Slide 1

Slide 1 text

Token based API Security in TEN steps Senthilkumar Gopal

Slide 2

Slide 2 text

@sengopal ACME "Fort Knox" Web Application. Request path: Browser -> Traffic Limiter -> Bot Check -> CSRF -> Input Sanitizer -> Model Transform -> Application Logic

Slide 3

Slide 3 text

@sengopal A Hero’s (‘real’) story Build an Awesome Mobile App

Slide 4

Slide 4 text

ACME (Not) Fort Knox. Web Application path: Browser -> Traffic Limiter -> Bot Check -> CSRF -> Input Sanitizer -> Model Transform -> Application Logic. API Server path: Mobile App -> CRUD Operations

Slide 6

Slide 6 text

Web Application vs. APIs: "But no one else knew about the API server"

Slide 7

Slide 7 text

@sengopal Web Application vs. APIs source

Slide 8

Slide 8 text

@sengopal A Hero’s (‘real’) story

Slide 9

Slide 9 text

@sengopal I need an ‘expert’

Slide 10

Slide 10 text

First Principles. APIs are:
intended to serve machines instead of real users;
closer to the object data model.

Slide 11

Slide 11 text

@sengopal Example of Web Application vs. APIs

Slide 12

Slide 12 text

@sengopal Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples

Slide 13

Slide 13 text

STEP 1 Embrace the standards

Slide 14

Slide 14 text

How to protect them? Delegated authorization, delegated authentication, client revocability, user control. (Image by Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066)

Slide 15

Slide 15 text

@sengopal How to protect them? Source: OAuth2 in Action - By Justin Richer & Antonio Sanso

Slide 16

Slide 16 text

Typical API Security Workflow. Stages: Request, Proxy, Authentication, Authorization, Rate Limiting, Resource Cache, Resource

Slide 17

Slide 17 text

Why is "Authentication" important?

Authorization:
    @PreAuthorize("hasPermission(#contact, 'admin')")
    public void deletePermission(Contact contact, Sid recipient, Permission permission);

Rate Limiting:
    fs.setPath("/hi")
      .requestRateLimiter(MyRL.args(2, 4, AppKeyResolver))

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

Slide 18

Slide 18 text

STEP 2 Maintain an extensible token architecture

Slide 19

Slide 19 text

@sengopal “If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source

Slide 20

Slide 20 text

@sengopal What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.”

Slide 22

Slide 22 text

Entities: User Entity, Application Entity

Slide 23

Slide 23 text

@sengopal “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” What is a token?

Slide 24

Slide 24 text

Cryptography 101: the server signs with its private key (signature e32d140bc54d); the client verifies the signature with the public key.

Slide 25

Slide 25 text

STEP 3 Learn the nuances of Cryptography

Slide 26

Slide 26 text

@sengopal “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.” What is a token?

Slide 27

Slide 27 text

Authentication Server - a time-tested strategy. Three parts: Life Cycle, Structure, Persistence. (Photo by Patrick Lindenberg on Unsplash)

Slide 29

Slide 29 text

Life Cycle - Application: an app developer registers an application; the application states are Registered, Active, Blocked and Retired; an application generates tokens.

Slide 30

Slide 30 text

Life Cycle - Tokens: the user consents to the application; the app developer receives a refresh token and an access token; the access token is presented to the resource API; when consent is revoked, the tokens are revoked.

Slide 31

Slide 31 text

Fitting it all together: the client calls OAuth /token; the Secure Token Server issues an access token; the client calls the /cart resource with the Access-token header; the resource authenticates (auth) the access token against the Secure Token Server.

Slide 32

Slide 32 text

Life Cycle - Purpose. Refresh token: to generate a new access token (long-lived). Access token: to access the protected resource (short-lived).

Slide 33

Slide 33 text

STEP 4 Learn Live the nomenclature

Slide 35

Slide 35 text

Structure: what do real access tokens look like? (* Tokens edited for brevity.)

ebay (https://developer.ebay.com):
    AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs

google (https://developers.google.com/oauthplayground):
    ya29.GltiBRICgroWhf0XJ-e4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v

facebook (https://developers.facebook.com/tools/explorer/):
    EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8EhrAD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD

Slide 36

Slide 36 text

Structure: Is it just a random string? Are there any standards? JWT, SAML.

Slide 37

Slide 37 text

@sengopal Structure - JWT https://jwt.io/

Slide 38

Slide 38 text

STEP 5 Choose the token format wisely (standards)

Slide 39

Slide 39 text

@sengopal Structure - JWT https://jwt.io/ What goes in the claim?

Slide 40

Slide 40 text

Structure - What goes in the claim? (Client -> OAuth /token -> Secure Token Server issues the access token; client -> Resource /cart with Access-token header; resource authenticates the access token against the Secure Token Server.) Everything!

Slide 41

Slide 41 text

Structure - Why everything? Tokens are to service APIs what cookies are to web apps. Claims: user entity, app entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId, ... (Photo by Jennifer Pallian on Unsplash)

Slide 42

Slide 42 text

Structure - Versioning. Claims: user entity, app entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId, version, ... We add new attributes every day, so the token carries a version: v1, v1.1, v1.2, v1.3, v2.0, ...

Slide 43

Slide 43 text

STEP 6 Capture every identifier possible and use versioning

Slide 44

Slide 44 text

Master! Am I ready yet? No! One more important step. (Photo by DeviantArt)

Slide 46

Slide 46 text

@sengopal https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

Slide 47

Slide 47 text

Security. JWT - Claim:

    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "[email protected]",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }

Integrity: verified. Confidentiality: missing. Revocation: missing.

Slide 48

Slide 48 text

Security. By Value (the claims travel inside the token):

    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "[email protected]",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }

By Reference (the token is an opaque handle to claims held server-side):

    {
      "ref": "AgAAAA**AQAAAA**aAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs"
    }

Slide 49

Slide 49 text

Security:

                        By Value    By Reference
    Integrity Verified  yes         yes
    Confidential        -           yes
    Custom format *     -           yes
    Persisted           -           yes

Slide 50

Slide 50 text

Fitting them together: the client calls OAuth /token; the Secure Token Server issues an access token; the client calls the /cart resource with the Access-token header; the resource authenticates (auth) the access token against the Secure Token Server. The Secure Token Server is backed by an RDBMS, writes AUDIT records asynchronously, and consults the App Metadata Server.

Slide 51

Slide 51 text

Persistence - Considerations (atomic and strongly consistent): generation of new tokens; token revocation *

Slide 52

Slide 52 text

Persistence - Considerations (eventually consistent): user-token mapping; auditing; cache duplication

Slide 53

Slide 53 text

Fitting them together: the client calls OAuth /token; the Secure Token Server issues an access token; the client calls the /cart resource with the Access-token header; the resource authenticates (auth) the access token against the Secure Token Server. The Secure Token Server is backed by an RDBMS and a CACHE, writes AUDIT records asynchronously, and consults the App Metadata Server.

Slide 54

Slide 54 text

STEP 7 Identify transactional needs

Slide 55

Slide 55 text

Minimal Token Exposure:

    {
      "sub": "110169484474386276334",
      "exp": "14339732223",
      ....
      "given_name": "Test",
      "family_name": "User",
      "email": "[email protected]",
      "iat": "14339732223",
      "scopes": "buy.order item.feed"
    }

    @PreAuthorize("hasPermission(#contact, 'buy.order')")
    public void buyOrder(Contact contact);
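The minimal-scope, short-expiry idea on this slide as an added Python example, not code from the deck or from eBay: issue_claims grants only the intersection of the requested scopes and the scopes the registered app is allowed, and caps the lifetime (MAX_TTL_SECONDS is an assumed policy value); deny_reason is the counterpart of the @PreAuthorize gate, checking expiry and the space-delimited scopes claim before buyOrder's business logic runs. The claim values are constructed sample data.

```python
MAX_TTL_SECONDS = 900  # assumed policy cap on access-token lifetime (not from the deck)

def issue_claims(sub: str, requested: str, app_allowed: set, ttl: int, now: int) -> dict:
    """Mint the minimal token: grant only scopes the registered app may request,
    and never let the expiry exceed the policy cap."""
    granted = sorted(set(requested.split()) & app_allowed)
    if not granted:
        raise ValueError("none of the requested scopes is permitted for this app")
    ttl = min(ttl, MAX_TTL_SECONDS)
    return {"sub": sub, "iat": now, "exp": now + ttl, "scopes": " ".join(granted)}

def deny_reason(claims: dict, required: str, now: int, skew: int = 30):
    """Return why the token may not perform `required`, or None if it may.
    Counterpart of the slide's @PreAuthorize("hasPermission(#contact, 'buy.order')"):
    the token must be unexpired and carry the exact scope (space-delimited claim)."""
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        return "token missing or malformed iat/exp"
    if now > exp + skew:
        return "token expired"
    if iat > now + skew:
        return "token issued in the future"
    if required not in claims.get("scopes", "").split():
        return f"missing scope {required}"
    return None

class Forbidden(Exception):
    pass

def buy_order(claims: dict, now: int) -> str:
    """Protected operation: the scope gate runs before any business logic."""
    reason = deny_reason(claims, "buy.order", now)
    if reason:
        raise Forbidden(reason)
    return "order placed"
```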

Slide 56

Slide 56 text

STEP 8 Allow only minimal scopes and least expiration time

Slide 57

Slide 57 text

OWASP (Open Web Application Security Project) reference: A2 – Broken Authentication and Session Management; A10 – Underprotected APIs

Slide 58

Slide 58 text

Fire Drill - Revocation Strategy: token revocation by user, by application, or all
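The by-value versus by-reference trade-off from slides 48 and 49 and the revocation fire drill on this slide, as an added Python example that is not from the deck or from eBay's code: a minimal HS256 JWT signer and verifier shows that by-value claims are integrity-protected but readable by anyone holding the token and cannot be revoked without server-side state, while an opaque reference token kept in a server-side store (a dict standing in for the RDBMS) is confidential and revocable by user, by application, or wholesale. The key, claims and store contents are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """By value: an HS256 JWT carries the claims inside the token itself."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def jwt_verify(token: str, key: bytes):
    """Integrity: recompute the MAC; hand back the claims only if it matches."""
    if token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(payload))

def jwt_peek(token: str) -> dict:
    """Confidentiality is missing: the payload is plain base64url, no key needed."""
    return json.loads(_unb64url(token.split(".")[1]))

class ReferenceTokenStore:
    """By reference: an opaque random string; the claims stay persisted server-side
    (the deck's RDBMS, a dict here), so deleting the record revokes the token."""
    def __init__(self):
        self._tokens = {}

    def issue(self, claims: dict) -> str:
        ref = secrets.token_urlsafe(32)
        self._tokens[ref] = dict(claims)
        return ref

    def resolve(self, ref: str):
        return self._tokens.get(ref)

    def revoke(self, user=None, app=None) -> int:
        """Fire-drill revocation as on the deck: by user, by application, or all."""
        keep = {r: c for r, c in self._tokens.items()
                if (user is not None and c.get("sub") != user)
                or (app is not None and c.get("app") != app)}
        self._tokens, revoked = keep, len(self._tokens) - len(keep)
        return revoked
```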

Slide 59

Slide 59 text

Fitting them together: the client calls OAuth /token; the Secure Token Server issues an access token; the client calls the /cart resource with the Access-token header; the resource authenticates (auth) the access token against the Secure Token Server. The Secure Token Server is backed by an RDBMS and a CACHE, writes AUDIT records asynchronously, and consults the App Metadata Server and the User & Risk Systems.

Slide 60

Slide 60 text

STEP 9 Audit all access patterns and “be prepared”

Slide 61

Slide 61 text

Managing the whole show: application lifecycle; token lifecycle; cryptography artifacts rotation; authorizations registry; ....

Slide 62

Slide 62 text

STEP 10 Automate Everything

Slide 63

Slide 63 text

And the 10 steps are ....
1. Embrace the standards
2. Extensible token architecture
3. Nuances of Cryptography
4. Learn the nomenclature
5. Correct token format
6. All identifiers & versioning
7. Identify transactional needs
8. Allow only minimal scopes
9. Audit all access patterns
10. Automate Everything

Slide 64

Slide 64 text

Thank You! Blogs @ http://sengopal.me Tweets @sengopal Slides and Code @ http://go.sengopal.me/token