Prabath Siriwardena, profile picture
Uploaded byPrabath Siriwardena
PPTX, PDF4,718 views

API Security : Patterns and Practices

The document discusses API security patterns and practices. It covers topics like API gateways, authentication methods like basic authentication and OAuth 2.0, authorization with XACML policies, and securing APIs through measures like TLS, JWTs, and throttling to ensure authentication, authorization, confidentiality, integrity, non-repudiation, and availability. Key points covered include the gateway pattern, direct vs brokered authentication, JSON web tokens for self-contained access tokens, and combining OAuth and XACML for fine-grained access control.

Software
Related topics:
API Security Insights
Downloaded 214 times
Prabath Siriwardena Director of Security Architecture WSO2 API Security Patterns and Practices
API Ecosystem
Gateway Pattern • Decouple clients from the actual API implementation • No point-to-point to connection • Centralized security enforcing • Centralized auditing & monitoring • Version controlling
Six key attributes of a secured design • Only legitimate users can access the system (authentication) • The system won’t allow users to do anything more than what they are supposed to do (authorization) • Confidential data can only be seen by the intended recipients, nobody else (confidentiality) • Integrity of the transactions are protected (integrity) • Protected for non-repudiation • They system is available for legitimate users to access, all the time (availability)
Direct Authentication • HTTP Basic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 2.0 (for authentication ?)
HTTP Basic Authentication curl -I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’ -d '{"name": "my_github_repo"}' https://api.github.com/user/repos  Creating a GitHub repository
HTTP Digest Authentication curl -k –-digest –u userName:password -v https://localhost:8443/recipe HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED" Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
HTTP Basic vs. Digest Authentication
TLS Mutual Authentication  Gateway itself does the certificate validation  Fine-grained access validations can be done by the authorization server. curl -k --cert client.pem https://localhost:8443/recipe
OAuth 2.0 (authorization code grant type)
OAuth 2.0 (implicit grant type)
OAuth 2.0 (password grant type)
OAuth 2.0 (client credentials grant type)
OAuth 2.0 (chained grant type)
OAuth 2.0 Tokens  AccessTokens  Bearer tokens vs. Mac  TLS is a must  Pass the access token in the HTTP Authorization header  Authorization: Bearer <token>  Pass the access token in as a URL query parameter  Avoid this  Request  Cache-Control: no-store  Response  Cache-Control: private  E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.  Shorter life-time – in minutes or hours  Do not store in cookies  Issue scoped tokens
OAuth 2.0 Tokens  RefreshTokens  Must useTLS  Long-lasting  No refresh tokens under  implicit grant type  client credentials grant type  SAML grant type  JWT grant type
Self-contained Access Tokens  JWT  RFC 7519  Encodes claims to be transmitted as a JSON object  Can be signed using JWS (JSON Web Signature)  Can be encrypted using JWE (JSON Web Encryption)  Represented as a sequence of URL-safe parts separated by period ('.') characters.  Each part contains a base64url-encoded value  Example eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ .dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Self-issued Access Tokens  Same as self-contained access tokens  Issued by the client itself
Brokered Authentication • TLS Mutual Authentication • OAuth 2.0
OAuth 2.0 (decoupling end user authentication from the authorization server)
OAuth 2.0 (SAML grant type)
OAuth 2.0 (JWT grant type)
OAuth 2.0 (External Client)
Authorization
XACML
OAuth & XACML  A given access token has a scope associated with it and it governs the access token’s capabilities  A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.  token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
Token Introspection POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-99JXJ&resource_id=… { "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/* }
XACML Policy <Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
XACML Request <Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes> </Request>
Confidentiality • TLS • JWE
Integrity • TLS • JWS
Non-repudiation • JWS
High Availability • Network level measures • Throttling • Client level • User level
Thank You

More Related Content

PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PPTX
API Design- Best Practices
byPrakash Bhandari
 
PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
An Introduction to OAuth2
byAaron Parecki
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
API Security Fundamentals
byJosé Haro Peralta
 
API Design- Best Practices
byPrakash Bhandari
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
An Introduction to OAuth 2
byAaron Parecki
 

What's hot

PPTX
Json Web Token - JWT
byPrashant Walke
 
PPTX
IBM: Hey FIDO, Meet Passkey!.pptx
byFIDO Alliance
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
Azure Application insights - An Introduction
byMatthias Güntert
 
PDF
Implementing OAuth
byleahculver
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
PPTX
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
PPTX
Spring Boot Tutorial
byNaphachara Rattanawilai
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPTX
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
PPTX
Building secure applications with keycloak
byAbhishek Koserwal
 
PPTX
introduction about REST API
byAmilaSilva13
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PDF
Applications secure by default
bySecuRing
 
PDF
Token, token... From SAML to OIDC
byShiu-Fun Poon
 
PPTX
OAuth 2
byChrisWood262
 
PDF
What is REST API? REST API Concepts and Examples | Edureka
byEdureka!
 
