
Securing RESTful Payment APIs Using OAuth 2


Audio from this session is available at https://archive.org/details/rest_apis_with_oauth2

Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track the applications making requests, the open standard OAuth 2 gives us a secure, openly specified way of doing just that.

In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

Jonathan LeBlanc

April 13, 2013


Transcript

  1. Securing RESTful Payment APIs Using OAuth 2
     Jonathan LeBlanc, Principal Developer Evangelist (PayPal)
     Github: http://github.com/jcleblanc
     Slides: http://slideshare.net/jcleblanc
     Twitter: @jcleblanc
  2. What a RESTful API isn't
     "Our API is RESTful, we support GET, PUT, POST, and DELETE requests."
     No... actually you just support HTTP, like the rest of the web.
  3. What a RESTful API is
     - Honor HTTP request verbs
     - Use proper HTTP status codes
     - No version numbering in URIs
     - Return format via HTTP Accept header
     - Double Rainbow: Discovery via HATEOAS
  4. "links": [{
         "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y",
         "rel": "self",
         "method": "GET"
     }, {
         "href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609",
         "rel": "approval_url",
         "method": "REDIRECT"
     }, {
         "href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute",
         "rel": "execute",
         "method": "POST"
     }]
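     The links array above is what HATEOAS discovery looks like in practice: the client reads the next action from the response instead of hard-coding URIs. The security point a practitioner should add is that a link arriving in a response is untrusted input, and the bearer token must only ever travel to hosts the client already trusts. The following is an added example, not code from the deck or from PayPal's SDK; it parses a payment response constructed from the shape on this slide, and the function names (`find_link`, `check_link`) and host lists are assumptions for illustration.

```php
<?php
// Added example (not from the deck): pick the next action out of a HATEOAS
// "links" array and decide whether the app's bearer token may travel with it.
// The response is constructed to match the shape shown on the slide.

$response_json = '{
  "id": "PAY-6RV75EKEYSZ6Y",
  "state": "created",
  "links": [
    {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET"},
    {"href": "https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT"},
    {"href": "https://api.sandbox.paypal.com/v1/payments/payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST"}
  ]
}';

// Hosts that may receive the Authorization header (API calls) and hosts the
// user's browser may be sent to (REDIRECT links). Assumed lists for the example.
$api_hosts = array('api.sandbox.paypal.com', 'api.paypal.com');
$web_hosts = array('www.sandbox.paypal.com', 'www.paypal.com');

function find_link(array $links, $rel) {
    foreach ($links as $link) {
        if (isset($link->rel) && $link->rel === $rel) {
            return $link;
        }
    }
    return null;
}

// Validate a link before acting on it. Returns null when the link is safe to
// follow, otherwise a reason string. HTTPS only; REDIRECT links go to the
// browser and never carry the app token; everything else must target an API host.
function check_link($link, array $api_hosts, array $web_hosts) {
    if ($link === null) {
        return 'link missing from response';
    }
    $parts = parse_url($link->href);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'malformed href';
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return 'refusing non-HTTPS link';
    }
    $host = strtolower($parts['host']);
    $method = strtoupper($link->method);
    if ($method === 'REDIRECT') {
        return in_array($host, $web_hosts, true) ? null : "refusing to redirect user to $host";
    }
    if (!in_array($method, array('GET', 'POST'), true)) {
        return "unknown method $method";
    }
    return in_array($host, $api_hosts, true) ? null : "refusing to send token to $host";
}

$payment = json_decode($response_json);
if ($payment === null) {
    die("bad JSON\n");
}

// Step 1: the user approves the payment in their browser (no app token involved)
$approval = find_link($payment->links, 'approval_url');
$err = check_link($approval, $api_hosts, $web_hosts);
if ($err !== null) die("approval_url: $err\n");
echo "redirect the user to: {$approval->href}\n";

// Step 2: after the user returns, the app calls the execute link with its token
$execute = find_link($payment->links, 'execute');
$err = check_link($execute, $api_hosts, $web_hosts);
if ($err !== null) die("execute: $err\n");
echo "{$execute->method} {$execute->href} (with Authorization header)\n";

// A link tampered to point off-host is rejected before any token leaves the process
$bad = (object) array('href' => 'https://evil.example/steal', 'rel' => 'execute', 'method' => 'POST');
echo "tampered link: " . check_link($bad, $api_hosts, $web_hosts) . "\n";
```

     Run it with `php hateoas_links.php`. The approval link passes even though its host is not an API host, because a REDIRECT is performed by the user's browser and the check deliberately refuses to attach the application's token to it; the constructed off-host execute link is refused outright.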
  5. A Few Different Flavors of Usage
     - User login (authentication)
     - Application only (bearer tokens)
     - User Involvement (authorization)
  6. Making Your Definitions

     <?php
     // Credentials for the client-credentials grant. Placeholders here; in a
     // deployed app load them from the environment or a secrets store rather
     // than committing them to source control.
     define("CLIENT_ID", "YOUR CLIENT ID");
     define("CLIENT_SECRET", "YOUR CLIENT SECRET");

     define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");
     define("URI_LIVE", "https://api.paypal.com/v1/");
     ?>
  7. class paypal {
         private $access_token;
         private $token_type;

         // Obtain an application-only access token via the client-credentials grant
         public function __construct() {
             $postvals = "grant_type=client_credentials";
             $uri = URI_SANDBOX . "oauth2/token";

             $auth_response = $this->curl($uri, 'POST', $postvals, true);
             $this->access_token = $auth_response['body']->access_token;
             $this->token_type = $auth_response['body']->token_type;
         }

         …
     }
  8. private function curl($url, $method = 'GET', $postvals = null, $auth = false) {
         $ch = curl_init($url);

         if ($auth) {
             // Token request: the app authenticates itself with HTTP Basic
             // (client_id:client_secret); the body is the form-encoded grant_type
             $headers = array("Accept: application/json",
                              "Accept-Language: en_US");
             curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
             curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" . CLIENT_SECRET);
         } else {
             // API request: present the token obtained in the constructor
             $headers = array("Content-Type: application/json",
                              "Authorization: {$this->token_type} {$this->access_token}");
         }
  9.     $options = array(
             CURLOPT_HEADER => true,
             CURLINFO_HEADER_OUT => true,
             CURLOPT_HTTPHEADER => $headers,
             CURLOPT_RETURNTRANSFER => true,
             // Verbose output writes the outgoing headers, including the Basic
             // credentials and the Authorization header, to stderr; keep it off
             // outside of local debugging
             CURLOPT_VERBOSE => true,
             CURLOPT_TIMEOUT => 10
         );

         if ($method == 'POST') {
             $options[CURLOPT_POSTFIELDS] = $postvals;
             $options[CURLOPT_CUSTOMREQUEST] = $method;
         }

         curl_setopt_array($ch, $options);

         $response = curl_exec($ch);
         if ($response === false) {
             throw new RuntimeException("curl error: " . curl_error($ch));
         }
         // CURLOPT_HEADER => true prepends the response headers, so split them
         // off and decode the JSON body into the structure __construct() reads
         $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
         $result = array(
             'status'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
             'headers' => substr($response, 0, $header_size),
             'body'    => json_decode(substr($response, $header_size))
         );
         curl_close($ch);
         return $result;
     }
  10. Making a Call with the Token

      public function process_payment($request) {
          $postvals = $request;   // JSON-encoded payment object
          $uri = URI_SANDBOX . "payments/payment";
          return $this->curl($uri, 'POST', $postvals);
      }
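      The constructor in slide 7 requests a new token every time a `paypal` object is built and trusts whatever `token_type` comes back. A practitioner would keep the token for its lifetime, refresh it shortly before `expires_in` runs out, refuse a token type the client cannot use, and make sure the token never reaches a log. The following is an added example, not code from the deck or from PayPal; `TokenManager`, `redact_header` and the simulated token endpoint are assumed names, and the endpoint response is constructed so the script runs offline.

```php
<?php
// Added example (not from the deck): lifecycle handling for the client-credentials
// token the deck's constructor fetches. The token endpoint is simulated with a
// constructed JSON response so this runs without network access.

class TokenManager {
    private $fetch;               // callable performing the real token request
    private $access_token = null;
    private $expires_at = 0;
    private $skew;                // refresh this many seconds before expiry

    public function __construct(callable $fetch, $skew = 60) {
        $this->fetch = $fetch;
        $this->skew = $skew;
    }

    // Return a valid bearer token, requesting a fresh one only when needed.
    // $now is passed in so the behaviour is deterministic in this example.
    public function token($now) {
        if ($this->access_token === null || $now >= $this->expires_at - $this->skew) {
            $this->refresh($now);
        }
        return $this->access_token;
    }

    private function refresh($now) {
        $resp = json_decode(call_user_func($this->fetch));
        if (!is_object($resp) || empty($resp->access_token) || empty($resp->token_type)) {
            throw new RuntimeException('malformed token response');
        }
        // RFC 6750 token_type is case-insensitive; anything other than Bearer
        // means the server expects a scheme this client does not implement
        if (strcasecmp($resp->token_type, 'Bearer') !== 0) {
            throw new RuntimeException('unsupported token_type ' . $resp->token_type);
        }
        // expires_in is optional in OAuth 2; assume a short life if it is absent
        $ttl = isset($resp->expires_in) ? (int) $resp->expires_in : 300;
        $this->access_token = $resp->access_token;
        $this->expires_at = $now + $ttl;
    }

    public function authorization_header() {
        return 'Authorization: Bearer ' . $this->access_token;
    }
}

// Strip the credential from a header line before it goes anywhere near a log
function redact_header($header) {
    return preg_replace('/^(Authorization:\s*\S+\s+)\S+/i', '$1[REDACTED]', $header);
}

// Constructed token endpoint: counts its calls so a refresh is visible
$calls = 0;
$fake_endpoint = function () use (&$calls) {
    $calls++;
    return json_encode(array(
        'access_token' => 'example-token-' . $calls,   // constructed value
        'token_type'   => 'Bearer',
        'expires_in'   => 28800,
    ));
};

$tm = new TokenManager($fake_endpoint);
$t0 = 1000000;
$a = $tm->token($t0);                // first use: one request to the endpoint
$b = $tm->token($t0 + 3600);         // still valid: no request
$c = $tm->token($t0 + 28800 - 30);   // inside the 60 s skew window: refreshed
printf("tokens: %s %s %s, endpoint calls: %d\n", $a, $b, $c, $calls);
echo redact_header($tm->authorization_header()) . "\n";

// A response announcing a scheme we do not speak is refused, not forwarded blindly
$odd = new TokenManager(function () {
    return json_encode(array('access_token' => 'x', 'token_type' => 'mac', 'expires_in' => 60));
});
try {
    $odd->token($t0);
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

      Run with `php token_manager.php`. Wiring it into the deck's class means passing a closure that performs the Basic-authenticated POST from slide 8 and returns the response body, and calling `token()` from `curl()` instead of reading `$this->access_token` set once in the constructor.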
  11. The Last Considerations
      - REST and OAuth are specifications, not religions
      - Don't alienate your developers with security
      - Open source is your friend