
Modern API Authentication 101

Soulou
January 23, 2018


Authentication is hard but mandatory. It is the process by which an application confirms a user's identity, and your API's security depends on it. What choices are available to you today? This talk covers modern methods for scalable, stateless, distributed authentication. Forget the simple HTTP basic-auth process and embrace OAuth, JWT, and advanced token management.


Transcript

  1. Scalingo Next-Gen API Authentication
     - Horizontally scalable
     - Third-party application authentication
     - Convenient for developers
     - ... Secure obviously
  2. Auth Method #1 - API Tokens
     - Great for monoliths
     - Great for intelligent reverse-proxies
     - No delegation

     $ curl --user ':<token>' https://api.scalingo.com
     # HTTP Header: 'Authorization: Basic base64(token)'

     $ curl https://app-name.algolianet.com?x-algolia-api-key=token
     # /!\ Token in URL, beware of the logs

     Developers love it!
  3. OAuth2 (actors: Resource Owner, Client, Auth + Resource server)
     ① algolia app id + user + password + consent
     ② token
     ③ token
     ④ token + algolia app secret
     ⑤ access token
     ⑥ OK - authenticated
  4. OAuth2 - Login with GitHub
     $ POST https://www.algolia.com/auth/github/
     → 302 https://github.com/login/oauth/authorize?
           client_id=<app_id>&
           redirect_uri=https://www.algolia.com/auth/github/callback&
           response_type=code&
           scope=user:email
     - Login
     - Consent of scope
  5. OAuth2 - Login with GitHub
     # Validate form
     → 302 https://www.algolia.com/auth/github/callback?code=<code>

     ### Server-side
     $ POST https://github.com/login/oauth/access_token
       { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>" }
     → 201 { "access_token": "<access token>", "scope": "user:email", "token_type": "bearer" }

     ### Client-side again
     → 302 https://www.algolia.com/dashboard
  6. Auth Method #2 - OAuth2
     → Allow a service to query an API
     What about... authenticating the users themselves?
  7. OAuth2 - Authentication client-server
     $ POST https://my.scalingo.com/login
     → 302 https://auth.scalingo.com/login/oauth/authorize?
           client_id=<app_id>&
           redirect_uri=https://my.scalingo.com/auth/callback&
           response_type=token
     → 201 { "access_token": "<access token>", "expires_in": "3600", "token_type": "bearer" }
  8. OAuth2 (actors: Soulou, Auth, API)
     ① user + password (Soulou → Auth, logs)
     ② access token (Auth → Soulou)
     ③ authenticated request (Soulou → API)
     ③ authenticated request - Token valid? (API → Auth)
  10. Here comes JWT
      eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM

      eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
        HEADER: {"alg": "HS512", "typ": "JWT"}
      eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K
        PAYLOAD: {"exp": 1516641851, "sub": "1234567890"}
      -xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM
        SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)
  11. Auth Method #3 - OAuth2 + JWT
      $ POST https://my.scalingo.com/login
      → 302 https://auth.scalingo.com/login/oauth/authorize?
            client_id=<app_id>&
            redirect_uri=https://my.scalingo.com/auth/callback&
            response_type=token&
            state=<state_token>
      → 201 { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM", "expires_in": "3600", "token_type": "bearer" }
  12. Auth Method #3 - OAuth2 + JWT (actors: Soulou, Auth, API)
      ① user + password (Soulou → Auth, logs)
      ② access token (Auth → Soulou)
      ③ authenticated request (Soulou → API)
      ③ authenticated request
  13. JWT Security 101
      - Short lifetime (max 1h)
      - Disable NONE algorithm
      - Rotate secret key

      eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM
      HEADER: {"alg": "HS512", "typ": "JWT"}
      PAYLOAD: {"exp": 1516641851, "sub": "1234567890"}
      SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)
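The three rules on slide 13 applied to the token format of slide 10, as an added example that is not part of the deck: an HMAC-signed JWT verifier that only accepts an explicit algorithm allow-list (so "none" is refused), chooses the secret from the server's own key ring by kid (so an old key can be retired), and enforces both exp and a maximum lifetime. The key ring values, kid names and helper names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Assumed key ring (constructed values): kid -> secret. Rotation = add a new kid,
# issue with it, and drop the old kid once tokens signed with it have all expired.
KEYS = {"2018-01": b"old-secret", "2018-02": b"new-secret"}
CURRENT_KID = "2018-02"
ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}  # allow-list, no "none"
MAX_LIFETIME = 3600  # the deck's rule: max 1h

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(sub, lifetime=900, alg="HS256", kid=CURRENT_KID, now=None):
    """Issue a token; exp is set from a short server-side lifetime, never by the client."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(_b64e(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    sig = hmac.new(KEYS[kid], signing_input.encode(), ALGS[alg]).digest()
    return signing_input + "." + _b64e(sig)

def verify(token, now=None):
    """Return the payload or raise ValueError. Nothing in the token is trusted
    until the signature checks out under a key chosen from *our* key ring."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64d(h64))
    except Exception as e:
        raise ValueError("malformed token") from e
    alg = header.get("alg")
    if alg not in ALGS:  # rejects "none" and every algorithm we did not opt into
        raise ValueError(f"algorithm not allowed: {alg!r}")
    key = KEYS.get(header.get("kid"))
    if key is None:  # unknown or retired kid: rotation has invalidated this token
        raise ValueError("unknown key id")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64d(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64d(p64))
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int) or exp <= now:
        raise ValueError("missing or expired exp")
    if exp - iat > MAX_LIFETIME:  # a valid signature does not excuse a long-lived token
        raise ValueError("lifetime exceeds policy")
    return payload
```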
  14. OAuth2 - Login GitHub done
      ### Server-side
      $ POST https://github.com/login/oauth/access_token
        { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>" }
      → 201 { "access_token": "<access token>", "scope": "user:email", "token_type": "bearer" }
  15. OAuth2 + JWT - Back to code response type
      ### Server-side
      $ POST https://auth.scalingo.com/login/oauth/access_token
        { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>" }
      → 201 { "access_token": "<JWT>", "scope": "<scope>", "token_type": "bearer", "expires_in": 3600, "refresh_token": "<revocable refresh token>" }
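The client side of the code flow from slides 4, 5 and 15, with the state parameter slide 11 introduces, as an added example that is not the deck's or Scalingo's code: the login handler stores a fresh state in the session, the callback handler checks it once and only then exchanges the code server-side. The example.com URLs, client credentials and the injected post function are assumptions; redirect_uri is sent again in the token request because RFC 6749 §4.1.3 requires it when it was part of the authorization request.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client configuration for the example, not real Scalingo or GitHub values.
AUTHORIZE_URL = "https://auth.example.com/login/oauth/authorize"
TOKEN_URL = "https://auth.example.com/login/oauth/access_token"
CLIENT_ID, CLIENT_SECRET = "<app_id>", "<client secret>"
REDIRECT_URI = "https://my.example.com/auth/callback"

def start_login(session: dict) -> str:
    """POST /login: bind a fresh, unguessable state to the session and build the 302 target."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "state": session["oauth_state"]})

def handle_callback(session: dict, callback_url: str, post) -> dict:
    """GET /auth/callback?code=...&state=...: verify state, then exchange the code.
    `post(url, form) -> dict` is injected (assumed) so the exchange runs without network."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    got = q.get("state", [None])[0]
    if expected is None or got is None or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "code" not in q:  # the provider reports a denied consent as ?error=...
        raise PermissionError("callback without code: " + q.get("error", ["unknown"])[0])
    tok = post(TOKEN_URL, {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                           "code": q["code"][0], "redirect_uri": REDIRECT_URI})
    if "access_token" not in tok or tok.get("token_type", "").lower() != "bearer":
        raise PermissionError("unexpected token response")
    return tok  # access_token (and refresh_token, if any) stay server-side
```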
  16. To take away
      - API keys: Best developer experience - Difficult to distribute
      - OAuth2: Auth delegation - Standard protocol
      - OAuth2 + JWT: Distributed validation - Stateless
      > Methods are not exclusive (i.e. GitHub)
  17. References & Credits
      https://tools.ietf.org/html/rfc6749 - OAuth2
      https://tools.ietf.org/html/rfc7519 - JWT
      https://tools.ietf.org/html/rfc7515 - JWS (Signature)
      https://tools.ietf.org/html/rfc7516 - JWE (Encrypted)
      Icons (licensed CC BY from Noun Project):
      Icon User: By Tony Wallström, SE
      Icon Datacenter: By Vectors Market
      Icon Gears: By Danil Polshin, RU
      Icon Key: By Andrejs Kirma, LV