understanding identity in the world of web apis – ronnie mitra, api architect, layer 7 talk from...
DESCRIPTION
Web-based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs has introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and OpenID Connect).
TRANSCRIPT
Understanding Identity in the World of Web APIs
Ronnie Mitra
Principal API Architect - Europe
Layer 7 API Academy
API Management
virtual cloud on-premise
Connecting things
Connecting computer programs
… over the web
2000 – eBay
2000 – Salesforce
2006 – Amazon Web Services
Twilio or Stripe
2007 – Twilio
Web APIs
Language Independent
APIs are constrained by the syntax of the web
Most API Design principles can be applied
Some design principles are unique to Web APIs
Web APIs
HTTP
Network Based APIs
HTTP
CoAP MQTT
WebSocket ?
Tunnel Style
URI Style
Hypermedia Style
Event Driven Style
Tunnel Style Example: SOAP
• transport agnostic
• operation based
• binding documents (WSDL)
Tunnel Style
<RetrieveStudentRecords> <StudentId>1213</StudentId> </RetrieveStudentRecords>
URI Style
GET PUT
POST DELETE
+ URI
URI Style
GET /students/1232
Hypermedia Style
Hypermedia Style
• links
• templated input (forms)
• task based
{
  "links": [ {"href": "…", "rel": "list"}, {"href": "…", "rel": "add"} ],
  "collection": [
    { "link": {"rel": "complete", "href": "…"}, "id": 42, "text": "Record 42" }
  ]
}
Event Driven Style Example: WebSockets
• event based communication
• server initiated events
• full-duplex (websocket)
Ronnie,Mitra,UK
Tunnel Style: Established mechanisms, tools and frameworks
URI Style: HTTP and URI security mechanisms
Hypermedia Style: Similar to URI style, new challenges with links
Event Driven Style: Starts in HTTP, need visibility in new protocol
Private/Partner or Closed APIs
Acme Corp. API
Acme Corp. App
Public or Open APIs
Acme Corp. API
Third Party App
Priority: Lower Cost
Priority: Increased Adoption
Focus on the developer experience (DX)
Usability
Reliability
Simplicity
Security
Etc…
Software Qualities
DX > Software Qualities
Priority: Lower Cost
Priority: Increased Adoption
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
The API security challenge:
Balancing Security and Usability
Identity Authentication Authorization Availability Integrity Privacy
Identities and Attack Surfaces
Diagram: Developer, Portal, API, End User, Administrator
Injection Attack
API
Examples:
SQL Injection
Command Injection
Code Injection
Argument Injection
API Attack Example:
SQL Injection Attacks: APIs
GET http://host.com/aresource?token=%E2%80%98or%20%E2%80%981%3D1
GET http://host.com/aresource?token=' or '1=1
select * from tokens where token = '' or '1=1';
APIs May Be A Direct Conduit
Diagram: HTTP Server → App Server → Database; App Objects
Often:
• Self-documenting
• Closely mapped to object space
SQL Injection Attack - Mitigation
Sanitize inputs
Validate request and response data
Limit data size
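The token lookup from the slide above, run against a constructed in-memory SQLite table, as an added example that is not from the talk: the vulnerable version concatenates the token into the SQL and returns every row for the slide's payload; the hardened version binds the token as a parameter and applies the size limit and input validation the mitigation slide calls for.

```python
import sqlite3

def make_db():
    """Constructed token store standing in for the API's real database."""
    db = sqlite3.connect(":memory:")
    db.execute("create table tokens (token text, owner text)")
    db.executemany("insert into tokens values (?, ?)",
                   [("tok-alice", "alice"), ("tok-bob", "bob")])
    return db

# Payload from the slide after URL decoding: ' or '1=1
SLIDE_PAYLOAD = "' or '1=1"

def lookup_vulnerable(db, token):
    """Builds the query by string concatenation, producing exactly the
    SQL shown on the slide: select * from tokens where token = '' or '1=1';
    The injected OR makes the WHERE clause true for every row."""
    sql = "select * from tokens where token = '" + token + "';"
    return db.execute(sql).fetchall()

def lookup_hardened(db, token):
    """Binds the token as a parameter, so the quote in the payload is data,
    never SQL. Also enforces the other two mitigations from the slide:
    a size limit and a character whitelist (constructed: letters, digits
    and '-' only). Bad input is rejected, not 'cleaned'."""
    if len(token) > 64 or not token.replace("-", "").isalnum():
        return []
    return db.execute("select * from tokens where token = ?",
                      (token,)).fetchall()
```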
Denial of Service
API
Examples:
XML/JSON Parser Attacks
Jumbo Messages
Server Overload
Denial of Service Attack: Mitigation
Enforcement of boundary conditions
Intelligent rate limiting
Offload processing
Overflow
API
Buffer Overflow Attack: Mitigation
Boundary limit enforcement
Message validation
Cross Site Scripting
API
XSS API Example
Diagram: Attacker → Web App Server (browser+APIs) → Victim: Web Browser Client; payload <SCRIPT …>
1. API injects script in
2. Server fails to perform FIEO: Filter Input, Escape Output
3. Browser loads content with embedded script
Cross Site Scripting: Mitigation
Whitelist tags if you can (i.e. where the validation space is small and concise)
Blacklist dangerous tags like <SCRIPT>
Always perform FIEO (Filter Input, Escape Output)
Learn more: http://xssed.com
rate limiting is essential
we need message and payload validation too
is this new API world compatible with validation?
good APIs are extendable and evolvable
/myapi/v1
<contact>
<name>Ronnie</name>
<city>London</city>
</contact>
/myapi/v1
<contact>
<name>Ronnie</name>
<city>London</city>
<country>UK</country>
</contact>
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string"/>
<xs:element name="city" type="xs:string"/>
</xs:sequence>
</xs:complexType>
<contact>
<name>Ronnie</name>
<city>London</city>
<country>UK</country>
</contact>
API !
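A validator for the <contact> messages above, as an added example that is not from the talk: strict mode behaves like the closed xs:sequence on the slide and rejects the v2 message that adds <country>; allow_extensions models a schema with an explicit extension point (xs:any after the known elements), which keeps validation and boundary enforcement while letting the API evolve. The size limits are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Known elements of the v1 <contact> contract, in xs:sequence order.
V1_ELEMENTS = ("name", "city")
MAX_MESSAGE_BYTES = 4096   # constructed boundary, not from the talk
MAX_FIELD_CHARS = 64       # constructed boundary, not from the talk

# The two messages from the slides.
V1_CONTACT = "<contact><name>Ronnie</name><city>London</city></contact>"
V2_CONTACT = ("<contact><name>Ronnie</name><city>London</city>"
              "<country>UK</country></contact>")

def validate_contact(xml_text, allow_extensions=False):
    """Return (ok, reason). Strict mode is the closed schema: anything
    beyond name and city is rejected, so the v2 message fails a v1
    validator. With allow_extensions=True the known elements are still
    checked in order, and every element (known or not) must be a short
    leaf value, so evolution does not switch validation off."""
    if len(xml_text.encode()) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != "contact":
        return False, f"unexpected root element <{root.tag}>"
    children = list(root)
    tags = [c.tag for c in children]
    if tags[:len(V1_ELEMENTS)] != list(V1_ELEMENTS):
        return False, f"expected {list(V1_ELEMENTS)} first, got {tags}"
    for child in children:
        # len(child) counts nested elements: fields must be plain text
        if len(child) or len(child.text or "") > MAX_FIELD_CHARS:
            return False, f"<{child.tag}> must be a short text value"
    extras = tags[len(V1_ELEMENTS):]
    if extras and not allow_extensions:
        return False, f"unknown elements {extras} rejected by closed schema"
    return True, "ok"
```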
Man in the Middle
API
Man in the Middle Attack: Mitigation
Always use HTTPS
Corollary: Use a secure HTTPS implementation
App Spoofing
API
Examples:
- Guessing application ID by brute force
- Retrieving application ID by sniffing traffic
- Cracking application to retrieve application ID
App Spoofing
how can I protect identity on a mobile device?
…?
what happens if my mobile app is impersonated?
API
End User
Revenue Source
What the Fudge*! I didn’t make 10000 calls yesterday!!!!!!
I’m not paying that.
*This is what WTF actually stands for.
I didn’t buy 1000 mobile phones in Russia!
I’m not paying that!
Forrester:
we are moving towards a ‘zero-trust’ model
New platforms, new languages, new challenges:
• Ruby on Rails
• Node.js
• Scala
• Nginx
• Squid/Varnish/Traffic Manager
TLS OAuth 2
OpenID Connect
OAuth provides a Delegated Authorization Framework
An imperfect analogy….
Your Money
This Shop Needs Your Money
You need to grant access to your money
I won’t tell.
I promise!
Granting access to someone to act on your behalf.
resolving the password anti-pattern
Your resources
This app needs to act on your behalf
You need to grant access to your resources
Your google+ data
This app needs to access your Google+ data
You need to grant access to your resources
Hi Google.
I’d like to have access to a user’s friends list.
Hang on, let me ask…
He said yes. Here is your access code.
“Client” == application
“Resource owner” == end-user
The first step to understanding OAuth 2:
OAuth 2 Grant Types
Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials
Authorization Code Grant
Diagram: Client Application, Resource Owner (using Application), Resource Server
Resource Owner: I wish I could access my resources through this application… but I don’t trust this app enough to give it my credentials.
Authorization Code Grant: Initiation
Diagram: Client Application, Resource Owner, Authorization Server, Resource Server, User Agent
Client issues GET request via User-Agent, carrying: response_type, client_id, redirect_uri, scope, state
OAuth 2 Authorization Request
response_type – indicates grant type
client_id – application identifier
redirect_uri (optional) – address which the UA can use to respond to client
scope (optional) – space delimited string: what the client wants to do
state (optional) – opaque string used to defeat CSRF attacks
Sample Authorization GET URL:
https://azserver/oauth2/authorize?response_type=code&client_id=my_id&state=state&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback
Authorization Code Grant: Resource Owner Authentication
Diagram: Authorization Server sends User Authentication Form via the User Agent; Resource Owner authenticates
Authorization Code Grant: Authorization
Diagram: Authorization Server delivers Grant Screen via the User Agent; Resource Owner approves Grant Request
Authorization Code Grant: Receipt of Authorization Code
Diagram: Authorization Server redirects User-Agent (302) to Client Application, carrying: code, state
Authorization Code Grant: Access Token Request
Diagram: Client Application sends the AZ Code to the Authorization Server (Request Access Token) with: grant_type, code, redirect_uri, client_id; Authorization Server returns (200) Access Token and optional Refresh Token
Authorization Code Grant: Access Protected Resource
Diagram: Client Application (Resource Owner using Application) requests Resource from Resource Server; Resource Server returns Resource (200)
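The client side of the flow above in code, as an added example that is not from the talk: building the initiation GET from the slide's sample URL values, checking state on receipt of the authorization code (the CSRF defence the state parameter exists for), and assembling the access token request. The scope value "profile" and the callback values used in the test are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the slide's sample authorization URL.
AUTHORIZE_ENDPOINT = "https://azserver/oauth2/authorize"
CLIENT_ID = "my_id"
REDIRECT_URI = "http://localhost:8080/callback"

def build_authorization_url(scope="profile", state=None):
    """Initiation: the GET the client issues via the User-Agent.
    state must be unguessable and stored in the user's session so it
    can be compared on the way back; the scope default is constructed."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state

def parse_callback(redirected_url, expected_state):
    """Receipt of Authorization Code: the 302 lands on redirect_uri with
    code and state. The code is discarded unless state matches the value
    stored for this session, which is what stops a forged callback from
    binding an attacker's code to the victim's session."""
    query = parse_qs(urlsplit(redirected_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding code")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]

def build_token_request(code):
    """Access Token Request: the body the client sends directly to the
    Authorization Server, repeating the redirect_uri used at initiation."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
```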
be careful – much can go wrong!
Authorization Code Grant: Initiation
Diagram: Client issues GET request via User-Agent, carrying: response_type, client_id, redirect_uri, scope, state
Authorization Code Grant: Receipt of Authorization Code
Diagram: Authorization Server redirects User-Agent (302) to Client Application, carrying: code, state
is this complex?
is this too complex?
a better question:
is this too complex for our developers?
an even better question:
It depends, but it is the best we have today
2 vs. 3 Legged Spectrum: Three legged … Two legged
Three Legged: Client Application, Resource Owner, Authorization Server, Resource Server
Two Legged: Client Application, Authorization Server, Resource Server
OAuth 2 Challenges
It is a framework
It is complex for the implementer
OpenID Connect
Identity Access
Built on top of OAuth 2
Not tied to any single vendor or identity provider
Diagram: Client Application retrieves User Information from the OpenID Resource Server using the id_token (API, End User)
Portal
Who is using the API? How are they (mis)using it?
What would happen if the portal was exploited?
Diagram: Portal, API, Developer, End User, Administrator
Where are the components deployed? Who owns the identity store?
Diagram: Portal, API
is this safe?
Layered Pattern
Security Layer
TLS termination
OAuth and OpenID Connect support
Schema validation
Boundary enforcement
Cryptographic operations
Security mediation
API Gateway
Diagram: Gateway in front of the APIs
API Management
Diagram: Portal and Gateway in front of the APIs
Summary:
Old threats still exist
Be aware of new surfaces and threats
Enforce security in an abstracted layer with a gateway
www.apiacademy.co
Visit the Layer 7 booth for information on our gateways and portals!