
Securing RESTful APIs using OAuth 2 and OpenID Connect

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Jonathan LeBlanc

October 02, 2013

Transcript

  1. Securing RESTful APIs Using OAuth 2 and OpenID Connect. Jonathan LeBlanc (@jcleblanc), Head of Developer Evangelism (NA)
  2. What We’re Covering: Auth History and REST Concepts; Adding in an Auth Mechanism; Integration in Practice (server + client side integrations)
  3. What a RESTful API isn’t: "Our API is RESTful, we support GET, PUT, POST, and DELETE requests." No… actually you just support HTTP, like the rest of the web.
  4. What a RESTful API is: Honor HTTP request verbs; Use proper HTTP status codes; No version numbering in URIs; Return format via HTTP Accept header
  5. "links": [{
         "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
         "rel": "self",
         "method": "GET"
     }, {
         "href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
         "rel": "approval_url",
         "method": "REDIRECT"
     }, {
         "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
         "rel": "execute",
         "method": "POST"
     }]
  6. A Few Different Flavors of Usage: User login (authentication); Application only (bearer tokens); User Involvement (authorization)
  7. Fetching a Code: Prepare the Redirect URI to the Authorization Endpoint (client_id, response_type (code), scope, redirect_uri, nonce, state); Browser Redirect; Redirect URI
  8. Fetching the Access Token: Fetch the Access Token from the Access Token Endpoint (client_id, code (query string), client_secret, grant_type) via HTTP POST to the Access Token Endpoint
  9. Making Your Definitions
     <?php
     define("CLIENT_ID", "YOUR CLIENT ID");
     define("CLIENT_SECRET", "YOUR CLIENT SECRET");
     define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");
     define("URI_LIVE", "https://api.paypal.com/v1/");
     ?>
  10. class paypal {
          private $access_token;
          private $token_type;

          // Application-only (client credentials) flow: exchange the client id
          // and secret for a bearer token when the object is constructed.
          public function __construct() {
              $postvals = "grant_type=client_credentials";
              $uri = URI_SANDBOX . "oauth2/token";

              $auth_response = $this->curl($uri, 'POST', $postvals, true);
              $this->access_token = $auth_response['body']->access_token;
              $this->token_type = $auth_response['body']->token_type;
          }
          …
      }
  11. private function curl($url, $method = 'GET', $postvals = null, $auth = false) {
          $ch = curl_init($url);

          if ($auth) {
              // Token request: authenticate the application with HTTP Basic
              // (client_id:client_secret) over TLS.
              $headers = array("Accept: application/json",
                               "Accept-Language: en_US");
              curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
              curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" . CLIENT_SECRET);
          } else {
              // Resource request: present the token type and access token.
              $headers = array("Content-Type: application/json",
                               "Authorization: {$this->token_type} {$this->access_token}");
          }
  12.     $options = array(
              CURLOPT_HEADER => true,
              CURLINFO_HEADER_OUT => true,
              CURLOPT_HTTPHEADER => $headers,
              CURLOPT_RETURNTRANSFER => true,
              CURLOPT_VERBOSE => true,
              CURLOPT_TIMEOUT => 10
          );

          if ($method == 'POST') {
              $options[CURLOPT_POSTFIELDS] = $postvals;
              $options[CURLOPT_CUSTOMREQUEST] = $method;
          }

          curl_setopt_array($ch, $options);

          $response = curl_exec($ch);
          // CURLOPT_HEADER is on, so split the raw headers from the JSON body;
          // the constructor reads the decoded body as $auth_response['body'].
          $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
          curl_close($ch);
          return array('header' => substr($response, 0, $header_size),
                       'body' => json_decode(substr($response, $header_size)));
      }
  13. Making a Call with the Token
      public function process_payment($request) {
          $postvals = $request;
          $uri = URI_SANDBOX . "payments/payment";
          return $this->curl($uri, 'POST', $postvals);
      }
  14. User Agent Flow: Redirect. Prepare the Redirect URI to the Authorization Endpoint (client_id, response_type (token), scope, redirect_uri); Browser Redirect; Redirect URI
  15. User Agent Flow: Redirect. Building the redirect link:
      var auth_uri = auth_endpoint
          + "?response_type=token"
          + "&client_id=" + client_id
          + "&scope=profile"
          + "&redirect_uri=" + encodeURIComponent(window.location.href);
      $("#auth_btn").attr("href", auth_uri);
  16. User Agent Flow: Hash Mod. Fetch the Hash Mod (access_token, refresh_token, expires_in); Extract Access Token
  17. User Agent Flow: Hash Mod. Extracting the access token from the hash:
      http://site.com/callback#access_token=rBEGu1FQr54AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a&expires_in=3600
      var hash = document.location.hash;
      var match = hash.match(/access_token=(\w+)/);
      var token = match ? match[1] : null;
  18. User Agent Flow: Get Resources. Set Request Headers + URI for the Resource Endpoint: Header: token type + access token; Header: accept data type; HTTPS Request
  19. User Agent Flow: Get Resources. Making an authorized request:
      $.ajax({
          url: resource_uri,
          beforeSend: function (xhr) {
              xhr.setRequestHeader('Authorization', 'OAuth ' + token);
              xhr.setRequestHeader('Accept', 'application/json');
          },
          success: function (response) {
              // use response object
          }
      });
  20. But why? Access token as a control structure; Improve Existing Products; Our showcase: Seamless Checkout
  21. A Few Code Links: OAuth2 & OpenID Connect Samples https://github.com/jcleblanc/oauth and https://github.com/paypal/paypal-access; Log in with PayPal http://bit.ly/loginwithpaypal
  22. The Last Considerations: REST and OAuth are specifications, not religions; Don’t alienate your developers with security; Open source is your friend