Slide 1

Web API Security
Patterns & Anti-Patterns

Dominick Baier
http://leastprivilege.com
@leastprivilege

Slide 2

@leastprivilege

Dominick Baier
• Independent Consultant
  – Specializing on Identity & Access Control
  – Working with Software Development Teams (ISVs and in-house)
• Creator and Maintainer of IdentityServer OSS Project
  – OpenID Connect & OAuth 2.0 Implementation for OWIN
  – http://identityserver.io

http://leastprivilege.com

Slide 3

Patterns & Anti-Patterns
• SSL
• Cookie-based Authentication
• Shared Secret Authentication
• Token-based Authentication
• Separating Token Issuer and Business Logic
• OAuth 2.0 & OpenID Connect
• Separating User Credentials from Client Applications
• Federation (Social & Enterprise Identity Providers)
• Self-contained vs Reference Tokens
• Claims
• Token Lifetime, Sessions & Refresh
• Revocation
• Authorization
• 401 vs 403

Slide 4

The Big Picture
Diagram labels: Browser, Native App, Server App, "Thing", Web App, Web API, Web API, Web API, Security Token Service

Slide 5

SSL

Slide 6

Implicit vs Explicit Authentication
• Explicit Authentication
  – using an "explicit" credential
  – typically authorization header
  – you are in control
  – cross domain
• Implicit Authentication
  – browser based clients
  – cookies, basic authentication, client certs
  – no control
  – not cross-domain

Slide 7

Server to Server Communication
• Credentials transmitted (typically) via Authorization header
• e.g. shared secrets, signatures, access tokens…

Authorization: scheme credential
GET /service/resource

Slide 8

Token-based Authentication
• "Cookies" for APIs

Diagram:
  1: POST /sts/token  (Authorization: client credential)
  2: token
  3: GET /service/resource  (Authorization: token)

Slide 9

OAuth 2.0
Diagram labels: APIs, Authorization Server, Scopes: api1, api2, api3…, client_id=client1, scope=api1 api2, access token, access token

Slide 10

Access Tokens

Header:
{
  "typ": "JWT",
  "alg": "RS256"
}

Claims:
{
  "iss": "http://myIssuer",
  "exp": "1340819380",
  "aud": "http://myResource",
  "sub": "bob",
  "client_id": "client1",
  "scope": ["api1", "api2"]
}

Header.Claims.Signature:
eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt

Slide 11

401 vs 403
RFC 7235: HTTP 1.1 Authentication

"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code."

"The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource."
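
As an added example (not code from the slides), a minimal Python validator for a self-contained token like the one on the Access Tokens slide, combined with the 401/403 decision of this slide. It assumes an HS256 shared key instead of the slide's RS256 (to stay inside the standard library), a Bearer scheme, and a required scope per resource; the issuer and audience values are the slide's own.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key plus the issuer/audience values from the slide. A real resource
# server verifies RS256 with the STS's public key; HS256 is used here to stay in the stdlib.
KEY = b"constructed-demo-secret"
ISSUER, AUDIENCE = "http://myIssuer", "http://myResource"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, alg="HS256"):
    # Mint header.claims.signature; alg="none" yields an unsigned token for the negative case.
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_token(token, now=None):
    """Return the claims if the token is acceptable for this resource, otherwise None."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        alg, exp, sig = header["alg"], int(claims["exp"]), b64url_decode(s64)  # exp is a string on the slide
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None
    # The header is sender-controlled: pin the algorithm so "none" (the alg in the slide's
    # sample token header) or any unexpected alg is rejected before the signature is checked.
    if alg != "HS256":
        return None
    expected = hmac.new(KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or exp <= now:
        return None
    return claims

def authorize_request(auth_header, required_scope, now=None):
    """RFC 7235 mapping: missing/invalid credentials -> 401 + challenge; valid but insufficient -> 403."""
    challenge = {"WWW-Authenticate": f'Bearer realm="{AUDIENCE}"'}
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, challenge
    claims = validate_token(auth_header[len("Bearer "):], now)
    if claims is None:
        challenge["WWW-Authenticate"] += ', error="invalid_token"'
        return 401, challenge
    if required_scope not in claims.get("scope", []):
        return 403, {}
    return 200, {}
```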

Slide 12

Browser-based Clients
• Using implicit authentication
  – e.g. cookies, Windows authentication, client certs...
Diagram labels: Application, Login, Pages, Web APIs, $.ajax

Slide 13

CSRF – The Problem
Diagram: Browser
  Tab/Process: http://app.com – Login, get authentication cookie
  Tab/Process: http://app.com/delete/5 – send authentication cookie

Slide 14

Example: Web API v1 Anti-CSRF
• Part of the SPA template in MVC 4 (Update 2)
Diagram: Page ↔ Server [ValidateHttpAntiForgeryToken]
  render page & anti-forgery cookie
  post-back: cookie + hidden field
  web api call: cookie + header
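
An added example, not the MVC 4 SPA template's own code: a Python sketch of the check behind [ValidateHttpAntiForgeryToken], where the anti-forgery cookie must be paired with a matching token from either the request header (Web API call) or the hidden field (post-back). The cookie and hidden-field names are the ones the ASP.NET template uses; the header name, the server key and the HMAC-over-cookie construction are assumptions.

```python
import hashlib, hmac, secrets

# Constructed server key; the ASP.NET template derives its tokens from the machine key instead.
SERVER_KEY = b"constructed-anti-forgery-key"
COOKIE_NAME = "__RequestVerificationToken"   # cookie name used by the ASP.NET template
FIELD_NAME = "__RequestVerificationToken"    # hidden-field name used on post-backs
HEADER_NAME = "RequestVerificationToken"     # assumed header name for the $.ajax call

def _page_token(cookie, username):
    # Bind the page token to the cookie and the logged-in user, so a token lifted from
    # another user's page does not pair with this cookie.
    return hmac.new(SERVER_KEY, f"{cookie}|{username}".encode(), hashlib.sha256).hexdigest()

def issue_tokens(username):
    """Called while rendering the page: returns (cookie_value, page_token)."""
    cookie = secrets.token_urlsafe(16)
    return cookie, _page_token(cookie, username)

def validate_anti_forgery(cookies, headers, form, username):
    """Server-side check: cookie + header (Web API call) or cookie + hidden field (post-back)."""
    cookie = cookies.get(COOKIE_NAME)
    submitted = headers.get(HEADER_NAME) or form.get(FIELD_NAME)
    if not cookie or not submitted:
        return False   # the cross-site request of the CSRF slide carries the cookie but no token
    return hmac.compare_digest(_page_token(cookie, username), submitted)
```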

Slide 15

UserName/Password Authentication
• HTTP Basic Authentication

Authorization: Basic base64(username:password)
GET /service/resource

Slide 16

Problems
• The client must store the secret or obtain it from the user (on every request)
  – storage must be done in clear text (or reversible encryption)
• Server has to validate the secret on every request
  – high computational cost due to brute force protection
• The probability of accidental exposure of the secret is increased

Slide 17

More OAuth 2.0 Options
• Client deals with user credentials
  – and requests an access token on behalf of user
  – only for trusted clients
  – might clash with existing external authentication architecture
• Authorization Server (or OpenID Connect Provider) deals with user credentials
  – preferred way
  – centralized security logic & flow
  – client will not get to see the credentials

Slide 18

Resource Owner Password Credential Flow
Diagram labels: Resource Owner, Client, Authorization Server

POST /token
Authorization: Basic (client_id:secret)

grant_type=password&
scope=read&
username=owner&
password=password&

Slide 19

Token Response
Diagram labels: Resource Owner, Client, Authorization Server

{
  "access_token": "abc",
  "expires_in": "3600",
  "token_type": "Bearer"
}

Slide 20

Implicit Flow
Diagram labels: Resource Owner, Client, Authorization Server

GET /authorize?
  client_id=nativeapp&
  scope=read&
  redirect_uri=http://localhost/cb&
  response_type=token&
  state=123

Slide 21

Authentication

Slide 22

Consent

Slide 23

Twitter Consent

Slide 24

Step 1d: Token Response
Diagram labels: Resource Owner, Client, Authorization Server

GET /cb#
  access_token=abc&
  expires_in=3600&
  state=123

Slide 25

Federation w/ Social & Enterprise

Slide 26

Token Lifetime, Sessions & Refresh
Diagram: Bob
  Cookie – Lifetime? Sliding?
  Access Token – Lifetime? Sliding? Revocation?

Slide 27

Reference Tokens
Diagram labels: Authorization Server, a717d415-76b9-4bad, a717d415-76b9-4bad, validate token, receive claims

Slide 28

Refresh Tokens: Long lived API Access for Server-based Clients

GET /authorize
  ?client_id=app1
  &scope=api1 api2 offline_access
  &redirect_uri=https://app.com/callback
  &response_type=code

Slide 29

Response
GET /callback?code=xj….123

Slide 30

Back-channel Communication
code (client_id:client_secret)

{
  access_token: "xyz…123",
  refresh_token: "dxy…103",
  expires_in: 3600,
  token_type: bearer
}

Slide 31

Token Revocation
• Long-lived Tokens should be revocable
  – reference tokens
  – refresh tokens

/revoke?token=a19..18a
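
An added example, not code from the slides or from IdentityServer: an in-memory reference-token store in Python that ties together the lifetime and sliding questions of the Token Lifetime slide, the reference tokens of slide 27, the back-channel response of slide 30 and the revocation endpoint above. Opaque handles are traded for claims, a refresh token mints new short-lived access tokens, and revoking a refresh token also invalidates the access tokens minted from it. The lifetimes, the parent/child rule and the handle format are assumptions.

```python
import secrets, time

ACCESS_LIFETIME = 3600               # matches expires_in: 3600 on the slides
REFRESH_LIFETIME = 30 * 24 * 3600    # constructed: 30 days, sliding on each refresh

class TokenStore:
    # Constructed in-memory stand-in for the authorization server's token database.
    def __init__(self):
        self.tokens = {}   # opaque handle -> record

    def _new(self, kind, claims, lifetime, now, parent=None):
        handle = secrets.token_hex(9)    # opaque reference: nothing for the client to decode
        self.tokens[handle] = {"kind": kind, "claims": claims, "expires": now + lifetime, "revoked": False, "parent": parent}
        return handle

    def issue(self, claims, now=None):
        """Back-channel token response: an access token plus the refresh token it hangs off."""
        now = time.time() if now is None else now
        refresh = self._new("refresh", claims, REFRESH_LIFETIME, now)
        access = self._new("access", claims, ACCESS_LIFETIME, now, parent=refresh)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_LIFETIME, "token_type": "Bearer"}

    def _live(self, handle, kind, now):
        rec = self.tokens.get(handle)
        if rec is None or rec["kind"] != kind or rec["revoked"] or rec["expires"] <= now:
            return None
        if rec["parent"] and self.tokens[rec["parent"]]["revoked"]:   # revoked refresh token kills its children
            return None
        return rec

    def validate(self, access_handle, now=None):
        # Resource server side: trade the reference token for its claims, or None.
        now = time.time() if now is None else now
        rec = self._live(access_handle, "access", now)
        return rec["claims"] if rec else None

    def refresh(self, refresh_handle, now=None):
        # Sliding refresh: extend the refresh token and mint a fresh short-lived access token.
        now = time.time() if now is None else now
        rec = self._live(refresh_handle, "refresh", now)
        if rec is None:
            return None
        rec["expires"] = now + REFRESH_LIFETIME
        access = self._new("access", rec["claims"], ACCESS_LIFETIME, now, parent=refresh_handle)
        return {"access_token": access, "expires_in": ACCESS_LIFETIME, "token_type": "Bearer"}

    def revoke(self, handle):
        # /revoke?token=...: idempotent, and unknown handles are silently ignored.
        if handle in self.tokens:
            self.tokens[handle]["revoked"] = True
```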

Slide 32

Self-Service Token Management

Slide 33

thank you!