REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application...

Page 1:

REST API Security

Jamie Wallace, EBSCO LearningExpress

Page 2:

Physics

25 Years in Software

Director of Software Development

Page 3:

What is REST?

Security?

Solutions

Implementation

Page 7:

REST

Page 8:

REST: REpresentational State Transfer

Page 9:

CRUD using HTTP verbs

Page 10:

Most web services only use an API key

Pages 11-14:

Diagram (builds): Request carrying a Key → Validator API

Page 15:

Server Side

Client Side

Page 16:

Authorized client

Valid and unmodified request

No replay attacks

All users

Page 20:

Domain Cookie Solution

Time-based One-Time Password

JSON Web Token

Page 21:

Diagram: Request with SessionID header and SessionID cookie → Validator API

Page 24:

Diagram: Request → Validator API

Page 25:

Single Domain

Multiple Domain

Page 26:

Diagram: Request with SessionID header and SessionID cookie → Validator API

Page 27:

Domain Cookie Solution

Time-based One-Time Password

JSON Web Token

Pages 28-30:

Diagram (builds): Time Periods and Key → HMAC → TOTP
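The TOTP diagram above shows the one-time password as an HMAC over the current time period and a shared key. The following is an added Python example, not code from the talk, that implements that computation (RFC 4226 HOTP truncation over the RFC 6238 time step) together with the check a Validator API would perform on a presented code. `DEMO_KEY`, `TIME_STEP`, the function names and the `accepted` set are my own choices; the key value is the RFC 6238 test-vector key so the codes can be checked against the published vectors.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector key (ASCII "12345678901234567890").
# A real deployment provisions a random key to both the client and the Validator API.
DEMO_KEY = b"12345678901234567890"
TIME_STEP = 30      # seconds per time period
DIGITS = 6


def time_period(unix_seconds: int, step: int = TIME_STEP) -> int:
    """Map wall-clock time to its time-period counter (T in RFC 6238)."""
    return unix_seconds // step


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_seconds: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password: HOTP over the current time period."""
    return hotp(key, time_period(unix_seconds, step), digits)


def verify_totp(key: bytes, presented: str, unix_seconds: int,
                window: int = 1, accepted: set = None) -> bool:
    """Validator-side check of a presented code.

    Accepts the code for the current period plus `window` periods either side
    to tolerate clock skew. Comparison is constant-time so the check does not
    leak how many leading digits matched. If an `accepted` set is supplied,
    a period whose code was already accepted is refused (replay protection).
    """
    current = time_period(unix_seconds)
    for period in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, period), presented):
            if accepted is not None:
                if period in accepted:
                    return False          # same code presented again: replay
                accepted.add(period)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_KEY, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_KEY, code, now))
```

The validator never receives the key over the wire; it recomputes the HMAC from the key it already holds and the period it derives from its own clock, which is why the skew window and the "already accepted" set both live on the server side.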

Pages 31-33:

Diagram (builds): Request carrying a TOTP → Validator API

Page 34:

Diagram: Request → Validator API

Page 35:

Domain Cookie Solution

Time-based One-Time Password

JSON Web Token

Pages 36-38:

Diagram (builds): Header, Payload and Key → HMAC → Signature

Pages 39-41:

Diagram (builds): Request carrying a JWT → Validator API

Page 42:

Diagram: Request → Validator API
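The JWT slides show a token built from a header and payload signed with HMAC under a key, and the Validator API checking the request that carries it. The following is an added Python example, not code from the talk, of that sign-and-verify round trip with the three checks the "Security?" slide lists: authorized client (only a holder of the key can produce a valid signature), valid and unmodified request (the signature covers header and payload), and no replay (a per-token `jti` that the validator accepts only once). `DEMO_KEY`, the `Validator` class, the `rejection_reason` helper and the use of `jti` as a one-shot token id are my own assumptions, not the talk's design.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a deployment holds this in the key store, never in code.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(key: bytes, payload: dict) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


class Validator:
    """Validator-side checks: authorized client, unmodified request, no replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_jti = set()          # token ids already accepted (replay protection)

    def validate(self, token: str, now: int) -> dict:
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            signature = b64url_decode(sig_b64)
        except ValueError:             # wrong part count, bad base64 or bad JSON
            raise ValueError("malformed token") from None
        # Pin the algorithm: the token's own alg field must never select the verifier.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")     # modified request or unauthorized client
        try:
            payload = json.loads(b64url_decode(payload_b64))
        except ValueError:
            raise ValueError("malformed token") from None
        if now >= payload.get("exp", 0):
            raise ValueError("expired")
        jti = payload.get("jti")
        if jti is None or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return payload


def rejection_reason(validator: Validator, token: str, now: int) -> str:
    """Return the validator's rejection message, or '' if the token is accepted."""
    try:
        validator.validate(token, now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    v = Validator(DEMO_KEY)
    tok = sign_jwt(DEMO_KEY, {"sub": "client-42", "exp": 1000, "jti": "n1"})
    print("first use:", v.validate(tok, 900))
    print("second use:", rejection_reason(v, tok, 900))
```

Two design points carried in the code: the signature is checked before the payload is parsed, so nothing from an unsigned payload influences a decision, and the `seen_jti` set is only meaningful for per-request tokens with a short `exp`, which bounds how long the validator must remember ids.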

Page 43:

Application Fingerprint

Page 44:

JWT with Signature Service

Pages 45-47:

Diagram (builds) of the Signature Service: inputs TS and String; key table with entries 115ABC, 115DEF, 115GHI and values 10, 20, 30; HMAC → Hash

Page 48:

Encrypting JWT with Encryption Service

Pages 49-51:

Diagram (builds) of the Encryption Service: inputs TS and String; key table with entries 115ABC, 115DEF, 115GHI and values 10, 20, 30; HMAC → Encrypted or Decrypted String

Page 52:

Components: Client Manager, Validator, Signature Service, Encryption Service, Key Store

Page 57:

Q & A