![Page 1: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/1.jpg)
Introduction to API security with OAUTH 2.0
Kevin Johnson
![Page 2: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/2.jpg)
Basics
![Page 3: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/3.jpg)
Authentication -> ID card
Authentication
![Page 4: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/4.jpg)
Authorization -> Driver’s Licence
Delegated Authorization
Authorization
![Page 5: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/5.jpg)
OAUTH Flows: Four Primary Grant Types
- Authorization Code Grant
- Implicit Grant for Browser-Based Client-Side Applications
- Resource Owner Password-Based Grant
- Client Credentials Grant
![Page 6: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/6.jpg)
Registration Of Client App
App Specific Info: Redirect URI, client_id, client_secret
Authorization Server Specific Info: Authorization Endpoint, Token Endpoint
![Page 7: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/7.jpg)
Authorization Code Grant
![Page 8: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/8.jpg)
(diagram labels: Consent Form, Credentials)
![Page 9: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/9.jpg)
Authorization Code Grant: Actors
![Page 10: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/10.jpg)
Authorization Code Grant: Moving Parts
![Page 11: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/11.jpg)
(diagram labels: Consent Form, Credentials)
Authorization Code Grant: Step 1
![Page 12: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/12.jpg)
![Page 13: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/13.jpg)
![Page 14: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/14.jpg)
![Page 15: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/15.jpg)
Authorization Server: 3 Components
1. Authentication Component
• Identity Provider (LDAP, Active Directory)
2. Consent Component
• Consent Server
3. Token Infrastructure Provider
• Token Values: Access Token, Refresh Token
• Token Attributes: when created?, valid?, revoked?
![Page 16: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/16.jpg)
(diagram labels: Consent Form, Credentials)
Authorization Code Grant: Step 1
![Page 17: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/17.jpg)
(diagram labels: Consent Form, Credentials)
![Page 18: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/18.jpg)
Authorization Code Grant: Step 2
![Page 19: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/19.jpg)
Authorization Code:
Auth Endpoint
![Page 20: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/20.jpg)
Authorization Code:
Auth Endpoint
HTTP GET Request
GET /authorize?response_type=code&client_id=123456789&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&scope=followers%20tweet_feed&state=aFodshfj(klMN HTTP/1.1
Host: server.oauth_provider.com
![Page 21: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/21.jpg)
Authorization Code:
Redirect Endpoint
HTTP Response
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxrhJY654090l&state=aFodshfj(klMN
![Page 22: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/22.jpg)
Authorization Code: Token Endpoint
![Page 23: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/23.jpg)
Authorization Code:
Token Endpoint
HTTP POST Request
POST /token HTTP/1.1
Host: server.oauth_provider.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxrhJY654090l&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
![Page 24: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/24.jpg)
Authorization Code:
Token Endpoint
NOT RECOMMENDED: client_id and client_secret sent in the request body instead of the Authorization header
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
![Page 25: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/25.jpg)
Authorization Code:
Token Endpoint
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}
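The three exchanges above (the /authorize request carrying a state value, the 302 back to the redirect URI with the code, and the POST to the token endpoint authenticated with a Basic header) fit together as one flow. The following is an added Python simulation of both the client and the authorization server, not code from the slides; the CLIENTS registration, the in-memory code and token stores, and the TTL values are constructed. The client secret gX1fBat3bV is chosen so that the Basic header matches the one on the slide, and each issued token carries the created/valid/revoked attributes listed under Token Infrastructure Provider.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (hypothetical). The id/secret pair is what the
# slide's "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" header encodes.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV",
                   "redirect_uri": "https://client.example.com/cb"},
}
CODE_TTL = 60        # authorization codes live for seconds, not hours
ACCESS_TTL = 3600    # expires_in on the slide

# Token infrastructure: each record keeps the attributes the slides list
# (when created, valid until, revoked) so the server can answer "is it valid?".
_codes = {}
_tokens = {}


def build_authorize_url(client_id, redirect_uri, scope):
    """Client, step 1: build the /authorize request and keep the state for later."""
    state = secrets.token_urlsafe(16)  # unguessable and bound to this user session
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"https://server.oauth_provider.com/authorize?{query}", state


def authorize(url, user_consented=True):
    """Authorization server, step 1: after login and consent, redirect back with a code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    # Exact match against the registered redirect_uri; on mismatch do not redirect at all.
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        return "error=invalid_request"
    if not user_consented:
        return f"{client['redirect_uri']}?{urlencode({'error': 'access_denied', 'state': q['state']})}"
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                    "scope": q["scope"], "created": time.time(), "used": False}
    return f"{client['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"


def handle_callback(redirect_url, expected_state):
    """Client, step 2: refuse any code whose state is not the one this session sent."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: response was not requested by this session")
    if "error" in q:
        raise ValueError(q["error"])
    return q["code"]


def basic_auth_header(client_id, client_secret):
    """Client credentials go in the Authorization header, not the form body."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def token_endpoint(authorization_header, form, now=None):
    """Authorization server, step 2: authenticate the client, then redeem the code."""
    now = now or time.time()
    try:
        scheme, blob = authorization_header.split(" ", 1)
        client_id, secret = base64.b64decode(blob).decode().split(":", 1)
    except (ValueError, TypeError):
        return {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    if scheme != "Basic" or client is None or not hmac.compare_digest(
            secret.encode(), client["secret"].encode()):
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    rec = _codes.get(form.get("code"))
    # The code must exist, be unused and unexpired, and be bound to this client and redirect_uri.
    if (rec is None or rec["used"] or now - rec["created"] > CODE_TTL
            or rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    rec["used"] = True  # single use: a replayed code is rejected
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    _tokens[access] = {"client_id": client_id, "scope": rec["scope"], "created": now,
                       "expires": now + ACCESS_TTL, "revoked": False}
    return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
            "refresh_token": refresh, "scope": rec["scope"]}


def run_flow():
    """Drive the flow end to end; returns the code used and the token response."""
    url, state = build_authorize_url("s6BhdRkqt3", "https://client.example.com/cb",
                                     "followers tweet_feed")
    code = handle_callback(authorize(url), state)
    response = token_endpoint(basic_auth_header("s6BhdRkqt3", "gX1fBat3bV"),
                              {"grant_type": "authorization_code", "code": code,
                               "redirect_uri": "https://client.example.com/cb"})
    return code, response


if __name__ == "__main__":
    print(run_flow())
```

Running the file prints one successful token response. The checks worth noting are the ones the slides' raw HTTP does not show: the state comparison on the callback, the exact redirect_uri match, the single-use and short lifetime of the code, and client authentication happening before the code is even looked up.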
![Page 26: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/26.jpg)
Authorization Code Grant: Step 2
![Page 27: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/27.jpg)
(diagram labels: Consent Form, Credentials)
![Page 28: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/28.jpg)
Authorization Code Grant: Step 3
![Page 29: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/29.jpg)
Authorization Code Grant: Step 3
![Page 30: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/30.jpg)
Authorization Code: Resource Server API Call
HTTP GET Request: Bearer Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer mF_9.B5f-4.1JqM
![Page 31: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/31.jpg)
Authorization Code: Resource Server API Call
HTTP GET Request: MAC Token
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8",nonce="274312:dj83hs9s",mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
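The two API calls above differ in what the resource server can actually verify: a bearer token proves only that the caller holds the string, while a MAC header carries an HMAC computed with a key that never leaves the client, bound to the nonce, method, URI and host of this one request. This is also the point of the later "Bearer Tokens: don't put your eggs in one basket" slide. The following is an added Python illustration of both checks on the resource-server side, not code from the slides or from the OAuth MAC draft; the token records, the MAC key, the normalized-request format and the nonce skew window are constructed simplifications, with the nonce shaped as timestamp:random like the slide's example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed token records (hypothetical). A bearer token is only a lookup key;
# a MAC credential pairs an id with a secret key that is never sent on the wire.
BEARER_TOKENS = {
    "mF_9.B5f-4.1JqM": {"scope": {"read"}, "expires": time.time() + 3600, "revoked": False},
}
MAC_KEYS = {
    "h480djs93hd8": b"constructed-mac-key-kept-on-both-sides-only",
}
_seen_nonces = set()   # replay detection for MAC requests
NONCE_SKEW = 300       # seconds a nonce timestamp may differ from server time


def verify_bearer(authorization_header, required_scope, now=None):
    """Resource server check for 'Authorization: Bearer <token>'."""
    now = now or time.time()
    scheme, _, token = authorization_header.partition(" ")
    rec = BEARER_TOKENS.get(token)
    if scheme != "Bearer" or rec is None or rec["revoked"] or rec["expires"] < now:
        return False
    # Only possession is checked: whoever captured the token passes this test.
    return required_scope in rec["scope"]


def _normalized_request(nonce, method, uri, host):
    # Simplified MAC input: the fields that tie the signature to one request.
    return "\n".join([nonce, method.upper(), uri, host, ""]).encode()


def sign_request(mac_id, method, uri, host, now=None):
    """Client side: build the MAC header; the key itself is not transmitted."""
    ts = int(now or time.time())
    nonce = f"{ts}:{secrets.token_hex(4)}"
    digest = hmac.new(MAC_KEYS[mac_id], _normalized_request(nonce, method, uri, host),
                      hashlib.sha256).digest()
    return f'MAC id="{mac_id}",nonce="{nonce}",mac="{base64.b64encode(digest).decode()}"'


def _parse_mac_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


def verify_mac(authorization_header, method, uri, host, now=None):
    """Resource server check: recompute the HMAC over this request and reject replays."""
    now = now or time.time()
    p = _parse_mac_header(authorization_header)
    if not p or p.get("id") not in MAC_KEYS:
        return False
    try:
        ts = int(p["nonce"].split(":", 1)[0])
        given = base64.b64decode(p.get("mac", ""))
    except (KeyError, ValueError):
        return False
    # Stale timestamp or an already-seen nonce means a replayed request.
    if abs(now - ts) > NONCE_SKEW or p["nonce"] in _seen_nonces:
        return False
    expected = hmac.new(MAC_KEYS[p["id"]], _normalized_request(p["nonce"], method, uri, host),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False
    _seen_nonces.add(p["nonce"])
    return True


if __name__ == "__main__":
    print(verify_bearer("Bearer mF_9.B5f-4.1JqM", "read"))
    hdr = sign_request("h480djs93hd8", "GET", "/resource/1", "example.com")
    print(hdr, verify_mac(hdr, "GET", "/resource/1", "example.com"))
```

The contrast shows up when a header is reused: the bearer check accepts the same token on any request until it expires or is revoked, whereas the MAC check rejects the same header a second time (nonce already seen) and rejects it outright on a different URI, because the signature no longer matches the normalized request.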
![Page 32: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/32.jpg)
Authorization Code Grant: Step 3
![Page 33: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/33.jpg)
Basics: Implicit Grant Type
![Page 34: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/34.jpg)
(diagram labels: Consent Form, Credentials)
![Page 35: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/35.jpg)
Implicit Grant:
GET Request for auth token
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
![Page 36: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/36.jpg)
Implicit Grant:
Response to GET Request for auth token (token returned in the URL fragment)
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600
![Page 37: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/37.jpg)
Criticism
![Page 38: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/38.jpg)
Criticism: Lack Of Interoperability
- Many Optional Components
- Partially/Fully Undefined Components: Client Registration, Authorization Server Capabilities, Endpoint Discovery
"Future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability."
![Page 39: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/39.jpg)
Framework <-> Protocol
![Page 40: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/40.jpg)
![Page 41: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/41.jpg)
![Page 42: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/42.jpg)
![Page 43: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/43.jpg)
Outdated
Designed for 2006: Hosted Applications Centric
Today: mobile, native, JS
![Page 44: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/44.jpg)
Bearer Tokens
Don’t put your eggs in one basket
Defense in Depth is the humble realization that, of all the security measures you implement, a few will fail because of your own stupidity. It’s good to have a few backups, just in case.
![Page 45: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/45.jpg)
Alternative
![Page 46: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/46.jpg)
Oz
Three JS Modules:
Iron: takes a JavaScript object and turns it into a verifiable encoded blob.
Hawk: a client-server authentication protocol providing a rich set of features for a wide range of security needs.
Oz: leverages the other two.
![Page 47: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/47.jpg)
Oz
Builds on top of experience of Oauth 1.0/2.0
Highly Opinionated Decisions
Client Side Cryptography: Hawk
![Page 48: Intro to API Security with Oauth 2.0](https://reader030.vdocument.in/reader030/viewer/2022021502/588687911a28abf6158b4a6b/html5/thumbnails/48.jpg)
Functional Imperative
functionalimperative.com
(647) 405-8994
@func_i