"10 steps to build token based API Security" is a presentation about building robust token systems for protecting APIs. This was presented as part of Index Conference.

1. Ten steps for
Token based API Security
Senthilkumar Gopal

2. @sengopal | IndexConf2018
ACME Fort Knox Web Application
Browser
Traffic Limiter
Bot Check
CSRF
INPUT
SANITIZER
MODEL
TRANSFORM
APPLICATION
LOGIC

3. @sengopal | IndexConf2018
A Hero’s (‘real’) story
Expose APIs
for 3rd Parties

4. @sengopal | IndexConf2018
ACME (Not) Fort Knox Web Application
API Server
Browser Traffic
Limiter
Bot Check
CSRF
Input
Sanitizer
Model
Transform
Application
Logic
CRUD
Operations

5. @sengopal | IndexConf2018

6. @sengopal | IndexConf2018
A Hero’s (‘real’) story

7. @sengopal | IndexConf2018
Web Application vs. APIs
“But no one else
knew about the
API server
“

8. @sengopal | IndexConf2018
First Principles
APIs are …
Intended to serve
machines instead of
real users
Closer to Object
Data Model

9. @sengopal | IndexConf2018
Example of Web Application vs. APIs

10. @sengopal | IndexConf2018
Example of Web Application vs. APIs
https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples

11. @sengopal | IndexConf2018
I need an
‘expert’

12. @sengopal | IndexConf2018
Delegated Authentication
Delegated Authorization
Client Revocability
User Control
Code @ http://bit.ly/ebay-oauth
How to protect them?
By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066

13. STEP 1
Embrace the standards

14. @sengopal | IndexConf2018
Typical API Security Workflow
ResourceAuthentication
Authorization
Rate Limiting
Proxy Resource Cache
Request

15. @sengopal | IndexConf2018
Why “Authentication" is important?
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid
recipient, Permission permission);
Authorization
Rate Limiting
fs.setPath(“/hi")
.requestRateLimiter(RedisRateLimiter.args(2, 4))
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

16. STEP 2
Maintain an extensible token
architecture

17. @sengopal | IndexConf2018
“If you decide to go and
create your own token
system,
you had best be really
smart.”
- Stack Overflow
source

18. @sengopal | IndexConf2018
What is a token?
“A token is a piece of data which only a
specific authentication server could possibly
have created & contains enough information
to identify a particular entity/entities. They
are created using various techniques from
the field of cryptography.”

19. @sengopal | IndexConf2018
“A token is a piece of data which only a
specific authentication server could possibly
have created & contains enough information
to identify a particular entity/entities. They
are created using various techniques from
the field of cryptography.”
What is a token?

20. @sengopal | IndexConf2018
Entities
User
Entity
Application
Entity

21. @sengopal | IndexConf2018
“A token is a piece of data which only a
specific authentication server could possibly
have created & contains enough information
to identify a particular entity/entities. They
are created using various techniques from
the field of cryptography.”
What is a token?

22. @sengopal | IndexConf2018
Cryptography 101
server
private
e32d140bc54d
public
client

23. STEP 3
Learn the nuances of
Cryptography

24. @sengopal | IndexConf2018
“A token is a piece of data which only a
specific authentication server could
possibly have created & contains enough
data to identify a particular entity. They are
created using various techniques from the
field of cryptography.”
What is a token?

25. @sengopal | IndexConf2018
Life Cycle Structure
Authentication Server - a time tested strategy
Photo by Patrick Lindenberg on Unsplash
Persistence

26. @sengopal | IndexConf2018
Life Cycle Structure
Authentication Server - a time tested strategy
Photo by Patrick Lindenberg on Unsplash
Persistence

27. @sengopal | IndexConf2018
LifeCycle - Application
Registered
App
Developer
Active
Blocked
Retired
Generate
tokens

28. @sengopal | IndexConf2018
LifeCycle - Tokens
User
Consent
App
Developer
Refresh
Token
Access
token
Resource
API
Access Token
Consent
Revoked
Tokens
Revoked

29. @sengopal | IndexConf2018
Fitting it all together
Resource
/cart
client
OAuth
/token
Access Token
Access-token
Secure
Token
Server
Access Token
auth
Access-token

30. @sengopal | IndexConf2018
LifeCycle - Purpose
Refresh Token Access Token
To Generate
new Access Token
To Access
protected Resource
Long Lived Short Lived

31. STEP 4
Learn Live the nomenclature

32. @sengopal | IndexConf2018
Life Cycle Structure
Authentication Server - a time tested strategy
Photo by Patrick Lindenberg on Unsplash
Persistence

33. @sengopal | IndexConf2018
Structure
ebay
AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA
2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs
ya29.GltiBRICgroWhf0XJ-
e4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v
google
facebook
EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8Ehr
AD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
https://developers.google.com/oauthplaygroundhttps://developers.facebook.com/tools/explorer/
* Tokens edited for brewity

34. @sengopal | IndexConf2018
Structure
https://developers.google.com/oauthplaygroundhttps://developers.facebook.com/tools/explorer/
JWT
Are there any
standards?
Is it just a
random string?
SAML

35. @sengopal | IndexConf2018
Structure - JWT
https://jwt.io/

36. STEP 5
Choose the token format wisely
(standards)

37. @sengopal | IndexConf2018
Structure - JWT
https://jwt.io/
What goes in
the claim?

