Modern API Authentication 101

Transcript

1. Paris API Meetup Jan 2018 Modern API Authentication 101

2. Léo Unbekandt @Soulou CTO, Scalingo

3. Scalingo v1: Single API Token Web dashboard, CLI, other clients

   → same token

4. Scalingo Next-Gen API Authentication Multizone

5. Scalingo Next-Gen API Authentication Microservices

6. Scalingo Next-Gen API Authentication - Horizontally scalable - Third-party application

   authentication - Convenient for developers - … Secure obviously

7. Auth Method #1 - API Tokens Algolia Dashboard

8. Auth Method #1 - API Tokens

9. - Great for monoliths - Great for intelligent reverse-proxies -

   No delegation $ curl --user ‘:<token>’ https://api.scalingo.com # HTTP Header: ‘Authorization: Basic base64(token)’ $ curl https://app-name.algolianet.com?x-algolia-api-key=token # /!\ Token in URL, beware of the logs Developers love it! Auth Method #1 - API Tokens

10. Auth Method #2 - OAuth2

11. Auth Method #2 - OAuth2

12. OAuth2 ② token ③ token ④ token + algolia app

    secret ⑤ access token ⑥ OK - authenticated Resource Owner ① algolia app id + user + password + consent Client Auth + Resource server

13. OAuth2 - Login with GitHub $ POST https://www.algolia.com/auth/github/ → 302

    https://github.com/login/oauth/authorize? client_id=<app_id>& redirect_uri=https://www.algolia.com/auth/github/callback& response_type=code& scope=user:email - Login - Consent of scope

14. OAuth2 - Login with GitHub # Validate form → 302

    https://www.algolia.com/auth/github/callback? code=<code> ### Server-side $ POST https://github.com/login/oauth/access_token { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>", } → 201 { "access_token":"<access token>", "scope":"user:email", "token_type":"bearer" } ### Client-side again → 302 https://www.algolia.com/dashboard

15. Auth Method #2 - OAuth2 → Allow a service to

    query an API What about… authenticating the users themselves?

16. Auth Method #2 bis ② credentials ③ authenticated request Soulou

    Auth API ① user + password

17. $ POST https://www.algolia.com/auth/github/ → 302 https://github.com/login/oauth/authorize? client_id=<app_id>& redirect_uri=https://www.algolia.com/auth/github/callback& response_type=code& scope=user:email

    OAuth2 - Login with GitHub - Reminder code → is not alone out there

18. OAuth2 - Authentication client-server $ POST https://my.scalingo.com/login → 302 https://auth.scalingo.com/login/oauth/authorize?

    client_id=<app_id>& redirect_uri=https://my.scalingo.com/auth/callback& response_type=token → 201 { "access_token": "<access token>", "expires_in": "3600", "token_type": "bearer" }

19. OAuth2 ② access token Soulou Auth ① user + password

    logs ③ authenticated request Token valid? ③ authenticated request API

20. OAuth2 ② access token Soulou Auth ① user + password

    logs ③ authenticated request Token valid? ③ authenticated request API

21. Here comes JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3O DkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 HEADER: {"alg": "HS512", "typ":

    "JWT"} eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3ODkwIn0K PAYLOAD: {"exp": 1516641851, "sub": "1234567890"} -xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)

22. Auth Method #3 - OAuth2 + JWT $ POST https://my.scalingo.com/login

    → 302 https://auth.scalingo.com/login/oauth/authorize? client_id=<app_id>& redirect_uri=https://my.scalingo.com/auth/callback& response_type=token& state=<state_token> → 201 { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwg InN1YiI6ICIxMjM0NTY3ODkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM", "expires_in": "3600", "token_type": "bearer" }

23. ② access token ③ authenticated request Soulou Auth API ①

    user + password logs ③ authenticated request Auth Method #3 - OAuth2 + JWT

24. JWT Security 101 - Short lifetime (max 1h) - Disable

    NONE algorithm - Rotate secret key eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOiB5b3VhcmVib3JkZSwgInN1YiI6ICIxMjM0NTY3O DkwIn0K.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM HEADER: {"alg": "HS512", "typ": "JWT"} PAYLOAD: {"exp": 1516641851, "sub": "1234567890"} SIGNATURE: HMACSHA512(base64(header) + "." + base64(payload), secret)

25. OAuth2 - Login GitHub done ### Server-side $ POST https://github.com/login/oauth/access_token

    { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>", } → 201 { "access_token": "<access token>", "scope":"user:email", "token_type":"bearer" }

26. OAuth2 + JWT - Back to code response type ###

    Server-side $ POST https://auth.scalingo.com/login/oauth/access_token { "client_id": "<client id>", "client_secret": "<client secret>", "code": "<code>", } → 201 { "access_token":"<JWT>", "scope":"<scope>", "token_type":"bearer", "expires_in": 3600, "refresh_token": "<revocable refresh token>" }

27. To take away - API keys: Best developers experience -

    Difficult to distribute - OAuth2: Auth delegation - Standard protocol - OAuth2 + JWT: Distributed validation - Stateless > Methods are not exclusive (ie. GitHub)

28. References & Credits https://tools.ietf.org/html/rfc6749 - OAuth2 https://tools.ietf.org/html/rfc7519 - JWT https://tools.ietf.org/html/rfc7515

    - JWS (Signature) https://tools.ietf.org/html/rfc7516 - JWE (Encrypted) Icons (licensed CCBY from Noun Project): Icon User: By Tony Wallström, SE Icon Datacenter: By Vectors Market Icon Gears: By Danil Polshin, RU Icon Key: By Andrejs Kirma, LV

29. Questions? (Let’s speak about JWT revocation) Léo Unbekandt @Soulou