REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application...

REST API Security

Jamie WallaceEBSCO LearningExpress

Physics

25 Years in Software

Director of Software Development

What is REST?Security?Solutions

Implementation

REST

tate

presentational

ransfer

CRUDHTTP verbs

using

API keymost web services only use an

RequestRequestRequest Validator API

Key

Key

Request Validator API

Key

Request

Validator API

Request

Validator API

Server Side

Client Side

Authorized clientValid and unmodified requestNo replay attacksAll users

Domain Cookie Solution

Time based One Time Password

JSON Web Token

Request

SessionID Header

SessionID Cookie

Validator API

Request

Validator API

Single Domain

Multiple Domain

Request

SessionID Header

SessionID Cookie

Validator API



JSON Web Token

Time Periods

Key

HMAC

TOTPTime PeriodsKeyHMAC

ÇKeyHMAC TOTP


TOTP

Request

Validator API

TOTP

Request

Validator API



JSON Web Token

Header

Key

HMACPayload

SignatureKeyPayloadHeaderSignatureHMAC

KeyPayloadHeaderHMAC Signature


JWT

Request

Validator API

JWT

Request

Validator API

Application Fingerprint

JWT with

Signature Service

TS

String

TS

115GHI

115DEF

115ABC

Key

10

20

30

HMAC

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC Hash

Encrypting JWT with

Encryption Service

TS

String

TS

115GHI

115DEF

115ABC

Key

10

20

30

HMAC

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMAC

115GHIString

TS TS

115DEF

115ABC

Key

10

20

30

HMACEncrypted

or Decrypted String

Client ManagerValidator

Signature ServiceEncryption Service

Key Store

Documents