Web  API  Security     Pa0erns  &  An4-­‐Pa0erns   Dominick  Baier   h0p://leastprivilege.com   @leastprivilege  

2   @leastprivilege   Dominick  Baier   •  Independent  Consultant     –  Specializing  on  Iden9ty  &  Access  Control     –  Working  with  SoAware  Development  Teams  (ISVs  and  in-­‐house)   •  Creator  and  Maintainer  of  Iden4tyServer  OSS  Project   –  OpenID  Connect  &  OAuth  2.0  Implementa9on  for  OWIN   –  hMp://iden9tyserver.io     [email protected]   h0p://leastprivilege.com  

3   @leastprivilege   PaMerns  &  An9-­‐PaMerns   •  SSL   •  Cookie-­‐based  Authen4ca4on   •  Shared  Secret  Authen4ca4on   •  Token-­‐based  Authen4ca4on   •  Separa4ng  Token  Issuer  and  Business  Logic   •  OAuth  2.0  &  OpenID  Connect   •  Separa4ng  User  Creden4als  from  Client  Applica4ons   •  Federa4on  (Social  &  Enterprise  Iden4ty  Providers)   •  Self-­‐contained  vs  Reference  Tokens   •  Claims   •  Token  Life4me,  Sessions  &  Refresh   •  Revoca4on   •  Authoriza4on   •  401  vs  403  

4   @leastprivilege   The  Big  Picture   Browser   Na4ve  App   Server  App   "Thing"   Web  App   Web  API   Web  API   Web  API   Security  Token     Service  

5   @leastprivilege   SSL  

6   @leastprivilege   Implicit  vs  Explicit  Authen9ca9on   •  Explicit  Authen4ca4on   –  using  an  "explicit"  creden9al   –  typically  authoriza9on  header   –  you  are  in  control   –  cross  domain   •  Implicit  Authen4ca4on   –  browser  based  clients   –  cookies,  basic  authen9ca9on,  client  certs   –  no  control   –  not  cross-­‐domain  

7   @leastprivilege   Server  to  Server  Communica9on   •  Creden4als  transmi0ed  (typically)  via  Authoriza+on   header   •  e.g.  shared  secrets,  signatures,  access  tokens…   Authoriza4on:  scheme  creden4al   GET  /service/resource  

8   @leastprivilege   Token-­‐based  Authen9ca9on   •  "Cookies"  for  APIs   Authoriza4on:  client  creden4al   POST  /sts/token   1     2   Authoriza4on:     GET  /service/resource   3  

9   @leastprivilege   OAuth  2.0   APIs   Authoriza4on  Server   Scopes:  api1,  api2  api3…   client_id=client1,   scope=api1  api2   access  token   access  token  

10   @leastprivilege   Access  Tokens   {      "typ":  "JWT",      "alg":  "RS256"   }   {      "iss":  "http://myIssuer",      "exp":  "1340819380",      "aud":  "http://myResource",      "sub":  "bob",        "client_id":  "client1",      "scope":  ["api1",  "api2"]   }   Header   Claims   eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt   Header   Claims   Signature  

11   @leastprivilege   401  vs  403   RFC  7235:  HTTP  1.1  Authen4ca4on   A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

12   @leastprivilege   Application Login Browser-­‐based  Clients   •  Using  implicit  authen4ca4on   –  e.g.  cookies,  Windows  authen9ca9on,  client  certs...   Pages Web APIs $.ajax  

13   @leastprivilege   CSRF  –  The  Problem   Browser   Tab/Process   Tab/Process   Login,   get  authen9ca9on  cookie   h0p://app.com   h0p://app.com/delete/5   send  authen9ca9on  cookie  

14   @leastprivilege   Example:  Web  API  v1  An9-­‐CSRF   •  Part  of  the  SPA  template  in  MVC  4  (Update  2)   Server   [ValidateHMpAn9ForgeryToken]   render  page  &     an9-­‐forgery  cookie             …   post-­‐back:   cookie  +  hidden  field   Page   web  api  call:   cookie  +  header  

15   @leastprivilege   UserName/Password  Authen9ca9on   •  HTTP  Basic  Authen4ca4on   Authoriza4on:        Basic  base64(username:password)   GET  /service/resource  

16   @leastprivilege   Problems   •  The  client  must  store  the  secret  or  obtain  it  from  the   user  (on  every  request)   –  storage  must  be  done  in  clear  text  (or  reversible   encryp9on)   •  Server  has  to  validate  the  secret  on  every  request   –  high  computa9onal  cost  due  to  brute  force  protec9on   •  The  probability  of  accidental  exposure  of  the  secret  is   increased  

17   @leastprivilege   More  OAuth  2.0  Op9ons   •  Client  deals  with  user  creden4als   –  and  requests  an  access  token  on  behalf  of  user   –  only  for  trusted  clients   –  might  clash  with  exis9ng  external  authen9ca9on   architecture   •  Authoriza4on  Server  (or  OpenID  Connect  Provider)   deals  with  user  creden4als   –  preferred  way   –  centralized  security  logic  &  flow   –  client  will  not  get  to  see  the  creden9als  

18   @leastprivilege   Resource  Owner     Password  Creden9al  Flow   Resource  Owner   Client   Authoriza9on  Server   POST  /token    Authorization:  Basic  (client_id:secret)     grant_type=password&   scope=read&   username=owner&   password=password&  

19   @leastprivilege   Token  Response   Resource  Owner   Client   Authoriza9on  Server   {      "access_token"  :  "abc",      "expires_in"  :  "3600",      "token_type"  :  "Bearer",   }  

20   @leastprivilege   Implicit  Flow   Resource  Owner   Client   GET  /authorize?      client_id=nativeapp&      scope=read&          redirect_uri=http://localhost/cb&      response_type=token&      state=123   Authoriza9on  Server  

21   @leastprivilege   Authen9ca9on  

22   @leastprivilege   Consent  

23   @leastprivilege   TwiMer  Consent  

24   @leastprivilege   Step  1d:  Token  Response   Resource  Owner   Client   GET  /cb#      access_token=abc&      expires_in=3600&      state=123   Authoriza9on  Server  

25   @leastprivilege   Federa9on   w/  Social  &  Enterprise   *  

26   @leastprivilege   Token  Life9me,  Sessions  &  Refresh   Cookie   Life4me?  Sliding?   Access  Token   Life4me?  Sliding?   Revoca4on?   Bob  

27   @leastprivilege   Reference  Tokens   Authoriza4on  Server   a717d415-76b9-4bad a717d415-76b9-4bad validate  token   receive  claims  

28   @leastprivilege   Refresh  Tokens:  Long  lived  API  Access   for  Server-­‐based  Clients   GET  /authorize        ?client_id=app1      &scope=api1  api2  offline_access      &redirect_uri=h0ps://app.com/callback      &response_type=code  

29   @leastprivilege   Response   GET  /callback?code=xj….123  

30   @leastprivilege   Back-­‐channel  Communica9on   code   (client_id:client_secret)   {      access_token:  "xyz…123",      refresh_token:  "dxy…103"      expires_in:  3600,      token_type:  bearer,   }  

31   @leastprivilege   Token  Revoca9on   •  Long-­‐lived  Tokens  should  be  revocable   –  reference  tokens   –  refresh  tokens   /revoke?token=a19..18a  

32   @leastprivilege   Self-­‐Service  Token  Management  

33   @leastprivilege   thank  you!