Json Web Token - JWT
byPrashant Walke
 
IBM: Hey FIDO, Meet Passkey!.pptx
byFIDO Alliance
 
Secure your app with keycloak
byGuy Marom
 
Demystifying OAuth 2.0
byKarl McGuinness
 
OAuth 2.0
byUwe Friedrichsen
 
Azure Application insights - An Introduction
byMatthias Güntert
 
Implementing OAuth
byleahculver
 
OAuth2 + API Security
byAmila Paranawithana
 
OpenID for Verifiable Credentials
byTorsten Lodderstedt
 
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
Spring Boot Tutorial
byNaphachara Rattanawilai
 
API SECURITY
byTubagus Rizky Dharmawan
 
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
Building secure applications with keycloak
byAbhishek Koserwal
 
introduction about REST API
byAmilaSilva13
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
Applications secure by default
bySecuRing
 
Token, token... From SAML to OIDC
byShiu-Fun Poon
 
OAuth 2
byChrisWood262
 
What is REST API? REST API Concepts and Examples | Edureka
byEdureka!
 

Similar to API Security : Patterns and Practices

PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PPTX
Vault - Secret and Key Management
byAnthony Ikeda
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
PPTX
JWT Authentication with AngularJS
byrobertjd
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
PPTX
Authenticating Angular Apps with JWT
byJennifer Estrada
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
Authentication in microservice systems - fsto 2017
byDejan Glozic
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
DataPower Restful API Security
byJagadish Vemugunta
 
PDF
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
PDF
Aplicando controles de segurança em API’s, por Erick Tedeschi
byiMasters
 
PDF
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
PPTX
Microservices Security landscape
bySagara Gunathunga
 
PPTX
Better Together: JWT and Hashi Vault in Modern Apps
byShrivatsa Upadhye
 
PDF
Securing Microservices using Play and Akka HTTP
byRafal Gancarz
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Vault - Secret and Key Management
byAnthony Ikeda
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
JWT Authentication with AngularJS
byrobertjd
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
byFelipe Prado
 
Authenticating Angular Apps with JWT
byJennifer Estrada
 
Securing Web Applications with Token Authentication
byStormpath
 
Authentication in microservice systems - fsto 2017
byDejan Glozic
 
Securing RESTful API
byMuhammad Zbeedat
 
DataPower Restful API Security
byJagadish Vemugunta
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
Aplicando controles de segurança em API’s, por Erick Tedeschi
byiMasters
 
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
Microservices Security landscape
bySagara Gunathunga
 
Better Together: JWT and Hashi Vault in Modern Apps
byShrivatsa Upadhye
 
Securing Microservices using Play and Akka HTTP
byRafal Gancarz
 

More from Prabath Siriwardena

PDF
Microservices Security Landscape
byPrabath Siriwardena
 
PDF
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
PDF
Identity is Eating the World!
byPrabath Siriwardena
 
PPTX
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PDF
GDPR for Identity Architects
byPrabath Siriwardena
 
PDF
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
PDF
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
PDF
Identity Management for Web Application Developers
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PPTX
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
PPTX
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
PPTX
The Evolution of Internet Identity
byPrabath Siriwardena
 
PPTX
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
PPTX
Securing Insecure
byPrabath Siriwardena
 
PPTX
Evolution of Internet Identity
byPrabath Siriwardena
 
Microservices Security Landscape
byPrabath Siriwardena
 
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
Identity is Eating the World!
byPrabath Siriwardena
 
Microservices Security Landscape
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
GDPR for Identity Architects
byPrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
Identity Management for Web Application Developers
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Open Standards in Identity Management
byPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
The Evolution of Internet Identity
byPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
Securing Insecure
byPrabath Siriwardena
 
