API Security and Federation Patterns

QCon San Francisco - November 13, 2013

Francois Lascelles, Chief Architect, Layer 7 Technologies

#qconsf #OAuth @flascelles
Watch the video with slide synchronization on InfoQ.com!
http://www.infoq.com/presentations/api-security-federation-patterns

Presented at QCon San Francisco (www.qconsf.com)
Agenda

§ Introduction
§ API Security Components
§ Authorization Server Patterns
  – Two-way token issuing
  – Redirection-based token issuing
  – Nested handshakes
  – Federated handshakes
  – Other extension handshakes
§ Vulnerabilities and Mitigation
  – Fishing attacks
  – Public vs Confidential clients
  – Bearer vs MAC token types
§ Managing API Security
  

Information fragmentation

– Users and organizations interact with IT assets fragmented across an increasing number of service providers, applications and devices
– In isolation, each asset provides limited value

[diagram label: Your Org]
  

Application-to-application interaction

– APIs let providers and applications interact
  § HTTP
  § REST
  § OData
  § XML/JSON
  § Web Services
  

Secure API exchange

– These APIs deal with personal and/or sensitive information and need to be secured
  § Confidentiality
  § Integrity
  § Availability
  § …
  

Interactions on behalf of users

– OAuth lets users and organizations control these interactions
  § Express consent
  § Limit scope
  § Turn on/off
  

API security logical components

[diagram labels]
  – IdP
  – User
  – Authorization Server
  – Application
  – Token Server
  – Policy Enforcement Point
  – Resource Server
  – API Endpoint
Authorization server patterns

Let us count the ways…
  

Two-way handshakes

§ Limit shared-secret exposure by negotiating a temporary token
  1. Authenticate with secret, get token
  2. Consume API, include token in requests
  

E.g. OAuth client credentials grant type

§ In this grant type, the application presents its own credentials to get a token.
  – No concept of user identity
§ Alternatives
  – Present client credentials with every API call (over a secure channel)
  – HMAC signatures for every API call
§ Only for confidential clients
§ No refresh token in this case
  

E.g. OAuth password grant type (ROPC)

§ Resource-owner password credentials
  – For trusted apps only
  – For public or confidential clients
  – Optimal UX on mobile apps

1. App collects user credentials

   Email:  _______
   Passwd: _______
   [Login]

2. App uses creds in call to token endpoint

   POST /token
   [Authorization: Basic optional]
   Content-Type: application/x-www-form-urlencoded

   grant_type=password&username=franco&password=blah

3. App gets back token(s)

   Content-Type: application/json

   {
     "access_token": "foo",
     "expires_in": 3600,
     ["refresh_token": "optional"]
   }
Redirection-based handshakes
  

Redirection-based handshakes – Why?

§ Avoid the password sharing anti-pattern

[diagram] Expense system: "Please provide your cc account info: • Username • Password" → pretend to be user → pull statement from Online statement. This seems wrong.

RBH – step 1

[diagram] Redirect to the authorization server: authenticate locally (if needed), express consent

RBH – step 2

[diagram] Redirect back; receive code
– User did not share passwd with app

RBH – step 3

[diagram] (callback address) tmp code → "I can haz token?" → access token → call API (with token)
– Application now accesses data on behalf of user

Much better…
E.g. OAuth 2.0 code, implicit

OAuth 2.0 core specifies two variations on a redirection-based handshake
1. Authorization code
  – As we just described
2. Implicit
  – No temporary code
  – App gets token directly through redirect back from authorization server
  

Social Login

§ An application delegates user authentication to a social platform
  – Enhanced user experience
  – Remove burden of managing shared secrets with users
  

Social Login – Step 1

§ User clicks Login with [Social provider]
  – Redirected to Social provider's authorization server
§ User authenticated, expresses consent

  "Do you authorize app to get basic info about you?  Yes [x]  No [ ]"
  

Social Login – Step 2

§ User expresses consent
  – Redirected back to the application
  – Application now has OAuth access token to call API on behalf of user

[diagram: ++token]
  

Social Login – Step 3

§ App calls [Social provider]'s API
  – User_info endpoint
  – Discovers identity of user
  – Attaches it to session between app and user-agent

[diagram] "Who was this? [access_token]" → user_info → { 'sub': 'franco', 'email': 'flascelles@gmail.com', … }
  
	
  

Social Login -> OpenID Connect

§ In this case, the API provided is there to enable the federated authentication
§ This pattern is specified in standard OpenID Connect
  – Extends OAuth 2.0
  – Describes user_info, ID token based on JWT, …
§ Web-friendly and modern alternative to SAML web browser SSO
  – No SAML, no XML, no digital signatures, …

API Provider -> IdP
  

Nested handshakes

§ When users interact with an authorization server, they need to be authenticated
§ What happens when the API provider wants to delegate authentication to a social login/OpenID Connect provider?

  Username: _________
  Password: _________  [Login]
  Log in with [Google] [facebook] […]
  

Nested handshakes

Step 1: App wants to consume API on behalf of user, redirects to API provider's authorization server to get back access token

Step 2: User redirected to IdP of choice so that the first authorization server gets an access token from the 2nd authorization server

  "Do you authorize app* to get basic info about you?  Yes [x]  No [ ]"
  

Nested handshakes

Step 3: User redirected back, its identity now known to the first authorization server, expresses consent.

  "Do you authorize app* to [scope] on your behalf?  Yes [x]  No [ ]"
  

Nested handshakes

Step 4: User redirected back to app. Nested handshakes complete.

Two apps, two access tokens
  

Federated handshakes

§ Application already has a 'proof-of-authentication', needs to consume API on behalf of user
  – Login using SAML on a web app
  – OpenID Connect
§ No redirection, no credentials

[diagram] <saml> / {jwt} → ?
  

Federated handshakes

§ SAML Bearer Grant
  – urn:ietf:params:oauth:grant-type:saml2-bearer
  [diagram] <saml> → access_token
§ JWT Bearer Grant
  – urn:ietf:params:oauth:grant-type:jwt-bearer
  [diagram] {jwt} → access_token
  

Example: Domain of apps sharing an auth context

§ A domain of apps on a mobile device share an auth context
  – OpenID Connect -> JWT
§ Each app gets its own access token
  – urn:ietf:params:oauth:grant-type:jwt-bearer
§ Single sign-on experience

[diagram] Mobile apps (Group KeyChain) → OpenID Connect / JWT Bearer Grant → API Provider
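Added example, not code from the deck or from Layer 7: a stdlib-only Python sketch of the JWT bearer grant used on the two slides above. The client presents an HS256-signed assertion it already holds, and the token endpoint verifies signature, audience, subject and expiry before issuing an access token, with no redirection and no user credentials. The shared key, the token-endpoint URL and the claim values are constructed; real deployments normally verify against asymmetric keys published by the IdP.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.com/token"  # constructed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign a JWT. The key is shared between the IdP that mints the
    assertion and the authorization server that accepts it (constructed setup)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: float) -> dict:
    """Return the claims if signature, audience, subject and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header, body, sig = parts
    # Pin the algorithm: never let the token choose how it is verified.
    hdr = json.loads(_b64url_decode(header))
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != audience:
        raise ValueError("assertion not meant for this token endpoint")
    if "sub" not in claims:
        raise ValueError("missing sub")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("assertion expired")
    return claims


class TokenEndpoint:
    """Authorization-server side of the federated handshake: the assertion is
    the only thing presented; the user is never redirected or prompted."""

    def __init__(self, idp_key: bytes, now=time.time):
        self.idp_key = idp_key
        self.now = now          # injectable clock, constructed for the example
        self.issued = {}        # access_token -> (subject, expiry)

    def token(self, form: dict) -> dict:
        """Handle the POST /token form for grant_type=jwt-bearer."""
        if form.get("grant_type") != JWT_BEARER:
            return {"error": "unsupported_grant_type"}
        try:
            claims = verify_jwt(form.get("assertion", ""), self.idp_key,
                                TOKEN_ENDPOINT, self.now())
        except ValueError as exc:
            return {"error": "invalid_grant", "error_description": str(exc)}
        access_token = secrets.token_urlsafe(32)
        self.issued[access_token] = (claims["sub"], self.now() + 3600)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600}
```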
  

Other 'extension' handshakes

§ Challenge-response grant
  – One-time passwords
  – Risk-based, context-based auth
  – Multi-factor
§ [Insert Secret] bearer grant
  – Cookie
  – …
  

Threats and Mitigation
  

Fishing attacks

§ Risk associated with redirection-based handshakes
  – Malicious 'application' pretends to be legitimate
  – Inserts its own endpoint in callback address
  – Gets token
§ (especially implicit grant)

[diagram]
  GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
  "Do you authorize Legitimate app to access API on your behalf?  [X] Yes  [ ] No"
  Tricked you
  

Fishing mitigation 101

§ Register and validate redirection URIs
§ Strict validation (not partial)
§ Never skip consent step

[diagram]
  Register Legitimate app (out-of-band): Callback=foo
  GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
  Error: Invalid callback. Foiled :(
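Added example, not the deck's own code, of the strict callback validation the slide calls for: an /authorize handler that accepts only a redirect_uri registered for the client_id, compared character for character, and answers the user-agent directly instead of redirecting when the check fails. The client registry and URIs are constructed; a prefix-matching check is included only to show what 'partial' validation would let through.

```python
from urllib.parse import parse_qs

# Constructed client registry (not from the deck): the exact callback URIs each
# client registered out-of-band. Exact strings, not patterns or prefixes.
REGISTERED_CLIENTS = {
    "legitimate": {"https://app.example.com/oauth/callback"},
}


def validate_redirect_uri(client_id, redirect_uri):
    """Strict check: redirect_uri must equal one registered URI exactly."""
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def partial_match(client_id, redirect_uri):
    """The 'partial' validation the slide warns against, kept only for contrast:
    prefix matching accepts anything appended to a registered URI."""
    return any(redirect_uri.startswith(uri)
               for uri in REGISTERED_CLIENTS.get(client_id, set()))


def handle_authorize(query_string):
    """Decide on GET /authorize?... before any consent page is rendered."""
    params = {k: v[0] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not validate_redirect_uri(client_id, redirect_uri):
        # Never redirect to an unvalidated URI, not even to report the error:
        # answer the user-agent directly (RFC 6749 sections 4.1.2.1 / 4.2.2.1).
        return "error: invalid callback"
    if params.get("response_type") not in ("code", "token"):
        return "error: unsupported_response_type"
    # Only now is it safe to show "Do you authorize app to ... on your behalf?"
    return "ok: render consent page"
```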
  

Fishing on mobile

§ On the web, the user-agent is responsible for redirecting to the callback address
  – On the web, DNS resolves addresses and HTTPS validates server-side trust
§ With native mobile apps, each app registers its own URL scheme instead

APPLE:
"If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
--link
  

Public vs confidential clients

§ It's either confidential, or it isn't
  – Don't 'hide' a secret on a public app store or render on a web page

[image: badly hidden witch]
  

Client confidentiality does strengthen security

§ Assigning secrets to clients (when appropriate) adds security
  – E.g. compromised refresh token:
    1. Compromised access tokens, refresh tokens
    2. Exploit stolen token for x minutes
    3. Token expired
    4. Attempt to get fresh token (using refresh token)
    5. Authentication required. Foiled :(
  

Bearer vs MAC tokens

§ Bearer
§ MAC

[diagram] App developer: "Tough choice" / "Adoption!"
  

Bearer, use responsibly

§ Bearer tokens are easier but need to be used responsibly
  – Exchanged and used over a secure channel

[diagram: App developer, API Publisher, OAuth Server Impl]
  – Don't log them.
  – Don't render them where they can be copied from.
  – Store them securely.
  – Forget original (hash them).
  – Server-side trust
  – tokens in query strings

MAC, is it really more secure?

§ Pros
  – Better protected against man-in-the-middle
  – If a request is intercepted, no big deal
§ Cons
  – You have to keep two secrets safe on the server side (per client)
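Added example, not from the deck and loosely modelled on the HTTP MAC scheme rather than an implementation of any draft, showing why an intercepted MAC-protected request is "no big deal": the client signs timestamp, nonce, method, host and path with a per-token key, and the server rejects replays, altered requests and stale timestamps. It also makes the con concrete: the server holds both the token id and the MAC key per client. Token ids, keys and the request values are constructed.

```python
import hashlib
import hmac
import secrets


def mac_input(ts, nonce, method, host, path):
    """Normalized request string covered by the MAC (constructed format)."""
    return f"{ts}\n{nonce}\n{method.upper()}\n{host.lower()}\n{path}\n".encode()


def sign_request(token_id, key, ts, nonce, method, host, path):
    """Client side: produce the Authorization header for one request."""
    mac = hmac.new(key, mac_input(ts, nonce, method, host, path),
                   hashlib.sha256).hexdigest()
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


class MacVerifier:
    def __init__(self, now, window=60):
        self.now = now          # injectable clock, constructed for the example
        self.window = window    # seconds of clock skew tolerated
        self.keys = {}          # token id -> (mac key, subject): two secrets per client
        self.seen = set()       # (id, ts, nonce) already accepted, for replay detection

    def issue(self, subject):
        token_id, key = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.keys[token_id] = (key, subject)
        return token_id, key

    def verify(self, header, method, host, path):
        """Return the subject if the request is authentic and fresh, else None."""
        if not header.startswith("MAC "):
            return None
        try:
            fields = {k.strip(): v.strip().strip('"')
                      for k, v in (p.split("=", 1) for p in header[4:].split(","))}
            token_id, ts = fields["id"], int(fields["ts"])
            nonce, mac = fields["nonce"], fields["mac"]
        except (KeyError, ValueError):
            return None
        if token_id not in self.keys:
            return None
        key, subject = self.keys[token_id]
        if abs(self.now() - ts) > self.window:
            return None                      # stale: outside the acceptance window
        if (token_id, ts, nonce) in self.seen:
            return None                      # replay of an intercepted request
        expected = hmac.new(key, mac_input(ts, nonce, method, host, path),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None                      # altered request or wrong key
        self.seen.add((token_id, ts, nonce))
        return subject
```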
  

Managing API Security

[diagram]
  Integrate: Authorization Server, Policy Enforcement Point, Resource Server, ALFW, …
  Protect
  Extend framework to client app
  Configure, not code
  

[diagram] Decouple: Web SSO, Analytics, Dev/User Portal, …

Thank you

QCon SF 2013
Francois Lascelles, Chief Architect, Layer 7 Technologies

 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

API Security and Federation Patterns

  • 1. API Security and Federation Patterns. QCon San Francisco, November 13, 2013. Francois Lascelles, Chief Architect, Layer 7 Technologies. #qconsf #OAuth @flascelles
  • 2. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/api-security-federation-patterns InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month
  • 3. Presented at QCon San Francisco www.qconsf.com Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide
  • 4. Agenda
    § Introduction
    § API Security Components
    § Authorization Server Patterns
      – Two-way token issuing
      – Redirection-based token issuing
      – Nested handshakes
      – Federated handshakes
      – Other extension handshakes
    § Vulnerabilities and Mitigation
      – Phishing attacks
      – Public vs Confidential clients
      – Bearer vs MAC token types
    § Managing API Security
  • 5. Information fragmentation
    – Users and organizations interact with IT assets fragmented across an increasing number of service providers, applications and devices
    – In isolation, each asset provides limited value
  • 6. Application-to-application interaction
    – APIs let providers and applications interact
      § HTTP
      § REST
      § OData
      § XML/JSON
      § Web Services
  • 7. Secure API exchange
    – These APIs deal with personal and/or sensitive information and need to be secured
      § Confidentiality
      § Integrity
      § Availability
      § …
  • 8. Interactions on behalf of users
    – OAuth lets users and organizations control these interactions
      § Express consent
      § Limit scope
      § Turn on/off
  • 9. API security logical components
    IdP, User, Authorization Server, Application, Token Server, Policy Enforcement Point, Resource Server, API Endpoint
  • 10. Authorization server patterns. Let us count the ways…
  • 11. Two-way handshakes
    § Limit shared-secret exposure by negotiating a temporary token
    1. Authenticate with secret, get token
    2. Consume API, include token in requests
  • 12. E.g. OAuth client credentials grant type
    § In this grant type, the application presents its own credentials to get a token.
      – No concept of user identity
    § Alternatives
      – Present client credentials with every API call (over secure channel)
      – HMAC signatures for every API call
    § Only for confidential clients
    § No refresh token in this case
  • 13. E.g. OAuth password grant type (ROPC)
    § Resource-owner password credentials
      – For trusted apps only
      – For public or confidential clients
      – Optimal UX on mobile apps
    1. App collects user credentials (Email: _______ Passwd: _______ [Login])
    2. App uses creds in call to token endpoint:
         POST /token
         [Authorization: Basic optional]
         Content-Type: application/x-www-form-urlencoded

         grant_type=password&username=franco&password=blah
    3. App gets back token(s):
         Content-Type: application/json

         {
           "access_token": "foo",
           "expires_in": 3600,
           ["refresh_token": "optional"]
         }
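The two grants on slides 12 and 13 share one token endpoint, and the differences the slides list (client credentials only for confidential clients and never with a refresh token; the password grant open to public clients) are easiest to see in code. The following is an added example written for this page, not code from the talk or from Layer 7. The client ids, the client secret, the user "franco" and the hashing scheme for the user store are constructed for illustration; a real server would persist clients, users and issued tokens.

```python
"""OAuth 2.0 token endpoint for the two-way grants: client_credentials and password (ROPC).

Added example, not code from the talk or from Layer 7. Client registry, user store
and token values are constructed for illustration; a real server would persist them.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed registry. Only a confidential client has a secret it can actually keep.
CLIENTS = {
    "expense-backend": {"confidential": True, "secret": "s3cr3t-backend"},
    "mobile-app": {"confidential": False, "secret": None},
}
# Constructed user store: (salt, sha256(salt + password)); never the clear-text password.
USERS = {"franco": ("salt1", hashlib.sha256(b"salt1" + b"blah").hexdigest())}


def basic_auth_header(client_id, client_secret):
    """Build the HTTP Basic header a confidential client sends to /token."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
    return hmac.compare_digest(candidate.encode(), digest.encode())


def _authenticate_client(auth_header):
    """Return (client_id, authenticated). Public clients are identified, never authenticated."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None, False
    try:
        client_id, _, secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None, False
    client = CLIENTS.get(client_id)
    if client is None or not client["confidential"]:
        return client_id, False
    return client_id, hmac.compare_digest(secret.encode(), client["secret"].encode())


def _token_response(with_refresh):
    resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    if with_refresh:
        resp["refresh_token"] = secrets.token_urlsafe(32)
    return 200, resp


def handle_token_request(body, auth_header=None):
    """Handle POST /token; body is the x-www-form-urlencoded string. Returns (status, json)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id, authenticated = _authenticate_client(auth_header)
    if client_id is None:
        client_id = form.get("client_id")  # public clients identify themselves in the body
    client = CLIENTS.get(client_id)
    if client is None or (client["confidential"] and not authenticated):
        return 401, {"error": "invalid_client"}

    grant = form.get("grant_type")
    if grant == "client_credentials":
        # The app acts as itself: confidential clients only, no user, no refresh token.
        if not client["confidential"]:
            return 401, {"error": "unauthorized_client"}
        return _token_response(with_refresh=False)

    if grant == "password":
        # The app collected the user's own credentials and forwards them once; from then
        # on it holds tokens instead of the password. Allowed for public or confidential clients.
        username, password = form.get("username"), form.get("password")
        if not (username and password and _verify_password(username, password)):
            return 400, {"error": "invalid_grant"}
        return _token_response(with_refresh=True)

    return 400, {"error": "unsupported_grant_type"}
```

A confidential client that presents a wrong secret is rejected before any grant logic runs, and a public client asking for client_credentials gets unauthorized_client rather than a token, which is the "only for confidential clients" rule from slide 12 enforced server-side rather than left to documentation.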
  • 14. Redirection-based handshakes
  • 15. Redirection-based handshakes – Why?
    § Avoid the password sharing anti-pattern
    (Diagram: an expense system asks the user for their credit-card account username and password so it can pretend to be the user and pull the online statement. "This seems wrong.")
  • 16. RBH – step 1
    The app redirects the user to the authorization server; the user authenticates locally (if needed) and expresses consent.
  • 17. RBH – step 2
    The authorization server redirects back to the app's callback address; the app receives a temporary code. The user did not share their password with the app.
  • 18. RBH – step 3
    The app presents the temporary code to the authorization server ("I can haz token?") and receives an access token; it then calls the API with the token. The application now accesses data on behalf of the user. "Much better…"
  • 19. E.g. OAuth 2.0 code, implicit
    OAuth 2.0 core specifies two variations on a redirection-based handshake
    1. Authorization code
      – As we just described
    2. Implicit
      – No temporary code
      – App gets token directly through redirect back from authorization server
  • 20. Social Login
    § An application delegates user authentication to a social platform
      – Enhanced user experience
      – Remove burden of managing shared secrets with users
  • 21. Social Login – Step 1
    § User clicks "Login with [Social provider]"
      – Redirected to the social provider's authorization server
    § User authenticated, expresses consent ("Do you authorize app to get basic info about you? Yes [x] No [ ]")
  • 22. Social Login – Step 2
    § User expresses consent
      – Redirected back to the application
      – Application now has an OAuth access token to call the API on behalf of the user
  • 23. Social Login – Step 3
    § App calls [Social provider]'s API
      – user_info endpoint ("Who was this? [access_token]")
      – Discovers identity of user: { 'sub': 'franco', 'email': 'flascelles@gmail.com', … }
      – Attaches it to the session between app and user-agent
  • 24. Social Login -> OpenID Connect
    § In this case, the API provided is there to enable the federated authentication (API Provider -> IdP)
    § This pattern is specified in the OpenID Connect standard
      – Extends OAuth 2.0
      – Describes user_info, ID token based on JWT, …
    § Web-friendly and modern alternative to SAML web browser SSO
      – No SAML, no XML, no XML digital signatures, …
  • 25. Nested handshakes
    § When users interact with an authorization server, they need to be authenticated
    § What happens when the API provider wants to delegate authentication to a social login / OpenID Connect provider? (Login form: Username / Password [Login], or "Log in with [Google] [facebook] […]")
    Step 1: App wants to consume the API on behalf of the user, redirects to the API provider's authorization server to get back an access token
  • 26. Nested handshakes
    Step 2: User redirected to the IdP of choice so that the first authorization server gets an access token from the 2nd authorization server ("Do you authorize app* to get basic info about you? Yes [x] No [ ]")
  • 27. Nested handshakes
    Step 3: User redirected back, their identity now known to the first authorization server, expresses consent ("Do you authorize app* to [scope] on your behalf? Yes [x] No [ ]")
  • 28. Nested handshakes
    Step 4: User redirected back to app. Nested handshakes complete. Two apps, two access tokens
  • 29. Federated handshakes
    § Application already has a 'proof-of-authentication', needs to consume API on behalf of user
      – Login using SAML on a web app
      – OpenID Connect
    § No redirection, no credentials (<saml> or {jwt} in, access token out?)
  • 30. Federated handshakes
    § SAML Bearer Grant
      – urn:ietf:params:oauth:grant-type:saml2-bearer
      – <saml> in, access_token out
    § JWT Bearer Grant
      – urn:ietf:params:oauth:grant-type:jwt-bearer
      – {jwt} in, access_token out
  • 31. Example: Domain of apps sharing an auth context
    § A domain of apps on a mobile device share an auth context
      – OpenID Connect -> JWT
    § Each app gets its own access token
      – urn:ietf:params:oauth:grant-type:jwt-bearer
    § Single sign-on experience
    (Diagram: mobile apps share a group keychain; an OpenID Connect login yields a JWT; each app uses the JWT Bearer Grant against the API provider)
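Slides 30 and 31 describe the JWT bearer grant only as "{jwt} in, access_token out". What the authorization server must check before it hands out that token (who signed the assertion, whom it was meant for, whether it is still fresh, whether it was tampered with) is the whole security of the pattern, so the exchange is shown here as an added example for both slides. It is not the talk's or Layer 7's code. The issuer names, the token endpoint URL, the key and the helper names (make_assertion, forge_subject, exchange_jwt_bearer) are assumptions made for the example. HS256 with a shared key keeps it standard-library only; a deployment like the one on slide 31 would normally use an asymmetric signature (RS256/ES256) so the authorization server holds only the issuer's public key.

```python
"""JWT bearer grant (RFC 7523 style): an app that already holds a signed assertion
about the user trades it for an access token, with no redirection and no password.

Added example, not the talk's or Layer 7's code. Issuer names, endpoint URL and
keys are constructed. HS256 with a shared key keeps it standard-library only;
production deployments normally use an asymmetric key (RS256/ES256).
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.com/oauth/token"   # the value the assertion's 'aud' must carry
# Constructed trust store: issuer -> key used to check the assertion's signature.
TRUSTED_ISSUERS = {"https://idp.example.com": b"constructed-shared-key-for-example-only"}
ISSUED = {}   # access_token -> subject, so callers can see who a token was minted for


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def make_assertion(issuer, subject, key, now, audience=TOKEN_ENDPOINT, lifetime=300):
    """Issuer side: mint a short-lived HS256 JWT naming the user (sub) and the target AS (aud)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_hex(8)}
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_subject(assertion, new_subject):
    """What an attacker without the key can do: rewrite the claims and keep the old signature."""
    h64, c64, s64 = assertion.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["sub"] = new_subject
    return h64 + "." + _segment(claims) + "." + s64


def verify_assertion(assertion, now):
    """AS side. Returns (claims, None) when acceptable, else (None, reason)."""
    try:
        h64, c64, s64 = assertion.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
        return None, "bad_alg"
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return None, "untrusted_issuer"
    expected = hmac.new(key, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad_signature"
    if claims.get("aud") != TOKEN_ENDPOINT:   # an assertion minted for another AS is not ours
        return None, "bad_audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if not claims.get("sub"):
        return None, "no_subject"
    return claims, None


def token_request_body(assertion):
    """The x-www-form-urlencoded body the app POSTs to /token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def exchange_jwt_bearer(body, now):
    """POST /token with grant_type=jwt-bearer. Returns (status, json)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return 400, {"error": "unsupported_grant_type"}
    claims, reason = verify_assertion(form.get("assertion", ""), now)
    if claims is None:
        return 400, {"error": "invalid_grant", "error_description": reason}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = claims["sub"]
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

The audience check is the one most often forgotten: without it, an ID token obtained from the IdP for some other relying party could be replayed against this token endpoint. The same helpers serve the OpenID Connect ID-token validation implied by slide 24, since an ID token is a JWT checked the same way.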
  • 32. Other 'extension' handshakes
    § Challenge-response grant
      – One-time passwords
      – Risk-based, context-based auth
      – Multi-factor
    § [Insert Secret] bearer grant
      – Cookie
      – …
  • 33. Threats and Mitigation
  • 34. Phishing attacks
    § Risk associated with redirection-based handshakes
      – Malicious 'application' pretends to be legitimate
      – Inserts its own endpoint in the callback address
      – Gets token
    § (especially implicit grant)
    Consent screen: "Do you authorize Legitimate app to access API on your behalf? [X] Yes [ ] No" … "Tricked you"
    GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
  • 35. Phishing mitigation 101
    § Register and validate redirection URIs (out-of-band: register Legitimate app with Callback=foo)
    § Strict validation (not partial)
    § Never skip the consent step
    GET /authorize?response_type=token&client_id=legitimate&redirect_uri=[malicious]
      -> Error: Invalid callback ("foiled")
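The three rules on slide 35 are short, but "strict validation (not partial)" is the one that gets implemented wrong, so here is the authorization endpoint from slides 34 and 35 as an added example with both policies side by side. It is not the talk's or Layer 7's code. The registered client "legitimate", the hostnames, the partial_match/strict_match/authorize/after_consent names and the traversal-style malicious URI are constructed for the example.

```python
"""Authorization endpoint with strict redirect_uri validation (slides 34 and 35).

Added example, not the talk's code. The client registry, hostnames and the
'partial_match' policy are constructed to show the bypass the slide warns about.
"""
import secrets
from urllib.parse import parse_qs, urlencode

# Registered out of band when the client was onboarded; the only source of truth for callbacks.
REGISTERED_CALLBACKS = {
    "legitimate": {"https://app.example.com/oauth/callback"},
}


def partial_match(client_id, redirect_uri):
    """The weak policy: accept anything that merely starts with a registered URI."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_CALLBACKS.get(client_id, ()))


def strict_match(client_id, redirect_uri):
    """Exact string comparison against the registered set: no prefixes, no wildcards."""
    return redirect_uri in REGISTERED_CALLBACKS.get(client_id, ())


def authorize(query, match=strict_match):
    """Handle GET /authorize?<query>. Returns a dict describing what the server renders next."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    response_type = params.get("response_type")
    if client_id not in REGISTERED_CALLBACKS:
        return {"action": "show_error", "error": "unknown_client"}
    if not redirect_uri or not match(client_id, redirect_uri):
        # Never redirect here: an error sent to the unvalidated URI would hand the
        # attacker a confirmation channel. Render the error on the AS itself.
        return {"action": "show_error", "error": "invalid_redirect_uri"}
    if response_type not in ("code", "token"):
        return {"action": "redirect",
                "location": redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})}
    # Even with a valid callback the user must see and approve what is being granted.
    return {"action": "show_consent", "client_id": client_id,
            "redirect_uri": redirect_uri, "response_type": response_type}


def after_consent(consent, granted):
    """Build the redirect back to the app once the user has answered the consent prompt."""
    uri = consent["redirect_uri"]
    if not granted:
        return uri + "?" + urlencode({"error": "access_denied"})
    if consent["response_type"] == "code":
        # Authorization code: a short-lived code, later exchanged at /token.
        return uri + "?" + urlencode({"code": secrets.token_urlsafe(24)})
    # Implicit: the access token itself is delivered in the fragment, which is why a
    # phished redirect_uri is most damaging for this response type (slide 34).
    return uri + "#" + urlencode({"access_token": secrets.token_urlsafe(32),
                                  "token_type": "Bearer", "expires_in": 3600})
```

With partial_match, a redirect_uri of https://app.example.com/oauth/callback/../../redirect?to=https://evil.example passes because it starts with the registered value, and a browser following the Location header will normalize the path into whatever open redirector the site has. With strict_match it is rejected, and the rejection is rendered on the authorization server rather than sent anywhere.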
  • 36. Phishing on mobile
    § On the web, the user-agent is responsible for redirecting to the callback address
      – On the web, DNS resolves addresses and HTTPS validates server-side trust
    § With native mobile apps, each app registers its own URL scheme instead
    APPLE: "If more than one third-party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme."
  • 37. Public vs confidential clients
    § It's either confidential, or it isn't
      – Don't 'hide' a secret in an app shipped through a public app store, or render one on a web page
  • 38. Client confidentiality does strengthen security
    § Assigning secrets to clients (when appropriate) adds security
      – E.g. compromised refresh token:
        1. Access tokens and refresh tokens compromised
        2. Exploit stolen token for x minutes
        3. Token expired
        4. Attempt to get a fresh token (using the refresh token)
        5. Authentication required -> foiled
  • 39. Bearer vs MAC tokens
    § Bearer: adoption!
    § MAC
    Tough choice for the app developer
  • 40. Bearer, use responsibly
    § Bearer tokens are easier but need to be used responsibly
      – Exchanged and used over a secure channel
      – Don't log them
      – Forget the original (hash them)
      – No tokens in query strings
      – Don't render them where they can be copied from
      – Store them securely
      – Server-side trust
    (Responsibilities span the app developer, the API publisher and the OAuth server implementation)
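Slide 38's sequence (stolen tokens, a few minutes of abuse, expiry, then a refresh attempt that fails for want of the client secret) and slide 40's "forget the original, hash them" fit naturally into one token store, so both are shown here in a single added example. It is not the talk's or Layer 7's code; the client id and secret, the lifetimes, and the TokenStore/token_for_log names are constructed for the example.

```python
"""Refresh-token handling for a confidential client, with tokens stored only as hashes.

Added example for slides 38 and 40 (a stolen refresh token is useless without the
client secret; the server forgets the original token and keeps a hash).
Not the talk's or Layer 7's code; client id, secret and lifetimes are constructed.
"""
import hashlib
import hmac
import secrets

CLIENT_SECRETS = {"expense-backend": "s3cr3t-backend"}   # constructed confidential client


def token_digest(token):
    """What gets stored: a SHA-256 of the token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_for_log(token):
    """Short, non-reversible reference usable in log lines and support tickets."""
    return "sha256:" + token_digest(token)[:12]


class TokenStore:
    def __init__(self):
        self.access = {}    # sha256(access_token) -> record
        self.refresh = {}   # sha256(refresh_token) -> record

    def issue(self, client_id, subject, now, access_ttl=600):
        """Mint a new pair; the clear-text tokens exist only in the response to the client."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[token_digest(access)] = {"client_id": client_id, "sub": subject, "exp": now + access_ttl}
        self.refresh[token_digest(refresh)] = {"client_id": client_id, "sub": subject}
        return access, refresh

    def introspect(self, access, now):
        """Resource-side check of a bearer access token: the record if valid, else None."""
        rec = self.access.get(token_digest(access))
        if rec is None or rec["exp"] <= now:
            return None
        return rec

    def refresh_grant(self, refresh, client_id, client_secret, now):
        """grant_type=refresh_token. Returns ((access, refresh), None) or (None, error)."""
        expected = CLIENT_SECRETS.get(client_id)
        if expected is None or client_secret is None or \
                not hmac.compare_digest(expected.encode(), client_secret.encode()):
            return None, "invalid_client"          # slide 38, step 5: authentication required
        rec = self.refresh.pop(token_digest(refresh), None)   # single use: rotate on every refresh
        if rec is None or rec["client_id"] != client_id:
            return None, "invalid_grant"
        return self.issue(client_id, rec["sub"], now), None
```

Because the store holds only digests, a database dump or a leaked log containing token_for_log() output gives an attacker nothing to replay; the lookup still works because the server hashes the presented token on every request. For a public client there is no secret to demand at step 5, so the refresh token is the only thing standing between the attacker and a fresh access token; rotation on each use and a short refresh lifetime are then the only mitigations left.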
  • 41. MAC, is it really more secure?
    § Pros
      – Better protected against man-in-the-middle
      – If a request is intercepted, no big deal
    § Cons
      – You have to keep two secrets safe on the server side (per client)
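The "if a request is intercepted, no big deal" claim on slide 41 rests on two properties: the MAC covers the request, so a captured signature cannot be moved to a different method or URI, and a nonce plus timestamp stop the captured request from being replayed as-is. The following added example demonstrates both. It is modelled loosely on the draft OAuth 2.0 HTTP MAC scheme the slides refer to but is a simplified illustration, not a conformant implementation, and is not the talk's or Layer 7's code. The token id, the key, the hostnames and the sign_request/MacVerifier names are constructed.

```python
"""MAC-style access token: each request carries an HMAC over its own method, URI,
host, timestamp and nonce, so a captured request is neither replayable nor editable.

Added example modelled loosely on the draft OAuth 2.0 HTTP MAC scheme; a simplified
illustration, not a conformant implementation, and not the talk's or Layer 7's code.
Token id, key and hostnames are constructed.
"""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed: the AS returned this key alongside the token id; the resource server knows both
# (the "two secrets per client" the slide counts as a con: the bearer-like id and the MAC key).
MAC_CREDENTIALS = {"h480djs93hd8": b"constructed-mac-key-for-example-only"}


def normalized_request(ts, nonce, method, uri, host, port):
    """The exact bytes both sides sign. Any change to any field changes the MAC."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""])


def sign_request(token_id, key, method, uri, host, port, ts, nonce=None):
    """Client side: produce the Authorization header for one request."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, normalized_request(ts, nonce, method, uri, host, port).encode(),
                   hashlib.sha256).digest()
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (
        token_id, ts, nonce, base64.b64encode(mac).decode())


class MacVerifier:
    """Resource-server side. Keeps recently seen nonces so a replayed header is rejected."""

    def __init__(self, window=300):
        self.window = window   # seconds of clock skew tolerated; also bounds the nonce cache
        self.seen = {}         # (token_id, nonce) -> ts

    def verify(self, auth_header, method, uri, host, port, now):
        """Returns (True, None) or (False, reason)."""
        if not auth_header or not auth_header.startswith("MAC "):
            return False, "not_mac"
        params = dict(re.findall(r'(\w+)="([^"]*)"', auth_header[4:]))
        if not {"id", "ts", "nonce", "mac"} <= set(params) or not params["ts"].isdigit():
            return False, "malformed"
        key = MAC_CREDENTIALS.get(params["id"])
        if key is None:
            return False, "unknown_token"
        ts = int(params["ts"])
        if abs(now - ts) > self.window:
            return False, "stale"
        # Forget nonces that are outside the window anyway, then look for a replay inside it.
        self.seen = {k: v for k, v in self.seen.items() if abs(now - v) <= self.window}
        if (params["id"], params["nonce"]) in self.seen:
            return False, "replay"
        expected = hmac.new(key, normalized_request(ts, params["nonce"], method, uri, host, port).encode(),
                            hashlib.sha256).digest()
        try:
            presented = base64.b64decode(params["mac"], validate=True)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(expected, presented):
            return False, "bad_mac"       # tampered request, or a stolen id presented without its key
        self.seen[(params["id"], params["nonce"])] = ts
        return True, None
```

The request body is deliberately not covered here, as in the draft's basic form; if an API accepts state-changing bodies, the MAC has to cover a hash of the body too, or an interceptor can keep the signed header and swap the payload. That is the usual source of the "is it really more secure?" debate on the slide.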
  • 42. Managing API Security
    Integrate: Authorization Server, Policy Enforcement Point, Resource Server, ALFW, …
    Protect
    Configure, not code
    Extend framework to client app
    Decouple: Web SSO, Analytics, Dev/User Portal, …
  • 43. Thank you. QCon SF 2013. Francois Lascelles, Chief Architect, Layer 7 Technologies
  • 44. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/api-security-federation-patterns