API Security : Patterns and Practices

Prabath Siriwardena, Director of Security Architecture, WSO2


Post on 09-Feb-2017






Page 1: API Security : Patterns and Practices


Page 2: API Security : Patterns and Practices

API Ecosystem

Page 3: API Security : Patterns and Practices

Gateway Pattern

• Decouple clients from the actual API implementation

• No point-to-point connections
• Centralized security enforcement
• Centralized auditing and monitoring
• Version control

Page 4: API Security : Patterns and Practices

Six key attributes of a secured design

• Only legitimate users can access the system (authentication)

• The system won’t allow users to do anything more than what they are supposed to do (authorization)

• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)

• Integrity of the transactions is protected (integrity)
• Transactions are protected against repudiation (non-repudiation)
• The system is available for legitimate users to access, all the time (availability)

Page 5: API Security : Patterns and Practices

Direct Authentication

• HTTP Basic Authentication
• HTTP Digest Authentication
• TLS Mutual Authentication
• OAuth 2.0 (for authentication?)

Page 6: API Security : Patterns and Practices

HTTP Basic Authentication

curl -i -u $GitHubUserName:$GitHubPassword -X POST -H 'Content-Type: application/json' -d '{"name": "my_github_repo"}' https://api.github.com/user/repos

Creating a GitHub repository

Page 7: API Security : Patterns and Practices

HTTP Digest Authentication

curl -k --digest -u userName:password -v https://localhost:8443/recipe

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
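As an added example (not from the slides), this is the client-side computation of the response= value in the Authorization header above and the server-side check that goes with it, using the slide's realm, nonce, uri, cnonce and nc. The password is constructed because the slide does not show it, so the computed response will not equal the slide's value.

```python
import hashlib
import hmac

# Challenge values taken from the slide's WWW-Authenticate header.
REALM = "cute-cupcakes.com"
NONCE = "1390781967182:c2db4ebb26207f6ed38bb08eeffc7422"

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side (RFC 2617, qop=auth): hashes cross the wire, not the password.
    That is Digest's advantage over Basic; MD5 remains a weak building block."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side. HA1 per user is password-equivalent for this realm, so the
    credential store needs the same protection as cleartext passwords."""

    def __init__(self, ha1_by_user, issued_nonce):
        self.ha1_by_user = ha1_by_user
        self.issued_nonce = issued_nonce
        self.seen_nc = set()  # nonce counts already accepted for this nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce != self.issued_nonce or nc in self.seen_nc:
            return False  # unknown user, foreign/stale nonce, or replayed nc
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.seen_nc.add(nc)
        return True

def demo():
    """Constructed password (not on the slide), so the response differs from the
    slide's f5bfb64b... value while following the same recipe."""
    password = "constructed-password"
    server = DigestVerifier({"prabath": _md5(f"prabath:{REALM}:{password}")}, NONCE)
    good = digest_response("prabath", password, "GET", "/recipe", NONCE, "00000001", "MTM5MDc4")
    accepted = server.verify("prabath", "GET", "/recipe", NONCE, "00000001", "MTM5MDc4", good)
    replayed = server.verify("prabath", "GET", "/recipe", NONCE, "00000001", "MTM5MDc4", good)
    bad = digest_response("prabath", "wrong-password", "GET", "/recipe", NONCE, "00000002", "MTM5MDc4")
    rejected = server.verify("prabath", "GET", "/recipe", NONCE, "00000002", "MTM5MDc4", bad)
    return accepted, replayed, rejected
```

demo() returns (True, False, False): a fresh valid request is accepted, the identical request replayed with the same nc is refused, and a wrong password fails the comparison.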

Page 8: API Security : Patterns and Practices

HTTP Basic vs. Digest Authentication

Page 9: API Security : Patterns and Practices

TLS Mutual Authentication

The gateway itself does the certificate validation. Fine-grained access validations can be done by the authorization server.

curl -k --cert client.pem https://localhost:8443/recipe

Page 10: API Security : Patterns and Practices

OAuth 2.0 (authorization code grant type)

Page 11: API Security : Patterns and Practices

OAuth 2.0 (implicit grant type)

Page 12: API Security : Patterns and Practices

OAuth 2.0 (password grant type)

Page 13: API Security : Patterns and Practices

OAuth 2.0 (client credentials grant type)

Page 14: API Security : Patterns and Practices

OAuth 2.0 (chained grant type)

Page 15: API Security : Patterns and Practices

OAuth 2.0 Tokens: Access Tokens

• Bearer tokens vs. MAC tokens
• TLS is a must
• Pass the access token in the HTTP Authorization header: Authorization: Bearer <token>
• Passing the access token as a URL query parameter: avoid this
  E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.
  Request: Cache-Control: no-store; Response: Cache-Control: private
• Shorter life-time: in minutes or hours
• Do not store in cookies
• Issue scoped tokens

Page 16: API Security : Patterns and Practices

OAuth 2.0 Tokens: Refresh Tokens

• Must use TLS
• Long-lasting
• No refresh tokens under:
  • implicit grant type
  • client credentials grant type
  • SAML grant type
  • JWT grant type

Page 17: API Security : Patterns and Practices

Self-contained Access Tokens

• JWT (RFC 7519)
• Encodes claims to be transmitted as a JSON object
• Can be signed using JWS (JSON Web Signature)
• Can be encrypted using JWE (JSON Web Encryption)
• Represented as a sequence of URL-safe parts separated by period ('.') characters; each part contains a base64url-encoded value

Example:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
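As an added example (not from the slides), a minimal HS256 issuer and verifier for self-contained tokens of the form shown above. The example token is the RFC 7515 one reproduced on the slide; its signing key is not on the slide, so the code uses a constructed key and verification of the slide's token is expected to fail, while its claims can still be read unverified.

```python
import base64
import hashlib
import hmac
import json
import time

# Token from the slide (the RFC 7515 HS256 example); its key is not on the slide.
SLIDE_JWT = ("eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
             ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
             ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Issue a self-contained token: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token, key, issuer, now=None):
    """Return the claims if the token is authentic, from the expected issuer and
    unexpired; otherwise None. The verifier fixes the algorithm itself rather
    than trusting whatever alg the header announces."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:  # missing exp is rejected
        return None
    return claims

def decode_unverified(token):
    """Read claims without trusting them: base64url is encoding, not protection."""
    return json.loads(b64url_decode(token.split(".")[1]))
```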

Page 18: API Security : Patterns and Practices

Self-issued Access Tokens

• Same as self-contained access tokens
• Issued by the client itself

Page 19: API Security : Patterns and Practices

Brokered Authentication

• TLS Mutual Authentication
• OAuth 2.0

Page 20: API Security : Patterns and Practices

OAuth 2.0 (decoupling end user authentication from the authorization server)

Page 21: API Security : Patterns and Practices

OAuth 2.0 (SAML grant type)

Page 22: API Security : Patterns and Practices

OAuth 2.0 (JWT grant type)

Page 23: API Security : Patterns and Practices

OAuth 2.0 (External Client)

Page 26: API Security : Patterns and Practices


A given access token has a scope associated with it, and that scope governs the access token's capabilities.

A user delegates access to his Facebook profile to a third party, under the scope "user_activities". This provides access to the user's list of activities as the activities' connection. To achieve fine-grained access control, this can be represented in an XACML policy.

token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities

Page 27: API Security : Patterns and Practices

Token Introspection

POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}
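As an added example (not from the slides), this is how a gateway can turn the introspection response above into an access decision, applying the earlier rule that bearer tokens are taken only from the Authorization header. The REQUIRED_SCOPE mapping, the handle() wrapper and the resource URLs are constructed; the introspection values are the slide's.

```python
import fnmatch

# Introspection response from the slide (RFC 7662 style), with the 'aud' value quoted.
SLIDE_INTROSPECTION = {
    "active": True,
    "client_id": "s6BhdRkqt3",
    "scope": "read write dolphin",
    "sub": "2309fj32kl",
    "aud": "http://example.org/protected-resource/*",
}

# Constructed mapping of HTTP methods to the scope each one needs.
REQUIRED_SCOPE = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}

def extract_bearer(headers):
    """Take the token only from the Authorization header (RFC 6750 section 2.1).
    A token carried in the query string is ignored, so it never drives a decision
    and does not end up in access logs and caches."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def authorize(introspection, method, url):
    """Gateway-side decision: token active, resource inside the token's audience,
    and the operation's scope among those granted. Returns (allowed, reason)."""
    if not introspection.get("active"):
        return False, "inactive token"
    aud = introspection.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7662: string or array
    if not any(fnmatch.fnmatchcase(url, a) for a in audiences):
        return False, "resource not in audience"
    needed = REQUIRED_SCOPE.get(method)
    granted = set(introspection.get("scope", "").split())
    if needed is None or needed not in granted:
        return False, f"scope '{needed}' not granted"
    return True, "ok"

def handle(headers, method, url, introspect):
    """End-to-end check for one request; 'introspect' is the call to the
    authorization server (replaced by the slide's response in tests)."""
    token = extract_bearer(headers)
    if token is None:
        return False, "no bearer token in Authorization header"
    return authorize(introspect(token), method, url)
```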

Page 28: API Security : Patterns and Practices

XACML Policy

<Policy>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator MustBePresent="false"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_rule" Effect="Permit"></Rule>
  <Rule RuleId="deny_rule" Effect="Deny"></Rule>
</Policy>

Page 29: API Security : Patterns and Practices

XACML Request

<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

Page 33: API Security : Patterns and Practices

High Availability

• Network level measures
• Throttling
  • Client level
  • User level

Page 34: API Security : Patterns and Practices

Thank You