understanding identity in the world of web apis – ronnie mitra, api architect, layer 7 talk from...

Understanding Identity in the World of Web

APIs

Ronnie Mitra

Principal API Architect - Europe

Layer 7 API Academy

API Management

virtual cloud on-premise

Connecting things

Connecting computer programs

… over the web

2000 – ebay

2000 – salesforce

2006 – Amazon Web Services

Twilio or stripe

2007 - Twillio

Web APIs

Language Independent

APIs are constrained by the syntax of the web

Most API Design principles can be applied

Some design principles are unique to Web APIs

Web APIs

HTTP

Network Based APIs

HTTP

COAP MQTT

WebSocket ?

Tunnel Style

URI Style

Hypermedia Style

Event Driven Style

Tunnel Style Example: SOAP

• transport agnostic • operation based • binding documents (WSDL)

Tunnel Style

<RetrieveStudentRecords> <StudentId>1213</StudentId> </RetrieveStudentRecords>

URI Style

GET PUT

POST DELETE

+ URI

URI Style

GET /students/1232

Hypermedia Style

Hypermedia Style

• links • templated input (forms) • task based

{ links: [ link {href: ‘…’ rel: ‘list’}, link {href: ‘…’ rel: ‘add’} ] collection: [ {link: {rel:'complete',href:‘…'},

id:42,

text:‘Record 42'

} ] }

Event Driven Style Example: WebSockets

• event based communication • server initiated events • full-duplex (websocket)

Ronnie,Mitra,UK

Established mechanisms, tools and frameworks

HTTP and URI security mechanisms

Similar to URI style, new challenges with links

Starts in HTTP, need visibility in new protocol

Private/Partner or Closed APIs

Acme Corp. API

Acme Corp. App

Public or Open APIs

Acme Corp. API

Third Party App

Priority: Lower Cost

Priority: Increased Adoption

Focus on the developer experience

(dx)

Usability

Reliability

Simplicity

Security

Etc…

Software Qualities

DX > Software Qualities

Priority: Lower Cost

Priority: Increased Adoption

Innovation

Consumer Reach

Revenue Source

Marketing

Integration

Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project

The API security challenge:

Balancing Security and Usability

Identity Authentication Authorization Availability Integrity Privacy

Identities and Attack Surfaces

Developer

Portal

API

Developer

End User

Administrator

Portal

API

Developer

End User

Administrator

API

End User

Injection Attack

Examples:

SQL Injection

Command Injection

Code Injection

Argument Injection

API Attack Example:

SQL Injection Attacks: APIs

GET http://host.com/aresource?token=

%E2%80%98or%20%E2%80%981%3D1

GET http://host.com/aresource?token=‘ or ‘1=1

select * from tokens where token = ‘’ or ‘1=1’;

APIs May Be A Direct Conduit

49

HTTP

Server

App

Server

Database

App

Objects

Often: • Self-documenting

• Closely mapped to object space

SQL Injection Attack - Mitigation

Sanitize inputs

Validate request and response data

Limit data size

Denial of Service

Examples:

XML/JSON Parser Attacks

Jumbo Messages

Server Overload

Denial of Service Attack: Mitigation

Enforcement of boundary conditions

Intelligent rate limiting

Offload processing

Overflow

Buffer Overflow Attack: Mitigation

Boundary limit enforcement

Message validation

Cross Site Scripting

XSS API Example

60

Attacker

Web App Server

(browser+APIs)

Victim: Web

Browser

Client

<SCRIPT …>

1. API injects

script in

3. Browser loads

content with

embedded script

2. Server fails to

perform FIEO: Filter

Input, Escape Output

API

Cross Site Scripting: Mitigation

Whitelist tags if you can (i.e. where the validation space is

small and concise)

Blacklist dangerous tags like <SCRIPT>

Always perform FIEO (Filter Input, Escape Output)

Learn more: http://xssed.com

61

rate limiting is essential

we need message and payload validation too

is this new API world compatible with validation?

good APIs are extendable and evolvable

/myapi/v1

<contact>

<name>Ronnie</name>

<city>London</city>

</contact>

/myapi/v1

<contact>

<name>Ronnie</name>

<city>London</city>

<country>UK</country>

</contact>

<xs:complexType>

<xs:sequence>

<xs:element name=“name" type="xs:string"/>

<xs:element name=“city" type="xs:string"/>

</xs:sequence>

</xs:complexType>

<contact>

<name>Ronnie</name>

<city>London</city>

<country>UK</country>

</contact>

Man in the Middle

Always use HTTPS

Corollary: Use a secure HTTPS implementation

Man in the Middle Attack: Mitigation

App Spoofing

Examples:

- Guessing application ID by brute force

- Retrieving application ID by sniffing traffic

- Cracking application to retrieve application ID

App Spoofing

how can I protect identity on a mobile device?

what happens if my mobile app is impersonated?

API

End User

Revenue Source

What the Fudge*! I didn’t make 10000 calls yesterday!!!!!!

I’m not paying that.

*This is what WTF actually stands for.