Evolution of Internet Identity
byPrabath Siriwardena
 

Recently uploaded

PPTX
Chapter02 Types of Operating Systems -rev.pptx
bymaafam660
 
PDF
Top 10 KPIs Every Construction Project Manager Should Track.pdf
byOConstruction
 
PPTX
Chapter01-rev Operating System (OS) is a crucial piece of system software.pptx
bymaafam660
 
PDF
Zoho Arattai Messaging App 2025 End-to-End Encryption and Government Adoption
byEvoluz Global Solutions
 
PPTX
Chapter 1 Database Fundamentals Slides Powerpoint
byahmadfawadazizi1979
 
PDF
MOSIUOA WESI NLP UNIT 1 THIRD SEMESTER AUCE
byMOSIUOA WESI
 
PDF
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
PDF
Exploring Large Language Models for Analyzing and Improving Method Names in S...
byUniversity of Hawai‘i at Mānoa
 
PDF
The Y Combinator, a Lightning Talk from GoLab 2025
byEleanor McHugh
 
PPTX
Comprehensive Work Permit System Software for Contractor Safety
bySHEQ Network Limited
 
PDF
Future-Proofing the PMO - Strategic Portfolio Management for 2026 and Beyond
byOnePlan Solutions
 
PPTX
Structural Bioinformatics...............
byhumairasohaib19
 
PDF
A Gopher's Guide to *NIX Plumbing [workshop remixes!]
byEleanor McHugh
 
PDF
Corcava - All‑in‑one business management and CRM platform.
byKrishnaveniMohan1
 
PDF
Transform Your Vision with Custom Software
byEllocent Labs
 
PDF
Beyond Ranking: Focus on Content and Query Understanding
byDaniel Tunkelang
 
PPTX
Softaken JSON Converter for Smother and Secure JSON files Conversion
byDemetrio Parrilla
 
PDF
Frontdesk Anywhere Alternatives in Thailand — Best Cloud PMS for Small Hotels...
byHotelogix
 
PPTX
All you need is fast feedback loop, fast feedback loop, fast feedback loop is...
byNacho Cougil
 
PDF
Smarter Test Maintenance At Scale, presented by Applitools
byApplitools
 
Chapter02 Types of Operating Systems -rev.pptx
bymaafam660
 
Top 10 KPIs Every Construction Project Manager Should Track.pdf
byOConstruction
 
Chapter01-rev Operating System (OS) is a crucial piece of system software.pptx
bymaafam660
 
Zoho Arattai Messaging App 2025 End-to-End Encryption and Government Adoption
byEvoluz Global Solutions
 
Chapter 1 Database Fundamentals Slides Powerpoint
byahmadfawadazizi1979
 
MOSIUOA WESI NLP UNIT 1 THIRD SEMESTER AUCE
byMOSIUOA WESI
 
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
Exploring Large Language Models for Analyzing and Improving Method Names in S...
byUniversity of Hawai‘i at Mānoa
 
The Y Combinator, a Lightning Talk from GoLab 2025
byEleanor McHugh
 
Comprehensive Work Permit System Software for Contractor Safety
bySHEQ Network Limited
 
Future-Proofing the PMO - Strategic Portfolio Management for 2026 and Beyond
byOnePlan Solutions
 
Structural Bioinformatics...............
byhumairasohaib19
 
A Gopher's Guide to *NIX Plumbing [workshop remixes!]
byEleanor McHugh
 
Corcava - All‑in‑one business management and CRM platform.
byKrishnaveniMohan1
 
Transform Your Vision with Custom Software
byEllocent Labs
 
Beyond Ranking: Focus on Content and Query Understanding
byDaniel Tunkelang
 
Softaken JSON Converter for Smother and Secure JSON files Conversion
byDemetrio Parrilla
 
Frontdesk Anywhere Alternatives in Thailand — Best Cloud PMS for Small Hotels...
byHotelogix
 
All you need is fast feedback loop, fast feedback loop, fast feedback loop is...
byNacho Cougil
 
Smarter Test Maintenance At Scale, presented by Applitools
byApplitools
 
In this document
Powered by AI

Presentation by Prabath Siriwardena on API Security patterns and practices in the API ecosystem.

Describes the Gateway Pattern, which decouples clients from API implementation and centralizes security, auditing, and version control.

Presents six key attributes for secure system design: authentication, authorization, confidentiality, integrity, non-repudiation, and availability.

