api security & federation patterns - francois lascelles, chief architect, layer 7 @ qcon sf
DESCRIPTION
The adoption of Mobile and Cloud applications drives API traffic across domains. OAuth 2.0 is being implemented in complex enterprise environments where new authorization endpoints are combined with various existing identity components, in various configurations. Handshakes are federated to help provide a single sign-on experience across applications and enhance adoption. Mediation between tokens at the edge of each domain helps extend existing data to new channels. Core grant types, extension grant types, custom schemes, standards, patterns and use cases – let us count the ways in which API access control is applied. This presentation will examine the role of API management infrastructure in API Security, API Access Control and API Federation and its interaction with enterprise infrastructure, social identity and application developers.TRANSCRIPT
![Page 1: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/1.jpg)
API Security and Federation Patterns
QCon San Francisco - November 13, 2013Francois Lascelles, Chief Architect, Layer 7 Technologies
#qconsf
#OAuth
@flascelles
![Page 2: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/2.jpg)
2 API Security and Federation Patterns
Agenda
Introduction
API Security Components
Authorization Server Patterns– Two-way token issuing– Redirection-based token issuing– Nested handshakes– Federated handshakes– Other extension handshakes
Vulnerabilities and Mitigation– Fishing attacks– Public vs Confidential clients– Bearer vs MAC token types
Managing API Security
![Page 3: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/3.jpg)
3 API Security and Federation Patterns
Information fragmentation
– Users and organizations interact with IT assets fragmented across an increasing number of service providers, applications and devices
– In isolation, each asset provides limited value
Your Org
![Page 4: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/4.jpg)
4 API Security and Federation Patterns
Application-to-application interaction
– APIs let providers and applications interact
HTTP
REST
OData
XML/JSON
Web Services
![Page 5: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/5.jpg)
5 API Security and Federation Patterns
Secure API exchange
– These APIs deal with personal and/or sensitive information and need to be secured Confidentiality Integrity Availability …
![Page 6: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/6.jpg)
6 API Security and Federation Patterns
Interactions on behalf of users
– OAuth lets users and organizations control these interactions Express consent Limit scope Turn on/off
![Page 7: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/7.jpg)
7 API Security and Federation Patterns
API security logical components
IdP
Authorization Server
Application
Resource Server API Endpoint
Token Server
Policy Enforcement Point
User
![Page 8: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/8.jpg)
8 API Security and Federation Patterns
Authorization server patterns
Let us count the ways…
![Page 9: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/9.jpg)
9 API Security and Federation Patterns
Two-way handshakes
1. Authenticate with secret, get token
2. Consume API, include token in requests
Limit shared-secret exposure by negotiating temporary token
![Page 10: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/10.jpg)
10 API Security and Federation Patterns
E.g. OAuth client credentials grant type
In this grant type, the application presents its own credentials to get a token.– No concept of user identity
Alternatives– Present client credentials with every API call (over secure channel)– HMAC signatures for every API call
Only for confidential clients
No refresh token in this case
![Page 11: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/11.jpg)
11 API Security and Federation Patterns
E.g. OAuth password grant type (ropc)
Resource-owner password credentials– For trusted apps only– For public or confidential clients– Optimal UX on mobile apps
1. App collects user credentials
3. App gets back token(s)
2. App uses creds in call to token endpoint
Email: _______Passwd: _______
[Login]
POST /token[Authorization: Basic optional]Content-Type: application/x-www-form-urlencodedgrant_type=password&username=franco&password=blah
Content-Type: application/json
{ "access_token":”foo”, "expires_in":3600, ["refresh_token":”optional”]}
![Page 12: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/12.jpg)
12 API Security and Federation Patterns
Redirection-based handshakes
![Page 13: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/13.jpg)
13 API Security and Federation Patterns
Redirection-based handshakes – Why?
