Securing RESTful Payment APIs Using OAuth 2
DESCRIPTION
Audio from this session is available at https://archive.org/details/rest_apis_with_oauth2
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
TRANSCRIPT
Using OAuth 2
Securing RESTful Payment APIs
Jonathan LeBlanc, Principal Developer Evangelist (PayPal)
Github: http://github.com/jcleblanc
Twitter: @jcleblanc
The Ultimate Decision
Security Usability
REST Architecture
What a RESTful API isn’t
Our API is RESTful, we support GET, PUT, POST, and DELETE requests
No…actually you just support HTTP…like the rest of the web.
What a RESTful API is
Honor HTTP request verbs
Use proper HTTP status codes
No version numbering in URIs
Return format via HTTP Accept header
Double Rainbow: Discovery via HATEOAS
Does Anyone Actually Do That?
Very few APIs follow pragmatic REST principles
"links": [
  {
    "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
    "rel": "self",
    "method": "GET"
  },
  {
    "href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
    "rel": "approval_url",
    "method": "REDIRECT"
  },
  {
    "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
    "rel": "execute",
    "method": "POST"
  }
]
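The "links" array above is the HATEOAS part of the response: the client discovers where to send the user (approval_url) and where to execute the payment (execute) from the response rather than from hard-coded paths. A client that follows those links blindly would also send its bearer token wherever a tampered or misparsed href points, so a practical client vets each link first. The following is an added example in Python, not code from the talk or from PayPal; the sample response is constructed in the same shape as the slide, and the allowlisted hosts and the helper names (find_link, resolve_link, LinkError) are this example's own assumptions.

```python
"""Pick and vet HATEOAS links before following them (added example, not from the talk)."""
import json
from urllib.parse import urlsplit

# Constructed sample with the same shape as the slide's "links" array; the
# line-wrap spaces inside the hrefs on the slide have been removed.
SAMPLE_RESPONSE = json.loads("""
{
  "id": "PAY-6RV75EKEYSZ6Y",
  "links": [
    {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
     "rel": "self", "method": "GET"},
    {"href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
     "rel": "approval_url", "method": "REDIRECT"},
    {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
     "rel": "execute", "method": "POST"}
  ]
}
""")

# Assumed allowlists: the bearer token is only ever sent to API_HOSTS, and the
# user's browser is only ever redirected to REDIRECT_HOSTS.
API_HOSTS = {"api.sandbox.paypal.com"}
REDIRECT_HOSTS = {"www.sandbox.paypal.com"}
API_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}


class LinkError(ValueError):
    """Raised when a link is missing, ambiguous, or fails the safety checks."""


def find_link(response, rel):
    """Return the single link whose rel matches, or raise LinkError."""
    matches = [link for link in response.get("links", []) if link.get("rel") == rel]
    if len(matches) != 1:
        raise LinkError(f"expected exactly one link with rel={rel!r}, found {len(matches)}")
    link = matches[0]
    for key in ("href", "method"):
        if not isinstance(link.get(key), str):
            raise LinkError(f"link {rel!r} has no string {key!r}")
    return link


def resolve_link(response, rel):
    """Return (method, href) for rel after checking scheme, host and method.

    A REDIRECT link is meant for the user's browser; anything else is an API
    call that will carry the bearer token, so its host must be an API host.
    """
    link = find_link(response, rel)
    method = link["method"].upper()
    parts = urlsplit(link["href"])
    if parts.scheme != "https":
        raise LinkError(f"refusing non-HTTPS link for {rel!r}: {link['href']}")
    if method == "REDIRECT":
        allowed = REDIRECT_HOSTS
    elif method in API_METHODS:
        allowed = API_HOSTS
    else:
        raise LinkError(f"unexpected method {method!r} for {rel!r}")
    if parts.hostname not in allowed:
        raise LinkError(f"host {parts.hostname!r} is not allowlisted for {method} links")
    return method, link["href"]


if __name__ == "__main__":
    # Typical flow: send the user to approval_url, then POST to execute.
    print(resolve_link(SAMPLE_RESPONSE, "approval_url"))
    print(resolve_link(SAMPLE_RESPONSE, "execute"))
```

The method check matters as much as the host check: a REDIRECT link is handed to the browser and must never be fetched by the token-bearing client, while an API link must be HTTPS to an API host before the Authorization header goes out.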
Adding an Auth Mechanism
When You Need Access Security
A Few Different Flavors of Usage
User login (authentication)
Application only (bearer tokens)
User Involvement (authorization)
Our App Usage: Bearer Tokens
A Practical Implementation
Making Your Definitions
<?php
// Credentials and endpoints; the client id/secret identify the application
define("CLIENT_ID", "YOUR CLIENT ID");
define("CLIENT_SECRET", "YOUR CLIENT SECRET");
define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");
define("URI_LIVE", "https://api.paypal.com/v1/");

class paypal {
    private $access_token;
    private $token_type;

    // Client-credentials grant: trade the app's id/secret for a bearer token
    public function __construct(){
        $postvals = "grant_type=client_credentials";
        $uri = URI_SANDBOX . "oauth2/token";
        $auth_response = $this->curl($uri, 'POST', $postvals, true);
        if ($auth_response['status'] != 200 || !isset($auth_response['body']->access_token)){
            throw new RuntimeException("token request failed with HTTP " . $auth_response['status']);
        }
        $this->access_token = $auth_response['body']->access_token;
        $this->token_type = $auth_response['body']->token_type;
    }

    // … (further methods elided on the slide)

    private function curl($url, $method = 'GET', $postvals = null, $auth = false){
        $ch = curl_init($url);
        if ($auth){
            // Token request: HTTP Basic with the client id/secret, no bearer token yet
            $headers = array("Accept: application/json", "Accept-Language: en_US");
            curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
            curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" . CLIENT_SECRET);
        } else {
            // API call: present the bearer token obtained in the constructor
            $headers = array(
                "Content-Type: application/json",
                "Authorization: {$this->token_type} {$this->access_token}"
            );
        }
        $options = array(
            CURLOPT_HEADER => true,
            CURLINFO_HEADER_OUT => true,
            CURLOPT_HTTPHEADER => $headers,
            CURLOPT_RETURNTRANSFER => true,
            // Verbose output writes request headers (including the Basic
            // credentials and bearer token) to stderr; leave it off outside debugging
            CURLOPT_VERBOSE => true,
            CURLOPT_TIMEOUT => 10
        );
        if ($method == 'POST'){
            $options[CURLOPT_POSTFIELDS] = $postvals;
            $options[CURLOPT_CUSTOMREQUEST] = $method;
        }
        curl_setopt_array($ch, $options);
        $response = curl_exec($ch);
        if ($response === false){
            throw new RuntimeException("curl error: " . curl_error($ch));
        }
        // CURLOPT_HEADER returns headers and body in one string; split them so
        // callers get the decoded JSON body the constructor expects
        $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return array(
            'status' => $status,
            'header' => substr($response, 0, $header_size),
            'body'   => json_decode(substr($response, $header_size))
        );
    }
}
Making a Call with the Token
// Send a JSON payment request, authenticated with the bearer token from the constructor
public function process_payment($request){
    $postvals = $request;   // JSON string describing the payment
    $uri = URI_SANDBOX . "payments/payment";
    return $this->curl($uri, 'POST', $postvals);
}
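The two slides above ("Making Your Definitions" and "Making a Call with the Token") show the client half of the exchange: Basic auth with the client id and secret at oauth2/token, then the returned bearer token on every payment call. To make the protocol concrete from the issuer's side, here is an added example in Python of the minimal token endpoint and bearer check such a client talks to. It is not code from the talk and not PayPal's implementation; the client id and secret, the token lifetime, the in-memory stores and all function names are constructed for this example.

```python
"""Server side of the client-credentials flow the slides' PHP client uses.

Added example, not from the talk and not PayPal's implementation. Client ids,
secrets, the token lifetime and the in-memory stores are constructed here.
"""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # seconds; assumed value, a real issuer reports it as expires_in


def _sha256(value):
    return hashlib.sha256(value.encode()).hexdigest()


# Registered apps: keep only a hash of each secret so a leaked table is not reusable.
CLIENTS = {"app-123": _sha256("s3cret-example")}  # constructed credentials


@dataclass
class IssuedToken:
    client_id: str
    expires_at: float


# Issued tokens, keyed by their hash rather than the raw token.
_TOKENS = {}


def basic_auth_header(client_id, secret):
    """Build the 'Authorization: Basic ...' value that CURLAUTH_BASIC sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def parse_basic_auth(header):
    """Return (client_id, secret) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def token_endpoint(headers, form, now=None):
    """Handle POST /oauth2/token. Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    expected = CLIENTS.get(client_id)
    # Compare in constant time, against a dummy hash when the id is unknown,
    # so unknown ids and wrong secrets take the same path and time.
    match = hmac.compare_digest(_sha256(secret), expected or _sha256(""))
    if expected is None or not match:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
    _TOKENS[_sha256(token)] = IssuedToken(client_id, now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_LIFETIME}


def authenticate_bearer(headers, now=None):
    """Return the client_id behind a valid 'Authorization: Bearer ...', else None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    record = _TOKENS.get(_sha256(token))
    if record is None or record.expires_at <= now:
        return None   # unknown or expired: the client must request a new token
    return record.client_id


if __name__ == "__main__":
    hdr = {"Authorization": basic_auth_header("app-123", "s3cret-example")}
    status, body = token_endpoint(hdr, {"grant_type": "client_credentials"})
    print(status, body["token_type"], body["expires_in"])
    print(authenticate_bearer({"Authorization": "Bearer " + body["access_token"]}))
```

Two details are worth carrying into any real issuer: the secret is compared hash-to-hash in constant time, and the bearer token is a random value whose lifetime is enforced on every call, which is why the PHP client above has to handle a failed token request rather than assume one access_token lasts forever.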
The Last Considerations
REST and OAuth are specifications, not religions
Don’t alienate your developers with security
Open source is your friend
www.slideshare.com/jcleblanc
Thank You! Questions?
Jonathan LeBlanc, Principal Developer Evangelist (PayPal)
Github: http://github.com/jcleblanc
Twitter: @jcleblanc