![Page 1](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/1.jpg)
Secure your APIs & Microservices with OAuth & OpenID Connect
Copyright © 2018 Curity AB
By Travis Spencer, CEO, @travisspencer, @curityio
![Page 2](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/2.jpg)
• All API Conferences
• API Community
• Active blogosphere
Organizers and founders
Austin API Summit, June 11 – 13 | Austin, Texas
2018 Platform Summit, October 22 – 24 | Stockholm, Sweden
![Page 3](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/3.jpg)
API Security == API Keys
• Problem Solved!
@travis / @curityio Copyright © 2018 Curity AB
![Page 4](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/4.jpg)
API Security != API Keys
• Revocable, non-expiring, bearer access tokens
• Symmetric keys
• Passwords!
![Page 5](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/5.jpg)
API Security == OAuth
• Problem solved for real this time?
Not that easy! Sorry ☹
![Page 6](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/6.jpg)
Crucial Security Concerns
Enterprise Security API Security Mobile Security
![Page 7](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/7.jpg)
Identity is Central
Mobile Security
Enterprise Security
API Security
MDM MAM
AuthZ
![Page 8](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/8.jpg)
The Neo-security Stack
JSON Identity Suite
OpenID Connect
SCIM
OAuth 2
Provisioning
Identities
Federation
Delegated Access
Authorization
U2F Authentication
![Page 9](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/9.jpg)
OAuth
• OAuth 2 is the new protocol of protocols
  • Used as the base of other specifications
  • OpenID Connect, UMA, HEART, etc.
• Addresses some important requirements
  • Delegated access
  • No password sharing
  • Revocation of access
![Page 10](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/10.jpg)
OAuth Actors
1. Resource Owner (RO)
2. Client
3. Authorization Server (AS)
4. Resource Server (RS) (i.e., API)
Get a token
Use a token
![Page 11](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/11.jpg)
Request, Authenticate & Consent
Request Access Login Consent
![Page 12](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/12.jpg)
User is redirected to OAuth server
Code Flow
APIs & microservices
![Page 13](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/13.jpg)
User logs in and delegates access
Code Flow
APIs & microservices
![Page 14](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/14.jpg)
Code Flow
Short-lived access code is issued to client
APIs & microservices
![Page 15](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/15.jpg)
Code Flow
Code is exchanged for an access token
APIs & microservices
![Page 16](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/16.jpg)
Code Flow
Access token can be used to call APIs
APIs & microservices
![Page 17](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/17.jpg)
Scopes
• Like permissions
• Scopes specify extent of tokens’ usefulness
• Listed on consent UI (if shown)
• No standardized scopes
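The code flow on slides 12 to 16 and the scope slide above, as one added example that is not from the talk or from Curity: a toy authorization server issues a short-lived, single-use code, the client exchanges it over the back channel for an opaque access token, and a toy API enforces scopes like permissions. The client id, secret, redirect URI, user name and endpoint-to-scope mapping are constructed values for the example.

```python
import secrets
import time

# Constructed sample client registration at the authorization server (AS).
# All identifiers and secrets here are made up for the example.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example/callback"
CODE_LIFETIME = 60        # seconds: the code only has to survive one redirect
TOKEN_LIFETIME = 3600     # seconds


class AuthorizationServer:
    """Toy AS: issues short-lived, single-use codes and opaque access tokens."""

    def __init__(self):
        self._codes = {}    # code -> (client_id, redirect_uri, scope, user, expires_at)
        self._tokens = {}   # access token -> (user, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, user, consented, now=None):
        """Front channel: the user has logged in; on consent a code goes back to the client."""
        now = time.time() if now is None else now
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")
        if not consented:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, scope, user, now + CODE_LIFETIME)
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now=None):
        """Back channel: the client exchanges the code for an access token."""
        now = time.time() if now is None else now
        entry = self._codes.pop(code, None)      # pop: a code is good for one exchange only
        if entry is None:
            raise PermissionError("invalid_grant")
        c_id, r_uri, scope, user, expires_at = entry
        if c_id != client_id or r_uri != redirect_uri or now > expires_at:
            raise PermissionError("invalid_grant")
        if client_secret != CLIENT_SECRET:
            raise PermissionError("invalid_client")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (user, scope, now + TOKEN_LIFETIME)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": scope}

    def lookup(self, access_token, now=None):
        """What the API asks the AS: is this token live, for whom, with which scopes?"""
        now = time.time() if now is None else now
        entry = self._tokens.get(access_token)
        if entry is None or now > entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1].split()}


class ResourceServer:
    """Toy API: every endpoint names the scope it needs, like a permission."""

    ENDPOINTS = {"/orders": "orders.read", "/orders/cancel": "orders.write"}  # constructed

    def __init__(self, authorization_server):
        self._as = authorization_server

    def call(self, path, access_token, now=None):
        info = self._as.lookup(access_token, now)
        if info is None:
            return 401, "invalid_token"
        required = self.ENDPOINTS[path]
        if required not in info["scope"]:
            return 403, f"insufficient_scope: need {required}"
        return 200, f"{path} for {info['user']}"


def run_code_flow(now=None):
    """Walks the steps of the flow and returns what each party saw."""
    now = time.time() if now is None else now
    auth_server = AuthorizationServer()
    api = ResourceServer(auth_server)
    # User is redirected, logs in and delegates access: a code is issued to the client.
    code = auth_server.authorize(CLIENT_ID, REDIRECT_URI, "orders.read", "alice", True, now)
    # The client exchanges the code for an access token.
    grant = auth_server.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, now)
    # The access token is used to call APIs; the second call needs a scope that was not granted.
    read = api.call("/orders", grant["access_token"], now)
    write = api.call("/orders/cancel", grant["access_token"], now)
    try:
        auth_server.token(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, now)  # code used twice
        replay = "accepted"
    except PermissionError as err:
        replay = str(err)
    expired = api.call("/orders", grant["access_token"], now + TOKEN_LIFETIME + 1)
    return {"read": read, "write": write, "replay": replay, "expired": expired}


if __name__ == "__main__":
    for step, result in run_code_flow().items():
        print(f"{step}: {result}")
```

The point to notice is where each secret lives: the code travels through the browser and is therefore short-lived and single-use, while the client secret and the access token never do. The API does not interpret the token itself; it asks the AS and then checks the scope against what the endpoint requires.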
![Page 18](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/18.jpg)
Kinds of Tokens
Access Tokens: like a session; used to secure API calls
Refresh Tokens: like a password; used to get new access tokens
![Page 19](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/19.jpg)
Profiles of Tokens
Holder of Key
HoK tokens are like credit cards
Bearer
Bearer tokens are like cash
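The cash versus credit card contrast above, as an added example that is not from the talk or from Curity: a bearer token is accepted from whoever presents it, while a holder-of-key token names a key and the API demands a fresh proof of possession over the request before it accepts the token. The client key registry, key id and replay window are constructed; a shared HMAC key stands in for the asymmetric key a real deployment would bind to the token, so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: the client's key registered out of band. In practice this is a key
# pair whose thumbprint is bound into the token; HMAC keeps the example self-contained.
CLIENT_KEYS = {"client-key-1": b"constructed-client-key"}
REPLAY_WINDOW = 30   # seconds a signed request stays valid


def issue_bearer_token():
    """Bearer: a random handle; anyone holding it can use it (cash)."""
    return {"value": secrets.token_urlsafe(32), "cnf": None}


def issue_hok_token(key_id):
    """Holder-of-key: the token names the key the presenter must prove it holds (credit card)."""
    return {"value": secrets.token_urlsafe(32), "cnf": {"kid": key_id}}


def _request_message(method, path, timestamp, nonce, token_value):
    # Binding method, path, time, nonce and token together is what stops reuse elsewhere.
    return "\n".join([method, path, str(timestamp), nonce, token_value]).encode()


def sign_request(method, path, token, client_key, now=None):
    """Client side: proof of possession over this request and this token."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    proof = hmac.new(client_key, _request_message(method, path, now, nonce, token["value"]),
                     hashlib.sha256).hexdigest()
    return {"ts": now, "nonce": nonce, "proof": proof}


class Api:
    def __init__(self):
        self._seen_nonces = set()

    def authorize(self, method, path, token, proof=None, now=None):
        now = int(time.time() if now is None else now)
        if token["cnf"] is None:
            return 200, "bearer: presented, therefore accepted"   # cash
        if proof is None:
            return 401, "proof of possession required"
        key = CLIENT_KEYS.get(token["cnf"]["kid"])
        if key is None:
            return 401, "unknown key"
        if abs(now - proof["ts"]) > REPLAY_WINDOW or proof["nonce"] in self._seen_nonces:
            return 401, "stale or replayed proof"
        expected = hmac.new(key, _request_message(method, path, proof["ts"], proof["nonce"],
                                                  token["value"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof["proof"]):
            return 401, "proof does not match key bound to token"
        self._seen_nonces.add(proof["nonce"])
        return 200, "holder-of-key: token and proof accepted"
```

With the bearer token, possession of the token value is the whole check. With the holder-of-key token, a token value on its own, a proof made with a different key, a proof replayed later or a proof lifted from one request and attached to another are all refused, which is the property the credit card analogy is pointing at.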
![Page 20](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/20.jpg)
Types of Tokens
• WS-Security & SAML
• Custom
• Home-grown
• Oracle Access Manager
• SiteMinder
• CBOR Web Tokens (CWT)
• JWT
![Page 21](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/21.jpg)
JWT Type Tokens
• Pronounced like the English word “jot”
• Lightweight tokens passed in HTTP headers & query strings
• Encoded as JSON
• Compact
• Encrypted, signed, or neither
• Not the only kind of token allowed by OAuth
![Page 22](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/22.jpg)
Passing Tokens
By Value
User attributes are in the token
By Reference
User attributes are referenced by an identifier
![Page 23](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/23.jpg)
Improper Usage of OAuth
Not for authentication
Not for federation
Not really for authorization
![Page 24](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/24.jpg)
Proper Usage of OAuth
For delegation
![Page 25](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/25.jpg)
OpenID Connect
• Next generation federation protocol
• Based on OAuth 2
• Made for mobile
• Not backward compatible
• Client & API receive tokens
• User info endpoint provided for client to get user data
![Page 26](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/26.jpg)
OpenID Connect Examples
Parties: Browser, RP / Client, OAuth AS / OpenID Provider
1. Request login, providing “openid” scope & user info scopes
2. Access code
3. Send code to get access token
4. Access token & ID token
5. Check audience restriction of ID token
6. Get user info using access token
7. User info
![Page 27](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/27.jpg)
ID Token is for the Client
• Access token is for API
• ID token is for client
• ID token provides client with info about
  • Intended client recipient
  • Username
  • Credential used to login
  • Issuer of token
  • Expiration time
![Page 28](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/28.jpg)
User Info Endpoint
• Token issuance and user discovery endpoint
• Authenticate using access token issued by OpenID Provider
• Output depends on requested and authorized scopes
• sub claim must match sub claim in ID token
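The JWT slide, the ID token slide and the user info slide above, as one added example that is not from the talk or from Curity: a minimal HS256 JWT is minted and verified with the standard library, the client checks signature, issuer, audience restriction and expiry on the ID token, then calls a toy user info endpoint with the access token and confirms that its sub matches the ID token's sub. The issuer URL, client id, shared key and the constructed profile attributes are assumptions for the example; a real OpenID Provider would normally sign with an asymmetric key published in its JWKS, which changes only the signature check.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values: in a real deployment the issuer is the OP's URL and the key
# comes from a secret store or, for asymmetric algorithms, from the OP's JWKS.
ISSUER = "https://op.example"
CLIENT_ID = "example-client"
OP_KEY = b"constructed-shared-secret-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256 tag)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now=None) -> dict:
    """Client-side checks on an ID token: signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":       # the verifier pins the algorithm, the token does not choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:         # audience restriction: is this token meant for us?
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class OpenIDProvider:
    """Toy OP: issues ID tokens and answers user info requests for its access tokens."""

    def __init__(self):
        self._access_tokens = {}   # access token -> (sub, granted scopes)

    def login(self, sub, scopes, now=None):
        now = time.time() if now is None else now
        access_token = secrets.token_urlsafe(16)
        self._access_tokens[access_token] = (sub, set(scopes))
        id_token = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": int(now),
                             "exp": int(now) + 300, "amr": ["pwd"]}, OP_KEY)
        return {"access_token": access_token, "id_token": id_token}

    def userinfo(self, access_token):
        """Authenticated by the access token; output depends on the authorized scopes."""
        entry = self._access_tokens.get(access_token)
        if entry is None:
            raise PermissionError("invalid_token")
        sub, scopes = entry
        profile = {"sub": sub}
        if "profile" in scopes:
            profile["name"] = f"User {sub}"              # constructed attribute
        if "email" in scopes:
            profile["email"] = f"{sub}@users.example"    # constructed attribute
        return profile


def complete_login(op, response, now=None):
    """RP side: validate the ID token first, then fetch user info and cross-check the subject."""
    claims = verify_id_token(response["id_token"], OP_KEY, ISSUER, CLIENT_ID, now)
    info = op.userinfo(response["access_token"])
    if info["sub"] != claims["sub"]:   # user info must belong to the user the ID token names
        raise ValueError("user info does not belong to the authenticated user")
    return {"sub": claims["sub"], "amr": claims["amr"], "profile": info}
```

The audience check is the one that is easiest to forget: a validly signed ID token from the right issuer is still not evidence of anything if it was issued to a different client. The order in `complete_login` matters too: the ID token is validated before the access token is spent on a user info call, and the subject in the response is compared with the subject the ID token asserted.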
![Page 29](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/29.jpg)
Applied to Microservices and APIs
![Page 30](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/30.jpg)
A Traditional Service
![Page 31](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/31.jpg)
With Traditional Subsystems
Component C
Component D
Component A
Component B
![Page 32](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/32.jpg)
… and traditional scalability
![Page 33](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/33.jpg)
But this is not always how we build systems
![Page 34](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/34.jpg)
One Microservice
![Page 35](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/35.jpg)
Many Microservices
![Page 36](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/36.jpg)
Scaling Microservices
![Page 37](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/37.jpg)
Securing Traditional Services
![Page 38](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/38.jpg)
Securing Traditional Services
User repository
![Page 39](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/39.jpg)
So for microservices that would mean…
User repository
![Page 40](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/40.jpg)
Remember our two token passing methods?
By Value
User attributes are in the token
By Reference
User attributes are referenced by an identifier
![Page 41](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/41.jpg)
By Reference
Contains NO information outside the network
![Page 42](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/42.jpg)
By Value
Contains ALL necessary information
![Page 43](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/43.jpg)
External vs. Internal
By Value
Outside the network
By Reference
Inside the network
APIs & Services
API Firewall / Reverse Proxy
![Page 44](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/44.jpg)
Token Translation
By Value
Inside the network
By Reference
Outside the network
APIs & Services
API Firewall / Reverse Proxy
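The by-value versus by-reference slides and the token translation slide above, as one added example that is not from the talk or from Curity: the authorization server hands out opaque reference tokens that carry no information outside the network, the API firewall / reverse proxy introspects them and mints a short-lived by-value token carrying all the claims the internal services need, and an internal service verifies that token locally without calling the AS. The internal signing key, the gateway issuer name, the scope names and the lifetimes are constructed for the example; the internal token format is a signed JSON body rather than a full JWT, to keep the example short.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key shared between the gateway and the internal services.
INTERNAL_KEY = b"constructed-internal-signing-key"
INTERNAL_TOKEN_LIFETIME = 60   # seconds; internal tokens are short-lived and re-minted per call


class AuthorizationServer:
    """Issues by-reference tokens and answers the gateway's introspection queries."""

    def __init__(self):
        self._store = {}   # reference -> token record

    def issue(self, sub, scope, ttl=600, now=None):
        now = time.time() if now is None else now
        reference = secrets.token_urlsafe(32)   # random handle: carries no data at all
        self._store[reference] = {"sub": sub, "scope": scope, "exp": int(now) + ttl}
        return reference

    def revoke(self, reference):
        self._store.pop(reference, None)   # revocation is immediate for by-reference tokens

    def introspect(self, reference, now=None):
        now = time.time() if now is None else now
        record = self._store.get(reference)
        if record is None or now >= record["exp"]:
            return {"active": False}
        return {"active": True, **record}


def mint_internal_token(claims: dict, key: bytes) -> str:
    """By-value token for inside the network: canonical JSON plus an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_internal_token(token: str, key: bytes, now=None) -> dict:
    """Service-side check: the tag must match and the token must not have expired."""
    now = time.time() if now is None else now
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise ValueError("expired")
    return claims


class Gateway:
    """API firewall / reverse proxy: by reference outside, by value inside."""

    def __init__(self, authorization_server):
        self._as = authorization_server

    def translate(self, reference, now=None):
        now = time.time() if now is None else now
        info = self._as.introspect(reference, now)
        if not info["active"]:
            return None
        # Never outlive the external token, and keep the internal copy short-lived anyway.
        claims = {"iss": "gateway", "sub": info["sub"], "scope": info["scope"],
                  "exp": min(info["exp"], int(now) + INTERNAL_TOKEN_LIFETIME)}
        return mint_internal_token(claims, INTERNAL_KEY)


def orders_service(internal_token, now=None):
    """An internal service needs no round trip to the AS: everything is in the token."""
    claims = verify_internal_token(internal_token, INTERNAL_KEY, now)
    if "orders.read" not in claims["scope"].split():
        return 403, "insufficient_scope"
    return 200, f"orders for {claims['sub']}"


def handle_external_request(gateway, reference, now=None):
    """What one external API call looks like end to end."""
    internal = gateway.translate(reference, now)
    if internal is None:
        return 401, "invalid_token"
    return orders_service(internal, now)
```

Two properties fall out of the split. A reference token that leaks outside the network tells nobody who the user is or what was granted, and revoking it takes effect at the next introspection. Inside the network, services verify the by-value token with a key they already hold, so the AS is not on the hot path of every internal hop, and the short internal lifetime bounds how long a revoked external token can still be honoured.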
![Page 45](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/45.jpg)
Demo
![Page 46](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/46.jpg)
Additional Resources
• Blog posts
  • bit.ly/oauth-deep-dive
  • bit.ly/4-api-security-defenses
  • bit.ly/building-secure-api
  • bit.ly/right-api-armor
  • https://bit.ly/2qn8Jj4
• Videos
  • bit.ly/oauth-in-depth
  • bit.ly/micro-services-security
  • bit.ly/building-secure-api-video
• Whitepaper at our booth
  • https://nordicapis.com/api-insights/security/
![Page 47](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/47.jpg)
Summary
• API security > API keys & OAuth
• OAuth 2 fundamentals
  • Token types
  • Profiles
  • Passing tokens
• Building OpenID Connect on OAuth
• Using those with microservices & for user-based delegation
![Page 48](https://reader036.vdocuments.us/reader036/viewer/2022070807/5f05c21b7e708231d4148f22/html5/thumbnails/48.jpg)
Visit curity.io and stop by our booth