2. .com
• User Management and Authentication
API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
7. 3. Resubmit Request
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Learn more at Stormpath.com
8. Authorization Header Format
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Scheme Name Scheme-specific Value
sp
Learn more at Stormpath.com
9. 4. Successful Response
HTTP/1.1 200 OK
Content-Type: application/json
...
{
“email”: “jsmith@gmail.com”,
“givenName”: “Joe”,
“surname”: Smith”,
...
}
Learn more at Stormpath.com
10. Example: Oauth 1.0a
GET /accounts/1234 HTTP/1.1
Host: api.acme.com
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
Learn more at Stormpath.com
11. Example: Oauth 2
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: Bearer mF_9.B5f-4.1JqM
Learn more at Stormpath.com
12. Example: Oauth 2 MAC
GET /accounts/x2b4jX3l31uiL HTTP/1.1
Host: api.acme.com
Authorization: MAC id="h480djs93hd8",
nonce="264095:dj83hs9s”,
mac="SLDJd4mg43cjQfElUs3Qub4L6xE="
Learn more at Stormpath.com
13. Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer token algorithms
• Use Oauth 1.0a or Oauth 2 (preferably MAC)
• Only use a custom scheme if you really,
really know what you’re doing.
Learn more at Stormpath.com
15. 401 vs 403
• 401 “Unauthorized” really means
Unauthenticated
“You need valid credentials for me to respond to
this request”
• 403 “Forbidden” really means Unauthorized
“I understood your credentials, but so sorry, you’re
not allowed!”
Learn more at Stormpath.com
17. HTTP Authorization
• After authc, perform authz
• Filter requests before invoking MVC layer
• Blanket security policies
• Per-URI customization
Learn more at Stormpath.com
18. HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X’s email address please?”
NOT:
• “I want to authenticate User X w/ this
username and password”
• People still try to use OAuth for
authentication (OpenId Connect)
Learn more at Stormpath.com
19. HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to read
• When Oauth 2 isn’t as good of a fit:
• If your REST client owns the data it is
reading
• Could still be fine if you’re willing to incur
some additional overhead
Learn more at Stormpath.com
20. HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO
Learn more at Stormpath.com
23. API Keys, Not Passwords
• Entropy
• Independence
• Speed
• Reduced Exposure
• Traceability
• Rotation
Learn more at Stormpath.com
24. API Keys cont’d
• Authenticate every request
• Encrypt API Key secret values at rest.
• Avoid Sessions (not RESTful)
• Authc every request + no sessions = no
XSRF attacks
Learn more at Stormpath.com
27. Identifiers
• Should be opaque
• Secure Random or Random/Time UUID
• URL-friendly ‘Base62’ encoding
• Avoid sequential numbers:
• distribute ID generation load
• mitigate fusking attacks
Learn more at Stormpath.com
29. Query Injection
Vulnerable URL:
foo.com/accounts?acctId=‘ or ‘1’=‘1
String query =
“select * from accounts where acct_id = ‘” +
request.getParameter(“acctId”) + “’”;
Solution
• Use Parameterized Query API (Prepared
Statements).
• If not available, escape special chars
Learn more at Stormpath.com
31. Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp
Learn more at Stormpath.com
33. TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’
flags for secure cookies
• Backend/infrastructure connections use
TLS too
Learn more at Stormpath.com
34. TLS Cont’d
• Configure your SSL provider to only support
strong (FIPS 140-2 compliant) algorithms
• Use Cipher Suites w/ Perfect Forward
Secrecy!
–e.g.
ECDHE_RSA_WITH_AES_256_GCM_SHA256
• Keep your TLS certificates valid
• But beware, TLS isn’t foolproof
– App-level encryption + TLS for most secure
results
Learn more at Stormpath.com
36. Configuration
• CI: Security Testing
• Security Patches
• Regularly scan/audit
• Same config in Dev, Prod, QA*
– (Docker is great for this!)
• Externalize passwords/credentials
* Except credentials of course
Learn more at Stormpath.com
40. .com
• Free for developers
• Eliminate months of development
• Automatic security best practices
Sign Up Now: Stormpath.com
Learn more at Stormpath.com