Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing RESTful APIs using OAuth 2 and OpenID Connect

Jonathan LeBlanc
October 02, 2013
Technology
3
920

Securing RESTful APIs using OAuth 2 and OpenID Connect

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Jonathan LeBlanc

October 02, 2013
Tweet

More Decks by Jonathan LeBlanc

See All by Jonathan LeBlanc
Architecting Developer Relations for a New Development Platform
jcleblanc
0
6
Best practices for application development with Box
jcleblanc
0
6
BoxWorks Developer Training
jcleblanc
0
92
Building Mobile First Experiences on Box Platform
jcleblanc
0
39
Introduction to Box APIs
jcleblanc
1
59
Box Platform Developer Workshop
jcleblanc
2
260
JavaScript App Security: Auth and Identity on the Client
jcleblanc
0
52
Improving Developer Onboarding Through Intelligent Data Insights
jcleblanc
0
44
Better Data with Machine Learning and Serverless
jcleblanc
0
140

Other Decks in Technology

See All in Technology
成長をサポートするピープルマネジメントのやり方
sioncojp
9
1.2k
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
8
630
Grafana x PagerDuty Better Together
jacopen
1
270
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
1k
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
Cypress or Playwright?
rainerhahnekamp
0
170
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
410
How to do well in consulting–Balkan Ruby 2024
irinanazarova
0
150
データベース03: 関係データモデル
trycycle
0
100
uvを使ってストレスフリーな Python開発をしよう!
r74tech
0
120
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
150
IaCからAWSに入門した初心者が CloudFormationを通して考えた「AWS操作」の使い分け
maimyyym
1
290

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.8k
Visualization
eitanlees
137
14k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
39
2.5k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
22
6.4k
Documentation Writing (for coders)
carmenintech
60
4k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
Atom: Resistance is Futile
akmur
260
25k
Being A Developer After 40
akosma
67
580k
Optimising Largest Contentful Paint
csswizardry
13
2.4k
Why Our Code Smells
bkeepers
PRO
331
56k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan

    LeBlanc (@jcleblanc) Head of Developer Evangelism (NA)

  2. What We’re Covering Auth History and REST Concepts Adding in

    an Auth Mechanism Integration in Practice (server + client side integrations)

  3. What We Want

  4. The Ultimate Decision Security   Usability  

  5. Path to the Standard

  6. The Insecure, Unmanageable Start

  7. Very Secure, Long to Implement

  8. Two Currently Widely Used Specs

  9. REST Architecture

  10. What a RESTful API isn’t Our API is RESTful, we

    support GET, PUT, POST, and DELETE requests   No…actually you just support HTTP…like the rest of the web.  

  11. What a RESTful API is Honor HTTP request verbs Use

    proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header

  12. Does Anyone Actually Do That? Very few APIs follow pragmatic

    REST principles  

  13. HATEOAS

  14. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{

    "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]

  15. Adding Auth Mechanisms

  16. When You Need Access Security

  17. A Few Different Flavors of Usage User login (authentication) Application

    only (bearer tokens) User Involvement (authorization)

  18. Fetching a Code Prepare the Redirect URI Authorization Endpoint client_id

    response_type (code) scope redirect_uri nonce state Browser Redirect Redirect URI

  19. Fetching the Access Token Fetch the Access Token Access Token

    Endpoint client_id code (query string) client_secret grant_type HTTP POST Access Token Endpoint

  20. A few implementation differences Endpoints Scopes (dynamic / static) Using

    the Access Token in a request

  21. Practical Implementation

  22. Making Your Definitions <?php   define("CLIENT_ID",  "YOUR  CLIENT  ID");  

    define("CLIENT_SECRET",  "YOUR  CLIENT  SECRET");       define("URI_SANDBOX",  "h;ps://api.sandbox.paypal.com/v1/");   define("URI_LIVE",  "h;ps://api.paypal.com/v1/");   ?>  

  23. class  paypal{          private  $access_token;    

         private  $token_type;                    public  func1on  __construct(){                  $postvals  =  "grant_type=client_credenWals";                  $uri  =  URI_SANDBOX  .  "oauth2/token";                                    $auth_response  =  self::curl($uri,  'POST',  $postvals,  true);                  $this-­‐>access_token  =  $auth_response['body']-­‐>access_token;                  $this-­‐>token_type  =  $auth_response['body']-­‐>token_type;          }            …   }    

  24. private  func1on  curl($url,  $method  =  'GET',  $postvals  =  null,  $auth

     =  false){        $ch  =  curl_init($url);                          if  ($auth){              $headers  =  array("Accept:  applicaWon/json",                                                                                "Accept-­‐Language:  en_US");              curl_setopt($ch,  CURLOPT_HTTPAUTH,  CURLAUTH_BASIC);              curl_setopt($ch,  CURLOPT_USERPWD,  CLIENT_ID  .  ":"  .CLIENT_SECRET);        }  else  {              $headers  =  array("Content-­‐Type:applicaWon/json",                      "AuthorizaWon:{$this-­‐>token_type}  {$this-­‐>access_token}");        }  

  25. $opWons  =  array(              

       CURLOPT_HEADER  =>  true,                  CURLINFO_HEADER_OUT  =>  true,                  CURLOPT_HTTPHEADER  =>  $headers,                  CURLOPT_RETURNTRANSFER  =>  true,                  CURLOPT_VERBOSE  =>  true,                  CURLOPT_TIMEOUT  =>  10          );                                    if  ($method  ==  'POST'){                  $opWons[CURLOPT_POSTFIELDS]  =  $postvals;                  $opWons[CURLOPT_CUSTOMREQUEST]  =  $method;          }                            curl_setopt_array($ch,  $opWons);                                  $response  =  curl_exec($ch);          return  $response;   }  

  26. Making a Call with the Token public  func1on  process_payment($request){  

           $postvals  =  $request;          $uri  =  URI_SANDBOX  .  "payments/payment";          return  self::curl($uri,  'POST',  $postvals);   }  

  27. OAuth 2 & JavaScript?

  28. A Little Use Background User login Application only User Involvement

  29. User Agent Flow: Redirect Prepare the Redirect URI Authorization Endpoint

    client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI

  30. User Agent Flow: Redirect Building the redirect link var auth_uri

    = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);

  31. User Agent Flow: Hash Mod Fetch the Hash Mod access_token

    refresh_token expires_in Extract Access Token

  32. User Agent Flow: Hash Mod http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash

    = document.location.hash; var match = hash.match(/access_token=(\w+)/); Extracting the access token from the hash

  33. User Agent Flow: Get Resources Set Request Headers + URI

    Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request

  34. User Agent Flow: Get Resources $.ajax({ url: resource_uri, beforeSend: function

    (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } }); Making an authorized request

  35. Using the Skeleton Key

  36. How it’s Normally Used Access user details Push data through

    user social streams

  37. But why? Access token as a control structure Improve Existing

    Products Our showcase: Seamless Checkout

  38. A Few Code Links OAuth2 & OpenID Connect Samples https://github.com/jcleblanc/oauth

    https://github.com/paypal/paypal-access Log in with PayPal http://bit.ly/loginwithpaypal

  39. The Last Considerations REST and OAuth are specifications, not religions

    Don’t alienate your developers with security Open source is your friend

  40. Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Head of Developer

    Evangelism (NA)