Downloaded 58 times
![How Requests are Made curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'](https://image.slidesharecdn.com/2014febconfoooauthopenidconnect2-140226220910-phpapp02/75/Securing-RESTful-APIs-using-OAuth-2-and-OpenID-Connect-14-2048.jpg)
![How Auth is Added in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'](https://image.slidesharecdn.com/2014febconfoooauthopenidconnect2-140226220910-phpapp02/75/Securing-RESTful-APIs-using-OAuth-2-and-OpenID-Connect-15-2048.jpg)
Uploaded byJonathan LeBlanc
Securing RESTful APIs using OAuth 2 and OpenID Connect
The document outlines the importance of securing RESTful APIs using OAuth 2.0 and OpenID Connect, highlighting the risks related to poor password choices among users. It details key components of API requests, authentication methods, attack vectors, and practical implementation steps for accessing secure resources. The conclusion emphasizes that REST and OAuth are specifications rather than strict rules, and encourages developers to adopt open-source tools and security measures without compromising usability.
Securing RESTful APIs using OAuth 2 and OpenID Connect
- 1. Securing RESTful APIs UsingOAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
- 2. Why do weNeed This?
- 3. Poor Password Choices • 4.7%of users have the password password; • 8.5% have the passwords password or 123456; • 9.8% have the passwords password, 123456 or 12345678; • 14% have a password from the top 10 passwords • 40% have a password from the top 100 passwords • 79% have a password from the top 500 passwords • 91% have a password from the top 1000 passwords
- 4. …And of What’sLeft 1. Pet’s name 2. Significant dates (like a wedding anniversary) 3. Date of birth of close relation 4. Child’s name 5. Other family member’s name 6. Place of birth 7. Favorite holiday 8. Something related to favorite football team 9. Current partner’s name
- 5. Handing Over AccountPasswords
- 6.
- 7.
- 8. App Revoked byUser App Revoked by Service Provider
- 9. Path to theStandard
- 10. Username & Passwordto Auth
- 11. Rise of theToken
- 12. Two Widely UsedSpecifications
- 13.
- 14. How Requests areMade curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
- 15. How Auth isAdded in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
- 16. Attack Vectors Man inthe Middle Replay Attacks Cross-Site Request Forgery (CSRF)
- 17. Adding in theAuth
- 18. Reasons for Auth RateLimiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
- 19. When You NeedAccess Security
- 20.
- 21.
- 22. Redirect the Userto Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
- 23. Fetching the AccessToken Fetch the Access Token Access Token Endpoint client_id grant_type client_secret code HTTP POST Access Token Endpoint
- 24. Fetching the AccessToken curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
- 25. Access Token Response { "scope":"https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
- 26. Using the AccessToken Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
- 27. Using the AccessToken curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
- 28.
- 29. Defining APIs withWADL / WSDL
- 30. <?xml version="1.0" encoding="UTF-8"?> <descriptionxmlns="http://www.w3.org/ns/wsdl" ...> <types> … </types> <interface name="Interface1"> … </interface> <binding name="HttpBinding" interface="tns:Interface1”> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" …> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service> </description>
- 31. <?xml version="1.0"?> <application xmlns:xsi=…> <grammars> <includehref="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
- 32. Genio (templates) https://github.com/paypal/genio Genio Parser(model builder) https://github.com/paypal/genio-parser Genio Samples https://github.com/paypal/genio-sample Building SDKs Automatically
- 33. Final Considerations REST andOAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
- 34. Thank You! Questions? http://slideshare.net/jcleblanc JonathanLeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal