Securing RESTful APIs using OAuth 2 and OpenID Connect
DESCRIPTION
Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps & requests; OAuth 2 provides us with a secure and open way of doing just this. In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring architectural decisions in choosing REST standard variations and implementations of OAuth 2.
TRANSCRIPT
![Page 1: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/1.jpg)
Securing RESTful APIs Using OAuth 2 and OpenID Connect
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer Evangelism at PayPal
Why do we Need This?
Poor Password Choices
• 4.7% of users have the password `password`
• 8.5% have the password `password` or `123456`
• 9.8% have the password `password`, `123456` or `12345678`
• 14% have a password from the top 10 passwords
• 40% have a password from the top 100 passwords
• 79% have a password from the top 500 passwords
• 91% have a password from the top 1000 passwords
…And of What’s Left
1. Pet’s name
2. Significant dates (like a wedding anniversary)
3. Date of birth of close relation
4. Child’s name
5. Other family member’s name
6. Place of birth
7. Favorite holiday
8. Something related to favorite football team
9. Current partner’s name
Handing Over Account Passwords
Malicious Applications
Aspects of Revocation
App Revoked by User
App Revoked by Service Provider
Path to the Standard
Username & Password to Auth
Rise of the Token
Two Widely Used Specifications
REST Request Components
How Requests are Made
```bash
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
```
How Auth is Added in
```bash
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {accessToken}" \
  -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
```
Attack Vectors
Man in the Middle
Replay Attacks
Cross-Site Request Forgery (CSRF)
![Page 17: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/17.jpg)
Adding in the Auth
![Page 18: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/18.jpg)
Reasons for Auth
• Rate Limiting and Attack Vector Protection
• Having the ability to revoke application access
• Needing to allow users to revoke an application's access to their data
![Page 19: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/19.jpg)
When You Need Access Security
![Page 20: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/20.jpg)
User Login (authentication)
User Involvement (authorization)
Application Only (monitoring)
Practical Implementation
Redirect the User to Log In
1. Prepare the Redirect URI → Authorization Endpoint. Parameters: client_id, response_type (token), scope, redirect_uri.
2. Browser Redirect → Redirect URI.
Fetching the Access Token
1. Fetch the Access Token → Access Token Endpoint. Parameters: client_id, client_secret, grant_type, code.
2. HTTP POST → Access Token Endpoint.
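The two slides above describe the redirect-based flow from the client's side. The following is an added example, not code from the talk or from PayPal: it builds the authorization redirect, handles the browser coming back, and POSTs the token request, with an in-process stand-in for the authorization server so it runs offline. All endpoints, client credentials and the scope value are constructed placeholders. Two points go beyond the slides and are standard OAuth 2 practice: the client sends a random `state` value and checks it on return (the defence against CSRF on the redirect URI named in the attack-vector slide), and the stand-in server accepts each authorization code only once. The example uses `response_type=code` so that the code-for-token exchange on the second slide applies.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and credentials standing in for a real provider (constructed).
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "app-client-id-placeholder"
CLIENT_SECRET = "app-client-secret-placeholder"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorization_url(state, scope="payments"):
    """Step 1: build the redirect to the authorization endpoint.

    `state` is a random, per-login value the client stores before redirecting and
    checks when the browser comes back (RFC 6749, section 10.12).
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Browser redirect back to the client: extract the code, refusing a bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code):
    """Step 2: the HTTP POST the client sends to the access token endpoint."""
    return {
        "url": TOKEN_ENDPOINT,
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "redirect_uri": REDIRECT_URI,
        },
    }


def bearer_header(token_response):
    """Step 3: token_type and access_token become the Authorization header."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}


class FakeAuthorizationServer:
    """In-process stand-in for the provider so the flow runs offline (constructed)."""

    def __init__(self):
        self._pending_codes = {}

    def authorize(self, authorization_url):
        # The user logs in and approves the app; the server issues a one-time code
        # and redirects the browser back, echoing the client's state unchanged.
        query = parse_qs(urlparse(authorization_url).query)
        code = secrets.token_urlsafe(16)
        self._pending_codes[code] = (query["client_id"][0], query["redirect_uri"][0])
        return query["redirect_uri"][0] + "?" + urlencode({"code": code, "state": query["state"][0]})

    def token(self, form):
        # pop() makes the code single-use, so a replayed token request is refused.
        issued_to = self._pending_codes.pop(form.get("code"), None)
        if issued_to != (form.get("client_id"), form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        if form.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        return {
            "access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "expires_in": 28800,
            "scope": "payments",
        }


def run_flow(server):
    """Drive the three steps end to end and return the header for resource requests."""
    state = secrets.token_urlsafe(16)
    callback_url = server.authorize(build_authorization_url(state))
    code = parse_callback(callback_url, state)
    token_response = server.token(build_token_request(code)["body"])
    if "error" in token_response:
        raise RuntimeError(token_response["error"])
    return bearer_header(token_response)


if __name__ == "__main__":
    print(run_flow(FakeAuthorizationServer()))
```

The `state` value must be unpredictable and bound to the user's session (a session cookie or server-side store), otherwise the check adds nothing; `secrets.token_urlsafe` provides the unpredictability here.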
Fetching the Access Token
```bash
curl https://api.sandbox.paypal.com/v1/oauth2/token \
  -H "Accept: application/json" \
  -H "Accept-Language: en_US" \
  -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" \
  -d "grant_type=client_credentials"
```
Access Token Response
```json
{
  "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card",
  "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
  "token_type": "Bearer",
  "app_id": "APP-6XR95014SS315863X",
  "expires_in": 28800
}
```
Using the Access Token
1. Fetch Privileged Resources → Resource Endpoint. Sent in the Authorization header: Token Type, Access Token.
2. HTTP GET / PUT / POST / DELETE → Resource Endpoint.
Using the Access Token
```bash
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer EMxItHE7Zl4cMdkv…" \
  -d "{...}"
```
Maintaining SDK Consistency
![Page 29: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/29.jpg)
Defining APIs with WADL / WSDL
![Page 30: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/30.jpg)
<?xml version="1.0" encoding="UTF-8"?><description xmlns="http://www.w3.org/ns/wsdl" ...> <types> … </types> <interface name="Interface1"> … </interface> <binding name="HttpBinding" interface="tns:Interface1”> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" …> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service></description>
![Page 31: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/31.jpg)
<?xml version="1.0"?> <application xmlns:xsi=…> <grammars> <include href="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
![Page 32: Securing RESTful APIs using OAuth 2 and OpenID Connect](https://reader034.vdocument.in/reader034/viewer/2022052618/54c843e34a795985748b4605/html5/thumbnails/32.jpg)
Building SDKs Automatically
• Genio (templates): https://github.com/paypal/genio
• Genio Parser (model builder): https://github.com/paypal/genio-parser
• Genio Samples: https://github.com/paypal/genio-sample
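The "model builder" step of generating SDKs from a contract is the part worth seeing in code: read the WADL, turn each method into an operation record, and let the generated client validate calls against that record. The following is an added example, not Genio's parser or any code from the talk; the sample WADL is a constructed adaptation of the slide's (the WADL 2009 default namespace is added and the `ya:Error` element is dropped so it parses stand-alone), and `prepare_call` stands in for what a templated SDK method would do before sending a request.

```python
import xml.etree.ElementTree as ET

WADL_NS = "http://wadl.dev.java.net/2009/02"  # the WADL 2009 namespace

# Constructed sample adapted from the slide's WADL.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
    <resource path="newsSearch">
      <method name="GET" id="search">
        <request>
          <param name="appid" type="xsd:string" required="true"/>
          <param name="query" type="xsd:string" required="true"/>
          <param name="results" type="xsd:int" required="false"/>
        </request>
        <response status="400">
          <representation mediaType="application/xml"/>
        </response>
      </method>
    </resource>
  </resources>
</application>
"""


def _tag(name):
    return "{%s}%s" % (WADL_NS, name)


def parse_wadl(xml_text):
    """Build the list of operation records a generator would template SDK methods from."""
    root = ET.fromstring(xml_text)
    operations = []
    for resources in root.iter(_tag("resources")):
        base = resources.get("base", "").rstrip("/")
        for resource in resources.findall(_tag("resource")):
            url = base + "/" + resource.get("path", "").lstrip("/")
            for method in resource.findall(_tag("method")):
                params = [
                    {
                        "name": p.get("name"),
                        "type": p.get("type"),
                        "required": p.get("required") == "true",
                    }
                    for p in method.iterfind(_tag("request") + "/" + _tag("param"))
                ]
                error_statuses = sorted(
                    int(r.get("status")) for r in method.findall(_tag("response")) if r.get("status")
                )
                operations.append({
                    "id": method.get("id"),
                    "http_method": method.get("name"),
                    "url": url,
                    "params": params,
                    "error_statuses": error_statuses,
                })
    return operations


def prepare_call(operation, **arguments):
    """What a generated SDK method does before sending: reject unknown and missing parameters.

    Validating against the contract on the client keeps every generated SDK
    consistent and stops malformed requests before they reach the API.
    """
    known = {p["name"] for p in operation["params"]}
    unknown = sorted(set(arguments) - known)
    if unknown:
        raise TypeError("unknown parameters: " + ", ".join(unknown))
    missing = [p["name"] for p in operation["params"] if p["required"] and p["name"] not in arguments]
    if missing:
        raise TypeError("missing required parameters: " + ", ".join(missing))
    return operation["http_method"], operation["url"], dict(arguments)


if __name__ == "__main__":
    for op in parse_wadl(SAMPLE_WADL):
        print(op["id"], op["http_method"], op["url"], [p["name"] for p in op["params"]])
```

A generator fed this model emits one method per operation record; because the parameter list and the required flags come from the contract, every language's SDK enforces the same rules without hand-written checks drifting apart.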
Final Considerations
• REST and OAuth are specifications, not religions
• Don’t alienate your developers with security
• Open source is your friend
Thank You! Questions?
http://slideshare.net/jcleblanc
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer Evangelism at PayPal