Securing RESTful Payment APIs Using OAuth 2

Transcript

1. Using OAuth 2 Securing RESTful Payment APIs Jonathan LeBlanc Principal

   Developer Evangelist (PayPal) Github: http://github.com/jcleblanc Slides: http://slideshare.net/jcleblanc Twitter: @jcleblanc

2. The Ultimate Decision Security   Usability  

3. None

4. What a RESTful API isn’t Our API is RESTful, we

   support GET, PUT, POST, and DELETE requests   No…actually you just support HTTP…like the rest of the web.  

5. What a RESTful API is Honor HTTP request verbs Use

   proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header Double Rainbow: Discovery via HATEOAS

6. Does Anyone Actually Do That? Very few APIs follow pragmatic

   REST principles  

7. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{

   "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]
8. None

9. When You Need Access Security

10. A Few Different Flavors of Usage User login (authentication) Application

    only (bearer tokens) User Involvement (authorization)

11. Our App Usage: Bearer Tokens

12. None

13. Making Your Definitions <?php   define("CLIENT_ID",  "YOUR  CLIENT  ID");  

    define("CLIENT_SECRET",  "YOUR  CLIENT  SECRET");       define("URI_SANDBOX",  "h;ps://api.sandbox.paypal.com/v1/");   define("URI_LIVE",  "h;ps://api.paypal.com/v1/");   ?>  

14. class  paypal{          private  $access_token;    

         private  $token_type;                    public  func1on  __construct(){                  $postvals  =  "grant_type=client_credenWals";                  $uri  =  URI_SANDBOX  .  "oauth2/token";                                    $auth_response  =  self::curl($uri,  'POST',  $postvals,  true);                  $this-­‐>access_token  =  $auth_response['body']-­‐>access_token;                  $this-­‐>token_type  =  $auth_response['body']-­‐>token_type;          }            …   }    

15. private  func1on  curl($url,  $method  =  'GET',  $postvals  =  null,  $auth

     =  false){        $ch  =  curl_init($url);                          if  ($auth){              $headers  =  array("Accept:  applicaWon/json",                                                                                "Accept-­‐Language:  en_US");              curl_setopt($ch,  CURLOPT_HTTPAUTH,  CURLAUTH_BASIC);              curl_setopt($ch,  CURLOPT_USERPWD,  CLIENT_ID  .  ":"  .CLIENT_SECRET);        }  else  {              $headers  =  array("Content-­‐Type:applicaWon/json",                      "AuthorizaWon:{$this-­‐>token_type}  {$this-­‐>access_token}");        }  

16. $opWons  =  array(              

       CURLOPT_HEADER  =>  true,                  CURLINFO_HEADER_OUT  =>  true,                  CURLOPT_HTTPHEADER  =>  $headers,                  CURLOPT_RETURNTRANSFER  =>  true,                  CURLOPT_VERBOSE  =>  true,                  CURLOPT_TIMEOUT  =>  10          );                                    if  ($method  ==  'POST'){                  $opWons[CURLOPT_POSTFIELDS]  =  $postvals;                  $opWons[CURLOPT_CUSTOMREQUEST]  =  $method;          }                            curl_setopt_array($ch,  $opWons);                                  $response  =  curl_exec($ch);          return  $response;   }  

17. Making a Call with the Token public  func1on  process_payment($request){  

           $postvals  =  $request;          $uri  =  URI_SANDBOX  .  "payments/payment";          return  self::curl($uri,  'POST',  $postvals);   }  

18. The Last Considerations REST and OAuth are specifications, not religions

    Don’t alienate your developers with security Open source is your friend

19. http://bit.ly/imagine_rest_oauth2 Thank You! Questions? Jonathan LeBlanc Principal Developer Evangelist (PayPal)

    Github: http://github.com/jcleblanc Twitter: @jcleblanc