I didn’t buy 1000 mobile phones in

Russia!

I’m not paying that!

Forrester:

we are moving towards a ‘zero-trust’ model

New platforms, new languages, new challenges:

• Ruby on Rails

• Node.js

• Scala

• Nginx

• Squid/Varnish/Traffic Manager

TLS OAuth 2

Open ID Connect

OAuth provides a

Delegated Authorization Framework

An imperfect analogy….

http://www.flickr.com/photos/drewleavy/5587005480

http://www.flickr.com/photos/24oranges/5791460046/

http://www.flickr.com/photos/grumbler/571106054/

http://www.flickr.com/photos/roboppy/238406811/

Your Money

This Shop Needs Your Money

You need to grant access to your money

http://www.flickr.com/photos/drewleavy/5587005480

I won’t tell.

I promise!

www.flickr.com/photos/auntiep/255249516

Granting access to someone to act

on your behalf.

resolving the password anti-pattern

Your resources

This app needs to act on your behalf

You need to grant access to your resources

Your google+ data

This app needs to access your Google+ data

You need to grant access to your resources

Hi Google.

I’d like to have access to a user’s friends list.

Hang on, let me ask…

He said yes. Here is your access code.

“Client” == application

“Resource owner” == end-user

The first step to understanding OAuth 2:

OAuth 2 Grant Types

Authorization Code

Implicit

Resource Owner Password Credentials

Client Credentials

Authorization Code Grant

104

Client Application

Resource Owner

Using

Application

Resource Server

I Wish I could access my resources through

this application…


105

Client Application

Resource Owner

Using

Application

Resource Server

…but I don’t trust this app enough to give it

my credentials.


Initiation

106

Client Application

Resource Owner Authorization Server

Resource Server

User Agent

Issue GET

request via

User-Agent


Initiation

107

Client Application


Resource Server

User Agent

Issue GET

request via

User-Agent

response_type

client_id

redirect_uri

scope

state

OAuth 2 Authorization Request

response_type – indicates grant type

client_id –application identifier

redirect_uri (optional) – address which the UA can use to respond to client

scope (optional) – space delimited string: what the client wants to do

state (optional)– opaque string used to defeat CSRF attacks

Sample Authorization GET URL:

https://azserver/oauth2/authorize?response_type=code&client_id=my_id&state=state&r

edirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback


Resource Owner Authentication

109

Client Application


Resource Server

User Agent

Send

User

Authentication

Form

?

Authenticate


Authorization

110

Client Application


Resource Server

User Agent

Deliver

Grant

Screen

? ? ?

Approve

Grant

Request


Receipt of Authorization Code

111

Client Application


Resource Server

User Agent

Redirect

User-Agent

Client

Application

! Redirected

To

Client

Application

code

state

302


Access Token Request

112

Client Application


Resource Server

Request

Access

Token Return

Access

Token

and Optional

Refresh Token

grant_type

code

redirect_uri

client_id

200

AZ Code

AZ Code


Access Protected Resource

113

Client Application


Resource Server

Request

Resource

Using

Application

Return

Resource

200

be careful – much can go wrong!


Initiation

115

Client Application


Resource Server

User Agent

Issue GET

request via

User-Agent

response_type

client_id

redirect_uri scope

state


Receipt of Authorization Code

116


Resource Server

User Agent

Redirect

User-Agent

Client

Application

Redirected

To

Client

Application

code

state

302

is this complex?

is this too complex?

a better question:

is this too complex for our developers?

an even better question:

It depends, but it is the best we have today

2 vs. 3 Legged Spectrum

121

Three

legged

Two

legged

Three Legged

122

Client Application Resource Owner

Authorization Server

Resource Server

Two Legged

123

Client Application

Authorization Server

Resource Server

OAuth 2 Challenges

It is a framework

OAuth 2 Challenges

It is complex for the implementer

OpenID Connect

Identity Access

Built on top of OAuth 2

Not tied to any single vendor or identity provider

API

End User

API

End User

?

Client Application

Retrieve User

Information

OpenID

Resource

Server

id_token

Portal

Who is using the API? How are they (mis)using it?

What would happen if the portal was exploited?

Portal

API

Developer

End User

API

Portal

API

Administrator

Where are the components deployed? Who owns the identity store?

Portal

API

is this safe?

http://www.flickr.com/photos/naomi_pincher/3306312873/

Layered Pattern

Security Layer

TLS termination

OAuth and OpenID Connect support

Schema validation

Boundary enforcement

Cryptographic operations

Security mediation

API Gateway

Gateway

API

API

API Management

Portal

Gateway

API

API

Summary:

Old threats still exist

Be aware of new surfaces and threats

Enforce security in an abstracted layer with a gateway

www.apiacademy.co

Visit the Layer 7 booth for information on our gateways and portals!

understanding identity in the world of web apis – ronnie mitra, api architect, layer 7 talk from...

Technology

api attack example

api academy

api security challenge

webmost api design principles

attack surfaces

denial of service attack

buffer overflow attack

uri stylegetputpostdelete