA CLIENT_ID) • EXP - EXPIRES AT • IAT - ISSUED AT JWT STANDARD CLAIMS
  48. None

  49. lexik/LexikJWTAuthenticationBundle POST /users/login?_username=...&_password=... HTTP/1.1 {token: "eyJhbGciOiJ..."} POST /photos HTTP/1.1 Authorization:

    Bearer eyJhbGciOiJ...

  50. lexik/LexikJWTAuthenticationBundle POST /users/login?_username=...&_password=... HTTP/1.1 {token: "eyJhbGciOiJ..."} POST /photos HTTP/1.1 Authorization:

    Bearer eyJhbGciOiJ...

  51. RETROSPECTIVE

  52. BASIC AUTH - NICE, PASS INVOLVED OAUTH1 - TOO COMPLEX

    OAUTH2 - SOLVES THE PROBLEM, BUT... SELF-INVENTED - NO* JWT - OVER-SIMPLISTIC *unless you really know what you are doing

  53. 37signals, Asana, Amazon, Auth0, Azure, Bitbucket, Bitly, BufferApp, Clever, DeviantArt,

    Discogs, Disqus, Dropbox, EVE Online, Eventbrite, Facebook, FI-WARE, Flickr, Foursquare, GitHub, GitLab, Google, Hubic, Instagram, itembase, Jira, Linkedin, Mail.ru, Odnoklassniki, PayPal, QQ, Reddit, Salesforce, SensioLabs Connect, Sina Weibo, Spotify, Soundcloud, Stack Exchange, Stereomood, Strava, Toshl, Trello, Twitch, Twitter, Wunderlist, Vkontakte, Windows Live, XING, Yahoo, Yandex HTTPS://GITHUB.COM/HWI/ HWIOAUTHBUNDLE

  54. OPENID CONNECT

  55. OAUTH2 + IDENTITY LAYER

  56. OAUTH2 + IDENTITY LAYER DISCOVERY DYNAMIC CLIENT REGISTRATION IMPLEMENTATION CERTIFICATION

    ID_TOKEN STANDARD CLAIMS SESSION MANAGEMENT JWKS FORM POST RESPONSE MODE
  57. None
  58. None

  59. AUTH0 DEUTSCHE TELEKOM GOOGLE MICROSOFT PAYPAL PRO7SAT1 RED HAT SALESFORCE

    SYMANTEC VERIZON

  60. WHAT CHANGED?

  61. AUTHORIZAION CODE - STEP 1 POST /authorize HTTP/1.1 Host: photos.example.net

    Content-Type: application/x-www-form-urlencoded response_type=code& \ client_id=CLIENT_ID& \ redirect_uri=https://client.example.com/cb& \ scope=email,birthday,openid& \ state=csrf_string // Asks for user authorisation and redirects back HTTP/1.1 302 Found Location: https://client.example.com/cb?code=CODE&state=csrf_string
  62. None

  63. { "access_token": "SlAV3...2hkKG", "token_type": "Bearer", "refresh_token": "8xLO...xBtZp8", "expires_in": 3600, "id_token":

    "eyJhbGci...OiJS.UzI1...ImtpZCI6.IjFlOWdkaz...cifQewo" }

  64. { "iss": "http://server.example.com", "sub": "248289761001", // aka user_id "aud": "s6BhdRkqt3",

    // aka client_id "nonce": "n-0S6_WzA2Mj", // aka CSRF token "exp": 1311281970, "iat": 1311280970 }

  65. USERINFO ENDPOINT

  66. GET /userinfo HTTP/1.1 Authorization: Bearer SlAV3...2hkKG { "sub": "248289761001", "name":

    "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "[email protected]", "picture": "http://example.com/janedoe/me.jpg" } IT'S A STANDARD!!! (SECTION 5.2)

  67. GET /userinfo HTTP/1.1 Authorization: Bearer SlAV3...2hkKG { "sub": "248289761001", "name":

    "Jane Doe", "given_name": "Jane", "family_name": "Doe", "preferred_username": "j.doe", "email": "[email protected]", "picture": "http://example.com/janedoe/me.jpg" }

  68. DISCOVERY

  69. GET /.well-known/openid-configuration HTTP/1.1 Host: accounts.google.com Authorization: Bearer SlAV3...2hkKG { "issuer":

    "https://accounts.google.com", "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth", "token_endpoint": "https://www.googleapis.com/oauth2/v4/token", "userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo", "revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke", "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs", "response_types_supported": [ "code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none" ], "scopes_supported": [ "openid", "email", "profile" ], "claims_supported": [ "aud", "email", "email_verified", "exp", "family_name", "given_name", "iat", "iss", "locale", "name", "picture", "sub" ] }

  70. ARE WE THERE YET?

  71. None

  72. EVERY TALK SHOULD DELIVER A MESSAGE

  73. „I might be no body, but wait ‘til I’m together

    like a symphony.“ – IMMORTAL TECHNIQUE – “THE PROPHECY”

  74. THANK YOU! PLEASE GIVE ME SOME FEEDBACK! @IAMTANKIST (github, twitter,

    telegram)