Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure Your REST API

Stormpath
December 01, 2016
Technology
0
190

Secure Your REST API

Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog

Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.

Les will cover:
OAuth2
OAuth Access Tokens
Scoping for Permissions
JWTs
Using JWTs as tokens
Securing JWTs
Authentication, Authorization, and More!

Stormpath

December 01, 2016
Tweet

More Decks by Stormpath

See All by Stormpath
RESTful API Development for ASP.NET Core
stormpath
0
220
Build a REST API for your Mobile Apps in Node
stormpath
0
56
How to Use Stormpath in Angular.js
stormpath
0
150
Beautiful REST+JSON APIs with Ion
stormpath
0
160
Storing User Files with Express, Stormpath, and Amazon S3
stormpath
0
31
Instant Security & Scalable User Management with Spring Boot
stormpath
0
190
Custom Data Search with Stormpath
stormpath
0
41
Browser Security 101
stormpath
0
47
Token Authentication in ASP.NET Core
stormpath
0
85

Other Decks in Technology

See All in Technology
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.3k
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
120
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
910
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590

Featured

See All Featured
Building Your Own Lightsaber
phodgson
103
6.1k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
A Philosophy of Restraint
colly
203
16k
Site-Speed That Sticks
csswizardry
0
25
Scaling GitHub
holman
458
140k
Code Review Best Practice
trishagee
64
17k
Speed Design
sergeychernyshev
25
620
How STYLIGHT went responsive
nonsquared
95
5.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
How to train your dragon (web standard)
notwaldorf
88
5.7k
GitHub's CSS Performance
jonrohan
1030
460k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k

Transcript

  1. REST API Security Les Hazlewood @lhazlewood PMC Chair, Apache Shiro

    Expert Group Member, JEE Application Security (JSR-375) Founder & CTO, Stormpath

  2. About Stormpath • User Management API for Developers • Password

    security • Authentication and Authorization • Multi Tenancy • MFA, SAML, OAuth2 • LDAP & Active Directory Cloud Sync • Instant-on, scalable, and highly available • Free for developers ...

  3. Overview • HTTP Authentication • HTTP Authentication Schemes Comparison •

    API Key Authentication • Token Authentication • Authorization

  4. REST API Focus • Eliminate server state • Secure user

    credentials • Secure server endpoints • Expose access control rules • SPAs and Mobile: ‘Untrusted Clients’

  5. HTTP(S) Authentication & Authorization

  6. Authentication Proving you are who you say you are.

  7. Authorization Ensuring someone is allowed to do what they are

    trying to do.

  8. HTTP Authentication & Authorization • Authorization header • No Custom

    Headers! • Stay spec-standard • No pre-flight CORS requests (browsers) req’d • Custom schemes easily supported

  9. Authorization header How does it work?

  10. Authorization header How does it work? Challenge Response protocol

  11. 1. Request GET /admin HTTP/1.1

  12. 2. Challenge HTTP/1.1 401 Unauthorized WWW-Authenticate: scheme-name <stuff> *multiple schemes

    allowed, typically set as multiple WWW-Authenticate headers

  13. 3. Re-Request GET /admin HTTP/1.1 Authorization: scheme-name <stuff>

  14. Example: HTTP Basic Authentication

  15. 1. Request (Basic) GET /admin HTTP/1.1

  16. 2. Challenge (Basic) HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=“MyApp”

  17. 3. Re-Request (Basic) GET /admin HTTP/1.1 Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  18. Schemes • Basic • Digest Schemes (OAuth 1.0a) • Bearer

    Token Schemes (OAuth2) • Custom

  19. HTTP Basic

  20. HTTP Basic String value = username + ‘:’ + raw_password

    String schemeValue = base64_encode(value) ... GET /admin HTTP/1.1 Authorization: Basic schemeValue

  21. HTTP Basic Pros: • Very easy to use • Supported

    by everything Cons: • Raw password always transmitted • Easy to leak raw password if not careful (logging) • Susceptible to Man-In-The-Middle attacks • HTTPS *always* required • Client must constantly retain/reference the raw password (server clients usually ok, browser clients not ok)

  22. Digest Schemes

  23. Digest Schemes: Client request.headers[‘Client-Id’] = getMyId() String digest = hmacSha256(request,

    password) request.headers[‘Authorization’] = ‘Foo ‘ + digest send(request)

  24. Digest Schemes: Server String clientId = request.headers[‘Client-Id’] byte[] password =

    lookupPassword(clientId); String serverComputedDigest = hmacSha256(request, password) String val = request.headers[‘Authorization’] String clientSpecifiedDigest = val.remove(‘Foo ‘) if (clientSpecifiedDigest != serverComputedDigest) { sendError(401, response) return } //otherwise request is authenticated