Avoid the password sharing anti-pattern
Please provide your cc account info:• Username• Password
Pretend to be userPull statement
Expense system
Online statement
This seems wrong
![Page 14: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/14.jpg)
14 API Security and Federation Patterns
RBH – step 1
RedirectAuthenticate locally (if needed)Express consent
(Authorization server)
![Page 15: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/15.jpg)
15 API Security and Federation Patterns
RBH – step 2
Redirect back
Receive code
(callback address)
- User did not share passwd with app
![Page 16: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/16.jpg)
16 API Security and Federation Patterns
RBH – step 3
Much better…
I can haz token?
Call API(with token)
- Application now accesses data on behalf of user
tmp code
access token
![Page 17: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/17.jpg)
17 API Security and Federation Patterns
E.g. OAuth 2.0 code, implicit
OAuth 2.0 core specifies two variations on a redirection-based handshake
1. Authorization code– As we just described
2. Implicit– No temporary code– App gets token directly through redirect back from authorization server
![Page 18: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/18.jpg)
18 API Security and Federation Patterns
Social Login
An application delegates user authentication to a social platform– Enhanced user experience– Remove burden of managing shared secrets with users
![Page 19: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/19.jpg)
19 API Security and Federation Patterns
Social Login – Step 1
User click Login with [Social provider]– Redirected to Social provider’s authorization server
User authenticated, expresses consent
Do you authorize app to get basic info about you?
Yes [x]No [ ]
![Page 20: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/20.jpg)
20 API Security and Federation Patterns
Social Login – Step 2
++token
User expresses consent– Redirected back to the application– Application now has OAuth access token to call API on behalf of user
![Page 21: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/21.jpg)
21 API Security and Federation Patterns
Social Login – Step 3
App calls [Social provider]’s api– User_info endpoint– Discovers identity of user– Attaches it to session between app and user-agent
Who was this? [access_token]
{ ‘sub’: ‘franco’, ‘email’: ‘[email protected]’…}user_info
![Page 22: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/22.jpg)
22 API Security and Federation Patterns
Social Login -> OpenID Connect
API Provider -> IdP
In this case, the API provided is there to enable the federated authentication
This pattern is specified in standard OpenID Connect– Extends OAuth 2.0– Describes user_info, ID token based on JWT, …
Web-friendly and modern alternative to SAML web browser SSO– No SAML, no XML, no digital signatures,…
![Page 23: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/23.jpg)
23 API Security and Federation Patterns
Nested handshakes
When users interact with an authorization server, they need to be authenticated
What happens when the API provider wants to delegate authentication to a social login/openid connect provider?
Username: _________Password: _________ [Login]
Log in with [Google] [facebook] […]
Step 1App wants to consume API on behalf of user, redirects to API provider’s authorization server to get back access token
app
![Page 24: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/24.jpg)
24 API Security and Federation Patterns
Nested handshakes
Step 2User redirected to IdP of choice so that the first authorization server gets an access token from the 2nd authorization server
Do you authorize app* to get basic info about you?
Yes [x]No [ ]
app
![Page 25: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/25.jpg)
25 API Security and Federation Patterns
Nested handshakes
Step 3User redirected back, its identity now known to the first authorization server, expresses consent.
Do you authorize app* to [scope] on your behalf?
Yes [x]No [ ]
app
![Page 26: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/26.jpg)
26 API Security and Federation Patterns
Nested handshakes
Step 4User redirected back to app. Nested handshakes complete.