Outlines various authentication methods including HTTP Basic, Digest, TLS Mutual Authentication and compares Basic vs Digest methods.

Discusses various OAuth 2.0 grant types: authorization code, implicit, password, and client credentials.

Details on Access Tokens, including Bearer tokens, scopes, lifetime management, and Self-contained Access Tokens (JWTs) vs. Self-issued tokens.

Explains brokered authentication using TLS Mutual Authentication and OAuth 2.0, highlighting decoupling authentication.

Further explores OAuth 2.0, focusing on the SAML and JWT grant types and their role in authorization.

Discusses OAuth scopes and their integration with XACML policies for fine-grained access control in delegated authorization.

Presents token introspection sample and XACML policy definitions and requests for managing access control.

Highlights confidentiality, integrity, non-repudiation, and high availability principles crucial for API security.

Closing remarks to the presentation thanking the audience.

API Security : Patterns and Practices

  • 1.
    Prabath Siriwardena Director ofSecurity Architecture WSO2 API Security Patterns and Practices
  • 2.
  • 3.
    Gateway Pattern • Decoupleclients from the actual API implementation • No point-to-point to connection • Centralized security enforcing • Centralized auditing & monitoring • Version controlling
  • 4.
    Six key attributesof a secured design • Only legitimate users can access the system (authentication) • The system won’t allow users to do anything more than what they are supposed to do (authorization) • Confidential data can only be seen by the intended recipients, nobody else (confidentiality) • Integrity of the transactions are protected (integrity) • Protected for non-repudiation • They system is available for legitimate users to access, all the time (availability)
  • 5.
    Direct Authentication • HTTPBasic Authentication • HTTP Digest Authentication • TLS Mutual Authentication • OAuth 2.0 (for authentication ?)
  • 6.
    HTTP Basic Authentication curl-I -u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’ -d '{"name": "my_github_repo"}' https://api.github.com/user/repos  Creating a GitHub repository
  • 7.
    HTTP Digest Authentication curl-k –-digest –u userName:password -v https://localhost:8443/recipe HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED" Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"
  • 8.
    HTTP Basic vs.Digest Authentication
  • 9.
    TLS Mutual Authentication Gateway itself does the certificate validation  Fine-grained access validations can be done by the authorization server. curl -k --cert client.pem https://localhost:8443/recipe
  • 10.
    OAuth 2.0 (authorizationcode grant type)
  • 11.
  • 12.
  • 13.
    OAuth 2.0 (clientcredentials grant type)
  • 14.
    OAuth 2.0 (chainedgrant type)
  • 15.
    OAuth 2.0 Tokens AccessTokens  Bearer tokens vs. Mac  TLS is a must  Pass the access token in the HTTP Authorization header  Authorization: Bearer <token>  Pass the access token in as a URL query parameter  Avoid this  Request  Cache-Control: no-store  Response  Cache-Control: private  E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.  Shorter life-time – in minutes or hours  Do not store in cookies  Issue scoped tokens
  • 16.
    OAuth 2.0 Tokens RefreshTokens  Must useTLS  Long-lasting  No refresh tokens under  implicit grant type  client credentials grant type  SAML grant type  JWT grant type
  • 17.
    Self-contained Access Tokens JWT  RFC 7519  Encodes claims to be transmitted as a JSON object  Can be signed using JWS (JSON Web Signature)  Can be encrypted using JWE (JSON Web Encryption)  Represented as a sequence of URL-safe parts separated by period ('.') characters.  Each part contains a base64url-encoded value  Example eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ .dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  • 18.
    Self-issued Access Tokens Same as self-contained access tokens  Issued by the client itself
  • 19.
    Brokered Authentication • TLSMutual Authentication • OAuth 2.0
  • 20.
    OAuth 2.0 (decoupling enduser authentication from the authorization server)
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
    OAuth & XACML A given access token has a scope associated with it and it governs the access token’s capabilities  A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.  token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
  • 27.
    Token Introspection POST /introspectionHTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 token=X3241Affw.4233-99JXJ&resource_id=… { "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/* }
  • 28.
    XACML Policy <Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignatorMustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule> </Policy>
  • 29.
    XACML Request <Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <AttributeAttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes> </Request>
  • 30.
  • 31.
  • 32.
  • 33.
    High Availability • Networklevel measures • Throttling • Client level • User level
  • 34.