REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application...

57
REST API Security Jamie Wallace EBSCO LearningExpress

Transcript of REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application...

Page 1: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

REST API Security

Jamie WallaceEBSCO LearningExpress

Page 2: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Physics

25 Years in Software

Director of Software Development

Page 3: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

What is REST?Security?Solutions

Implementation

Page 4: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

What is REST?Security?Solutions

Implementation

Page 5: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

What is REST?Security?Solutions

Implementation

Page 6: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

What is REST?Security?Solutions

Implementation

Page 7: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

REST

Page 8: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

REST

tate

presentational

ransfer

Page 9: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

CRUDHTTP verbs

using

Page 10: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

API keymost web services only use an

Page 11: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

RequestRequestRequest Validator API

Key

Page 12: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Key

Request Validator API

Page 13: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Key

Request

Validator API

Page 14: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

Page 15: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Server Side

Client Side

Page 16: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Authorized clientValid and unmodified requestNo replay attacksAll users

Page 17: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Authorized clientValid and unmodified requestNo replay attacksAll users

Page 18: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Authorized clientValid and unmodified requestNo replay attacksAll users

Page 19: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Authorized clientValid and unmodified requestNo replay attacksAll users

Page 20: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Domain Cookie Solution

Time based One Time Password

JSON Web Token

Page 21: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

SessionID Header

SessionID Cookie

Validator API

Page 22: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

SessionID Header

SessionID Cookie

Validator API

Page 23: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

SessionID Header

SessionID Cookie

Validator API

Page 24: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

Page 25: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Single Domain

Multiple Domain

Page 26: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

SessionID Header

SessionID Cookie

Validator API

Page 27: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Domain Cookie Solution

Time based One Time Password

JSON Web Token

Page 28: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Time Periods

Key

HMAC

Page 29: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

TOTPTime PeriodsKeyHMAC

Page 30: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

ÇKeyHMAC TOTP

Page 31: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request Validator API

TOTP

Page 32: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request Validator API

TOTP

Page 33: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

TOTP

Page 34: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

Page 35: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Domain Cookie Solution

Time based One Time Password

JSON Web Token

Page 36: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Header

Key

HMACPayload

Page 37: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

SignatureKeyPayloadHeaderSignatureHMAC

Page 38: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

KeyPayloadHeaderHMAC Signature

Page 39: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request Validator API

JWT

Page 40: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request Validator API

JWT

Page 41: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

JWT

Page 42: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Request

Validator API

Page 43: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Application Fingerprint

Page 44: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

JWT with

Signature Service

Page 45: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

TS

String

TS

115GHI

115DEF

115ABC

Key

10

20

30

HMAC

Page 46: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC

Page 47: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC Hash

Page 48: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Encrypting JWT with

Encryption Service

Page 49: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

TS

String

TS

115GHI

115DEF

115ABC

Key

10

20

30

HMAC

Page 50: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC

Page 51: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMACEncrypted

or Decrypted String

Page 52: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Page 53: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Page 54: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Page 55: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Page 56: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Page 57: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC.

Q & A


HOBLink JWT 4.1 Administration Guide - ftp.hob.de - / JWT Plugins/HOBLink... · 2016-04-04 · HOBLink JWT extends and supplements this architecture with central administration, ...

HOBLink JWT 4.1 Administration Guide - ftp.hob.de - / JWT Plugins/HOBLink... · 2016-04-04 · HOBLink JWT extends and supplements this architecture with central administration, ...

JWT Russia Credentials

JWT Russia Credentials

API referencepublic.picturesafe.cloud/picturesafe-search/1.0.1/API-Reference.pdfThe REST API uses JSON Web Tokens (JWT) for authorization. You have to provide a valid JWT in the authorization

API referencepublic.picturesafe.cloud/picturesafe-search/1.0.1/API-Reference.pdfThe REST API uses JSON Web Tokens (JWT) for authorization. You have to provide a valid JWT in the authorization

20081124 jwt trta

20081124 jwt trta

JWT - February 2016

JWT - February 2016

JWT presentation eng_june14

JWT presentation eng_june14

inspecco-20200707112917...2020/05/03  · API 1104, API 650, API 5L, TS EN ISO 5817, TS EN ISO 3452, EN ISO 23277, TS EN 10228-2, TS EN 1371-2, ISO 108934, AWS 01.1, AWS D.1.5, AD

inspecco-20200707112917...2020/05/03  · API 1104, API 650, API 5L, TS EN ISO 5817, TS EN ISO 3452, EN ISO 23277, TS EN 10228-2, TS EN 1371-2, ISO 108934, AWS 01.1, AWS D.1.5, AD

Anxiety Index Pakistan Jwt

Anxiety Index Pakistan Jwt

(Jwt)Nvidia Mcp73 Series_ver10

(Jwt)Nvidia Mcp73 Series_ver10

Jwt anxiety index_uk_aug2011

Jwt anxiety index_uk_aug2011

JWT Copy Test

JWT Copy Test

Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more

Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more

An obesity care patient follow-up system on Smile CDR · REST API med JWT. vj. Patient. vj. Practitioner. IP restrictions. Smile CDR. FHIR API. REST API med JWT. Signicat / BankID.

An obesity care patient follow-up system on Smile CDR · REST API med JWT. vj. Patient. vj. Practitioner. IP restrictions. Smile CDR. FHIR API. REST API med JWT. Signicat / BankID.

JWT for auth and more - Блог компанії InterLink...JWT Registered Claims (payload properties) iss (issuer): Issuer of the JWT sub (subject): Subject of the JWT (the user)

JWT for auth and more - Блог компанії InterLink...JWT Registered Claims (payload properties) iss (issuer): Issuer of the JWT sub (subject): Subject of the JWT (the user)

SIGNA: Species IrisGroupofNorthAmerica 29th Species · PDF fileDMR MIL CRG JWT JHW EHL JPN JWT JWT JWT 95J047 95J048 95J049 95J050 95J051 95J052 95J053 95J054 95J055 95J056 95J057

SIGNA: Species IrisGroupofNorthAmerica 29th Species · PDF fileDMR MIL CRG JWT JHW EHL JPN JWT JWT JWT 95J047 95J048 95J049 95J050 95J051 95J052 95J053 95J054 95J055 95J056 95J057

JWT Kit Kat Presentation

JWT Kit Kat Presentation

JWT Personality Atlas

JWT Personality Atlas

Microservices & JWT

Microservices & JWT

JWT Ukraine Credentials

JWT Ukraine Credentials

Warrior Lacrosse / JWT Advertising

Warrior Lacrosse / JWT Advertising