38. @sengopal | IndexConf2018
Structure - What goes in the claim?
Resource
/cart
client
OAuth
/token
Access Token
Access-token
Secure Token
Server
Access Token
auth
Access-token
Everything!

39. @sengopal | IndexConf2018
Structure - Why everything?
User entity
App entity
issuer
issueAt
Photo by Jennifer Pallian on Unsplash
Service
APIs
tokens
Web
Apps
cookies
IS
SAME
AS
expiresAt
deviceIdentifier
trackingId
…

40. @sengopal | IndexConf2018
Structure - Versioning
User entity
App entity
issuer
issueAt
version
expiresAt
deviceIdentifier
trackingId
…
We add new attributes everyday.
Versioning
v1, v1.1, v1.2, v1.3, v2.0, ….

41. STEP 6
Capture every identifier
possible and use versions

42. @sengopal | IndexConf2018
Master!
Am I ready
yet ?
No!
One more
important
step
Photo by DeviantArt

43. @sengopal | IndexConf2018
Life Cycle Structure
Authentication Server - a time tested strategy
Photo by Patrick Lindenberg on Unsplash
Persistence

44. @sengopal | IndexConf2018
Security
Photo by Samuel Zeller on Unsplash
Integrity Verified
{
"sub": "110169484474386276334",
"name": "John Doe",
"iss": "https://www.ebay.com",
"iat": "1433978353",
"exp": "1433981953",
"email": "testuser@gmail.com",
"email_verified": "true",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
JWT - Claim
Missing
Confidentiality
Revocation

45. @sengopal | IndexConf2018
Security
By Reference
{
"sub": "110169484474386276334",
"name": "John Doe",
"iss": "https://www.ebay.com",
"iat": "1433978353",
"exp": "1433981953",
"email": "testuser@gmail.com",
"email_verified": "true",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
By Value
{
“ref”:”
AgAAAA**AQAAAA**aAAAAA**E6+EWg*
*nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6
wMkIGkCJCGoA2dj6x9nY+seQ+/
5wK1dskM5/3EOEY7BDg7VHK/
CmDimCvVPbtJankHhzJUF8rU876Qzjs
”
}

46. @sengopal | IndexConf2018
Security
Integrity Verified Integrity Verified
Confidential
Custom format *
Persisted
By ReferenceBy Value

47. @sengopal | IndexConf2018
Fitting them together
Resource
/cart
client
OAuth
/token
Access Token
Access-token
Secure Token
Server
Access Token
auth
Access-token
RDBMS
AUDIT
async
App Metadata
Server

48. @sengopal | IndexConf2018
Persistence - Considerations
Atomic & Strong Consistency
New Token Generation of new token
Token Revocation *

49. @sengopal | IndexConf2018
Persistence - Considerations
Eventually Consistent
User - token Association
Cache duplication

50. STEP 7
Identify transactional needs

51. @sengopal | IndexConf2018
Performance
“Premature optimization
is the root of all evil”
- Donald Knuth
Identify Hot spots
Caching in Couchbase

52. @sengopal | IndexConf2018
Fitting them together
Resource
/cart
client
OAuth
/token
Access Token
Access-token
Secure Token
Server
Access Token
auth
Access-token
RDBMS
CACHE
AUDIT
async
App Metadata
Server

53. STEP 8
Use caching to get optimal
performance

54. @sengopal | IndexConf2018
OWASP
Open Web Application Security Project
A2 – Broken Authentication and Session Management
A10 – Underprotected APIs
Reference

55. @sengopal | IndexConf2018
Fitting them together
Resource
/cart
client
OAuth
/token
Access Token
Access-token
Secure Token
Server
Access Token
auth
Access-token
RDBMS
CACHE
AUDIT
async
User
&
Risk
Systems
App Metadata
Server

56. STEP 9
Audit all access patterns

57. @sengopal | IndexConf2018
Managing the whole show
Application Lifecycle
Token lifecycle
Cryptography artifacts rotation
Authorizations registry
….

58. STEP 10
Automate Everything

59. @sengopal | IndexConf2018
And the 10 steps are ….
Embrace the standards
Extensible token architecture
Nuances of Cryptography
Learn the nomenclature
Correct token format
All identifiers & versioning
Identify transactional needs
Use caching
Audit all access patterns
Automate Everything

60. Thank You!
http://sengopal.me
Tweets @sengopal
Experimental Code @ http://bit.ly/ebay-oauth