Building an API Security Ecosystem
-
Upload
prabath-siriwardena -
Category
Documents
-
view
876 -
download
0
description
Transcript of Building an API Security Ecosystem
![Page 1: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/1.jpg)
Best Prac*ces in Building an API Security Ecosystem Prabath Siriwardena, Director of Security, WSO2 Twitter : @prabath
![Page 2: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/2.jpg)
Gateway Pattern
![Page 3: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/3.jpg)
Gateway Pattern - Benefits
• Decouple clients from the actual API implementation • No point-‐to-‐point to connection • Centralized security enforcing • Centralized auditing & monitoring • Version controlling
![Page 4: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/4.jpg)
Direct Authentication – Internal Users
• HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 1.o : Two Legged OAuth • OAuth 2.o : Client Credentials • NTLM / Kerberos
![Page 5: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/5.jpg)
HTTP Basic Authentication
curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’ -d '{"name": "my_github_repo"}' https://api.github.com/user/repos
§ Creating a GitHub repository
![Page 6: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/6.jpg)
HTTP Digest Authentication
curl -k –-digest –u userName:password -v https://localhost:8443/recipe
HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
![Page 7: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/7.jpg)
HTTP Basic vs. Digest Authentication
![Page 8: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/8.jpg)
TLS Mutual Authentication
§ Gateway itself does the certificate validation § Fine-‐grained access validations can be done by the authorization server.
curl -k --cert client.pem https://localhost:8443/recipe
![Page 9: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/9.jpg)
OAuth 1.0 : Two Legged OAuth
POST /student?name=pavithra HTTP/1.1 Host: server.com Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="simple", oauth_consumer_key="dsdsddDdsdsds ", oauth_token=" ", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1474343201", oauth_nonce="rerwerweJHKjhkdsjhkhj", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
![Page 10: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/10.jpg)
OAuth 2.0 : Client Credentials
curl -v -X POST --basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b ] -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8” -d "client_id=588997174524690&grant_type=client_credentials" https://graph.facebook.com/oauth/access_token
![Page 11: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/11.jpg)
Kerberos / NTLM
§ Can be implemented as OAuth 2.0 grant types
![Page 12: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/12.jpg)
Auditing / Monitoring
![Page 13: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/13.jpg)
Chained APIs
![Page 14: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/14.jpg)
Decoupling Authorization Server from Resource Server
![Page 15: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/15.jpg)
Decoupling Authorization Server from Resource Server
POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-99JXJ&resource_id=…
{ "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/* }
![Page 16: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/16.jpg)
Externalizing Authorization
![Page 17: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/17.jpg)
XACML
![Page 18: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/18.jpg)
OAuth & XACML
§ A given access token has a scope associated with it and it governs the access token’s capabilities
§ A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.
§ token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
![Page 19: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/19.jpg)
XACML Request <Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes> </Request>
![Page 20: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/20.jpg)
XACML Policy <Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
![Page 21: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/21.jpg)
Cross-Domain API Access
![Page 22: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/22.jpg)
Cross-Domain API Access
curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa” -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2 bearer&assertion=PHNhbWxwOl...[omitted for brevity]...ZT4" https://localhost:9443/oauth2/token
![Page 23: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/23.jpg)
Centralized Authorization with Distributed Resource Servers
![Page 24: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/24.jpg)
User Managed Access
• PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server)..
• RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
![Page 25: Building an API Security Ecosystem](https://reader034.fdocuments.in/reader034/viewer/2022050720/54708790b4af9fc30a8b479d/html5/thumbnails/25.jpg)
Contact us !