  25. Digest Schemes: OAuth 1.0a example Authorization: OAuth realm="http://sp.example.com/", oauth_consumer_key="0685bd9184jfhq22”, oauth_token="ad180jjd733klru7",

    oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176”

  26. Digest Schemes Pros: • Probably most secure • Password never

    sent over the wire • HTTPS not required (but your data may still require HTTPS) • Can guarantee end-to-end HTTP message authenticity (HTTPS cannot do this) • Not susceptible to Man-In-The-Middle attacks Cons: • Very difficult to design safely • Difficult to understand and use • Difficult to implement libraries • Client needs to retain a constant reference to the password (server clients usually ok, browser clients maybe not?)

  27. Bearer Token Schemes

  28. Bearer Token Schemes Authorization: Bearer opaque-token

  29. Bearer Token Schemes opaque-token can be whatever you want*

  30. Bearer Token Schemes opaque-token can be whatever you want* *should

    always be cryptographically-signed and expire

  31. Bearer Token Schemes: OAuth 2 Example Authorization: Bearer eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3 MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0d

    HA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjft JeZ4CVP-92K27uhbUJU1p1r_wW1gFWFOEjXk

  32. Bearer Token Schemes Pros: • Easier to use than digest

    • De-facto standard token format (JWT) • Can contain state – no server sessions needed • Does not require constant access to the user password Cons: • HTTPS always required, during and always after login (not a big deal nowadays) • Cannot guarantee end-to-end HTTP message authenticity (like digest schemes can) • Susceptible to Man-In-The-Middle attacks • Token creation and renewal workflows can be very complicated and confusing depending on use case (OAuth2 confuses many people). • When used for Browser or Mobile, additional security still required (Origin checks, CSRF- protection, etc) • Token content is not standard – applications can open themselves to attack

  33. Bearer Token Schemes: Session IDs? Session ID cookies are a

    type of bearer token! Set-Cookie: session=dhj7Wkx8fj; secure; HttpOnly Notes: - Same ‘Cons’ as previous slide - Require server state L - Susceptible to CSRF attacks L - Opaque – no meaning for rich clients (SPA, mobile) L - Service Architectures might need a centralized ID de-referencing service L - Can set the secure and HttpOnly flags J - JWTs are better, as we’ll soon see.

  34. Custom Scheme

  35. Custom Scheme • Only if you really, Really, REALLY know

    what you’re doing. Seriously. No, rly. Srsly. • Non-standard, so you essentially must provide your own client libraries.

  36. Custom Scheme • Stormpath has a custom SAUTHC1 digest scheme

    • Authenticates the entire HTTP Message, including the Body (OAuth 1.0a does not) • Uses nonces to prevent replay attacks • Uses key derivation algorithms and HMAC-SHA-256 • We use it for our own SDKs* • If you’re curious: https://github.com/stormpath (search for ‘sauthc1’ in any stormpath-sdk-* project) *Basic still supported for non-SDK clients or ‘weird’ environments

  37. API Key Authentication

  38. API Key Example ID : YLNVXG091ZO1BSANZ5U6DCTIX Secret: ZediwUeDCNl13ldjaFKFQzz0eD13PO931DLAopdeywixaeUAhsip+92iaY

  39. API Keys • Entropy • Password Independent • Scope •

    Speed • Limited Exposure • Traceability

  40. API Keys • Can be thought of as a really

    long username and password pair. • Can be used with any HTTP Authentication Scheme that accepts a username and password: Basic, Digest, OAuth2, etc. • Almost exclusively used for server-to-server communication. • Never embed API Key secrets in untrusted clients like JavaScript or mobile applications.

  41. HTTP Basic with API Key String value = apiKeyId +

    ‘:’ + apiKeySecret String schemeValue = base64_encode(value) ... GET /admin HTTP/1.1 Authorization: Basic schemeValue

  42. Token Authentication

  43. Why not just use Session IDs?

  44. Session ID Problems • They’re opaque and have no meaning

    themselves (they’re just ‘pointers’). • Service-oriented architectures might need a centralized ID de-referencing service

  45. Session ID Problems • Opaque IDs mean clients can’t inspect

    them and find out what it is allowed to do or not - it needs to make more requests for this information. • Susceptible to CSRF attacks

  46. Session ID Problems • Sessions = Server State! • You

    need to store that state somewhere • Session ID à look up server state on *every request*. • Really not good for distributed/clustered apps • Really not good for scale