Two apps, two access tokens
![Page 27: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/27.jpg)
27 API Security and Federation Patterns
Federated handshakes
Application already has a ‘proof-of-authentication’, needs to consume API on behalf of user– Login using SAML on a web app– OpenID Connect
No redirection, no credentials
?<saml>{jwt}
![Page 28: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/28.jpg)
28 API Security and Federation Patterns
Federated handshakes
SAML Bearer Grant– urn:ietf:params:oauth:grant-type:samXX-bearer
<saml>
access_token
JWT Bearer Grant– urn:ietf:params:oauth:grant-type:jwt-bearer
{jwt}
access_token
![Page 29: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/29.jpg)
29 API Security and Federation Patterns
Example: Domain of apps sharing an auth context
A domain of apps on a mobile device share an auth context– OpenID Connect -> JWT
Each app gets its own access token– urn:ietf:params:oauth:grant-type:jwt-bearer
Single sign-on experience
OpenID Connect
JWT Bearer GrantGroup KeyChain
Mobile appsAPI Provider
![Page 30: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/30.jpg)
30 API Security and Federation Patterns
Other ‘extension’ handshakes
Challenge-response grant– One-time passwords– Risk-based, context-based auth– Multi-factor
[Insert Secret] bearer grant– Cookie– …
![Page 31: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/31.jpg)
31 API Security and Federation Patterns
Threats and Mitigation
![Page 32: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/32.jpg)
32 API Security and Federation Patterns
Fishing attacks
Risk associated with redirection-based handshakes– Malicious ‘application’ pretends to be legitimate– Inserts its own endpoint in callback address– Gets token
(especially implicit grant)
GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
Do you authorize Legitimate app to access API on your behalf?
[X] Yes[ ] No
Tricked you
![Page 33: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/33.jpg)
33 API Security and Federation Patterns
Fishing mitigation 101
Register and validate redirection URIs
Strict validation (not partial)
Never skip consent step
GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
ErrorInvalid callback
foiled
(out-of-band)Register Legitimate appCallback=foo
![Page 34: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/34.jpg)
34 API Security and Federation Patterns
Fishing on mobile
On the web, the user-agent is responsible for redirecting to the callback address– On the web, DNS resolves addresses and HTTPS validates server-side
trust
With native mobile apps, each app registers its own URL scheme instead
APPLE:“If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme. ”--link
![Page 35: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/35.jpg)
35 API Security and Federation Patterns
Public vs confidential clients
It’s either confidential, or it isn’t– Don’t ‘hide’ a secret on a public app
store or render on a web page
(badly hidden witch)
![Page 36: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/36.jpg)
36 API Security and Federation Patterns
Client confidentiality does strengthen security
Assigned secrets to clients (when appropriate) adds security– E.g. compromised refresh token:
foiled
1. Compromised access tokens, refresh tokens
2. Exploit stolen token for x minutes
3. Token expired
4. Attempt to get fresh token (using refresh token)
5. Authentication required
![Page 37: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/37.jpg)
37 API Security and Federation Patterns
Bearer vs MAC tokens
Bearer MAC
App developer
Tough choice
Adoption!
![Page 38: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/38.jpg)
38 API Security and Federation Patterns
Bearer, use responsibly
App developerAPI PublisherOAuth Server Impl
- Don’t render them where they can be copied from.- Store them securely.- Server-side trust
- Don’t log them.- Forget original (hash them).
Bearer tokens are easier but need to be used responsibly– Exchanged and used over a secure channel
tokens in query strings
![Page 39: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/39.jpg)
39 API Security and Federation Patterns
MAC, is it really more secure?
Pros– Better protected against man-in-the-middle– If a request is intercepted, no big deal
Cons– You have to keep two secrets safe on the server side (per client)
![Page 40: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/40.jpg)
40 API Security and Federation Patterns
Managing API Security
• Authorization Server• Policy Enforcement Point• Resource Server• ALFW• …
Decouple
Protect
Extend framework to
client app Integrate
• Web SSO• Analytics• Dev/User Portal• …
Configure, not code
![Page 41: API Security & Federation Patterns - Francois Lascelles, Chief Architect, Layer 7 @ QCon SF](https://reader037.vdocuments.us/reader037/viewer/2022110306/554a26f6b4c90526578b4a39/html5/thumbnails/41.jpg)
Thank you
QCon SF 2013Francois Lascelles, Chief Architect, Layer 7 Technologies