Token based API Security

When it comes to converting business requirements into code, there are hundreds of best practices and frameworks for developers to refer to. When it comes to API security, however, how the internet giants tackle it, and what their best practices are, is a well-guarded secret. Very few in this space can vouch for the credibility of their API and identity assertion systems. This talk targets the uncertainty around the functioning and utility of tokens in an API security landscape. It addresses the basic needs of a token infrastructure and what it would take to build one. The talk aims to help developers embrace security and identity as part of their tool chain and remove the skepticism around building their own API security; developers should be able to use this discussion as a launchpad for building their own API authentication systems. This is a unique talk, as many companies closely guard the secret of how their token infrastructure functions.

Senthilkumar Gopal

October 30, 2018

Transcript

  1. @sengopal ACME Fort Knox Web Application: Browser, Traffic Limiter, Bot Check, CSRF, Input Sanitizer, Model Transform, Application Logic
  2. ACME (Not) Fort Knox Web Application with API Server: Browser, Mobile App, Traffic Limiter, Bot Check, CSRF, Input Sanitizer, Model Transform, Application Logic, CRUD Operations
  3. First Principles. APIs are … intended to serve machines instead of real users; closer to the object data model
  4. How to protect them? Delegated Authorization, Delegated Authentication, Client Revocability, User Control (image by Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066)
  5. Why "Authentication" is important? Authorization: @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting: fs.setPath("/hi").requestRateLimiter(MyRL.args(2, 4, AppKeyResolver)) https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
  6. "If you decide to go and create your own token system, you had best be really smart." - Stack Overflow source
  7. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography."
  8. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography."
  9. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography."
  10. What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography."
  11. Agenda: Life Cycle; Structure; Persistence; Authentication Server - a time tested strategy (Photo by Patrick Lindenberg on Unsplash)
  12. Agenda: Life Cycle; Structure; Persistence; Authentication Server - a time tested strategy (Photo by Patrick Lindenberg on Unsplash)
  13. LifeCycle - Tokens: User, Consented App, Developer, Refresh Token, Access Token, Resource API. Consent Revoked -> Tokens Revoked
  14. Fitting it all together: client -> OAuth /token -> Secure Token Server returns Access Token; client -> Resource /cart with Access-token; resource authenticates the Access-token
  15. LifeCycle - Purpose: Refresh Token (long lived) to generate a new Access Token; Access Token (short lived) to access a protected Resource
  16. Agenda: Life Cycle; Structure; Persistence; Authentication Server - a time tested strategy (Photo by Patrick Lindenberg on Unsplash)
  17. Structure - What goes in the claim? (client -> OAuth /token -> Secure Token Server -> Access Token; client -> Resource /cart with Access-token; resource authenticates the Access-token) Everything!
  18. Structure - Why everything? User entity, App entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId … Tokens for Service APIs IS SAME AS cookies for Web Apps (Photo by Jennifer Pallian on Unsplash)
  19. Structure - Versioning: User entity, App entity, issuer, issueAt, version, expiresAt, deviceIdentifier, trackingId … We add new attributes every day. Versioning v1, v1.1, v1.2, v1.3, v2.0, ….
  20. Master! Am I ready yet? No! One more important step (Photo by DeviantArt)
  21. Agenda: Life Cycle; Structure; Persistence; Authentication Server - a time tested strategy (Photo by Patrick Lindenberg on Unsplash)
  22. Security - Integrity Verified. JWT - Claim: { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "[email protected]", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } Missing: Confidentiality, Revocation
  23. Security - By Value vs By Reference. By Value: { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "[email protected]", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } By Reference: { "ref": "AgAAAA**AQAAAA**aAAAAA**E6+EWg* *nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6 wMkIGkCJCGoA2dj6x9nY+seQ+/ 5wK1dskM5/3EOEY7BDg7VHK/ CmDimCvVPbtJankHhzJUF8rU876Qzjs" }
  24. Fitting them together: client -> OAuth /token -> Secure Token Server -> Access Token; client -> Resource /cart with Access-token; resource authenticates the Access-token; Secure Token Server backed by RDBMS, async AUDIT, App Metadata Server
  25. Fitting them together: client -> OAuth /token -> Secure Token Server -> Access Token; client -> Resource /cart with Access-token; resource authenticates the Access-token; Secure Token Server backed by RDBMS, CACHE, async AUDIT, App Metadata Server
  26. Minimal Token Exposure: { "sub": "110169484474386276334", "exp": "14339732223" .... "given_name": "Test", "family_name": "User", "email": "[email protected]", "iat": "14339732223", "scopes": "buy.order item.feed" } @PreAuthorize("hasPermission(#contact, 'buy.order')") public void buyOrder(Contact contact);
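Slides 22, 23 and 26 contrast a by-value token (claims carried in the token, integrity checked by a signature, but readable by anyone holding it and not revocable) with a by-reference token (an opaque handle looked up on the token server, so it leaks nothing and can be revoked by deleting the record), and gate an operation on a scope. The following is an added illustration written for this transcript, not the speaker's or any project's code; the HMAC key, the in-memory store and the claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed demo key; a real Secure Token Server keeps its keys in an HSM/KMS.
SERVER_KEY = b"demo-key-not-for-production"

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_by_value(claims: dict) -> str:
    """By-value token: claims travel inside the token; the HMAC gives integrity only."""
    body = b64(json.dumps(claims, sort_keys=True).encode())
    tag = b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def read_by_value_claims(token: str) -> dict:
    """Anyone holding the token can read the claims: no confidentiality."""
    body = token.partition(".")[0]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def verify_by_value(token: str, now: int) -> Optional[dict]:
    body, _, tag = token.partition(".")
    expect = b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expect):
        return None                      # tampered or forged: integrity check failed
    claims = read_by_value_claims(token)
    return claims if claims["exp"] > now else None   # expiry is the only way it dies

# By-reference store, standing in for the RDBMS/CACHE behind the Secure Token Server.
TOKEN_STORE: dict = {}

def issue_by_reference(claims: dict) -> str:
    ref = b64(secrets.token_bytes(32))   # opaque handle: reveals nothing about the claims
    TOKEN_STORE[ref] = dict(claims)
    return ref

def revoke(ref: str) -> None:
    TOKEN_STORE.pop(ref, None)           # revocation is a store delete (consent revoked -> tokens revoked)

def verify_by_reference(ref: str, now: int) -> Optional[dict]:
    claims = TOKEN_STORE.get(ref)
    return claims if claims and claims["exp"] > now else None

def has_scope(claims: dict, needed: str) -> bool:
    """Minimal scopes: the resource checks the one scope the operation needs."""
    return needed in claims.get("scopes", "").split()
```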
  27. OWASP (Open Web Application Security Project) reference: A2 – Broken Authentication and Session Management; A10 – Underprotected APIs
  28. Fitting them together: client -> OAuth /token -> Secure Token Server -> Access Token; client -> Resource /cart with Access-token; resource authenticates the Access-token; Secure Token Server backed by RDBMS, CACHE, async AUDIT, User & Risk Systems, App Metadata Server
  29. And the 10 steps are …: Embrace the standards; Extensible token architecture; Nuances of Cryptography; Learn the nomenclature; Correct token format; All identifiers & versioning; Identify transactional needs; Allow only minimal scopes; Audit all access patterns; Automate Everything