  47. Token Authentication to the rescue!

  48. How do you get a Token?

  49. Example: your SPA, your server

  50. 1. Token Request POST /token HTTP/1.1 Origin: https://foo.com Content-Type: application/x-www-form-urlencoded

    grant_type=password&username=username&password=password *Assert allowed origin for browser-based apps

  51. 2. Token Response HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store

    Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", “token_type":"example", “expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value” }

  52. 3. Resource Request GET /admin HTTP/1.1 Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

  53. Example: Token Request using an API Key POST /token HTTP/1.1

    Content-Type: application/x-www-form-urlencoded grant_type=client_credentials&client_id=apiKeyId&client_secret=apiKeyS ecret *Assert allowed origin for browser-based apps

  54. How does the server create a Token?

  55. JSON Web Tokens (JWT) • A URL-safe, compact, self-contained string

    with meaningful information that is usually digitally signed or encrypted. • The string is ‘opaque’ and can be used as a ‘token’. • Many OAuth2 implementations use JWTs as OAuth2 Access Tokens.

  56. JSON Web Tokens (JWT) • You can store them in

    cookies! But all those cookie security rules still apply (CSRF protection, etc). • You can entirely replace your session ID with a JWT.

  57. JSON Web Tokens (JWT) In the wild they look like

    just another ugly string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJ pc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQo gImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnV lfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEj Xk

  58. JSON Web Tokens (JWT) But they do have a three

    part structure. Each part is a Base64Url-encoded string: eyJ0eXAiOiJKV1QiLA0KICJhb GciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJle HAiOjEzMDA4MTkzODAsDQogIm h0dHA6Ly9leGFtcGxlLmNvbS9 pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVPmB92K27uhbUJU 1p1r_wW1gFWFOEjXk Header Body (‘Claims’) Cryptographic Signature

  59. JSON Web Tokens (JWT) Base64Url-decode the parts to find the

    juicy bits: { "typ":"JWT", "alg":"HS256" } { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } tß´—™à%O˜v+nî…SZu¯µ€U…8H× Header Body (‘Claims’) Cryptographic Signature

  60. JSON Web Tokens (JWT) The claims body is the best

    part! It can tell: { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } Who issued the token

  61. JSON Web Tokens (JWT) The claims body is the best

    part! It can tell: { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } Who issued the token When it expires

  62. JSON Web Tokens (JWT) The claims body is the best

    part! It can tell: { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } Who issued the token When it expires Who it represents

  63. JSON Web Tokens (JWT) The claims body is the best

    part! It can tell: { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } Who issued the token When it expires Who it represents What they can do

  64. JSON Web Tokens (JWT) Great! Why is this useful? •

    Implicitly trusted because it is cryptographically signed (verified not tampered). • It is structured, enabling inter-op between services • It can inform your client about basic access control rules (permissions)* • And the big one: statelessness! *servers must always enforce access control policies

  65. JSON Web Tokens (JWT) So, what’s the catch? • Implicit

    trust is a tradeoff – how long should the token be good for? how will you revoke it? (Another talk: refresh tokens) • You still have to secure your cookies! • You have to be mindful of what you store in the JWT if they are not encrypted. No sensitive info!

  66. Authorization

  67. Authorization • JWT Claims can have whatever you want •

    Use a scope field that contains a list of permissions for that user • Client can inspect the claims and scope and turn on or off features based on permissions* • *Server must always assert permissions

  68. Authorization Failed: 403 HTTP/1.1 403 Forbidden

  69. How do you do it on the JVM? JJWT is

    awesome https://github.com/jwtk/jjwt

  70. How do you do it on the JVM? import io.jsonwebtoken.Jwts;

    import io.jsonwebtoken.SignatureAlgorithm; byte[] key = getSignatureKey(); String jwt = Jwts.builder().setIssuer(“http://trustyapp.com/”) .setSubject(“users/1300819380”) .setExpiration(expirationDate) .put(“scope”, “self api/buy”) .signWith(SignatureAlgorithm.HS256,key) .compact(); Create a JWT:

  71. How do you do it on the JVM? Verify a

    JWT: try { Jws<Claims> jwt = Jwts.parser().setSigningKey(key).parseClaimsJws(jwt); //OK, we can trust this JWT } catch (SignatureException e) { //don't trust the JWT! }

  72. In addition to user authentication and data security, Stormpath can

    handle authentication and authorization for your API, SPA or mobile app. • API Authentication • API Key Management • Authorization • Token Based Authentication • OAuth • JWTs • MFA, SAML, OAuth2 • Multi-Tenancy http://docs.stormpath.com/guides/api-key-management/ Implementations in your Library of choice: https://docs.stormpath.com/home/ Use Stormpath for API Authentication & Security

  73. Follow Us on Twitter @lhazlewood @goStormpath