Downloaded 1,435 times
!["links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]](https://image.slidesharecdn.com/2013octsvcodecampsecurerestapisoauth2-131002134922-phpapp01/75/Securing-RESTful-APIs-using-OAuth-2-and-OpenID-Connect-14-2048.jpg)
Uploaded byJonathan LeBlanc
Securing RESTful APIs using OAuth 2 and OpenID Connect
The document discusses securing RESTful APIs using OAuth 2 and OpenID Connect, highlighting the importance of authentication and authorization mechanisms for user data protection. It covers practical implementation details for fetching and using access tokens, along with various authorization flows and considerations for integrating these security standards without alienating developers. Additionally, it emphasizes the flexibility of REST and OAuth as specifications and provides resource links for further exploration.
Securing RESTful APIs using OAuth 2 and OpenID Connect
- 1. Securing RESTful APIs UsingOAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America
- 2. What We’re Covering AuthHistory and REST Concepts Adding in an Auth Mechanism Integration in Practice (server + client side integrations)
- 3.
- 4. The Ultimate Decision SecurityUsability
- 5. Path to theStandard
- 6.
- 7. Very Secure, Longto Implement
- 8. Two Currently WidelyUsed Specs
- 9.
- 10. What a RESTfulAPI isn’t Our API is RESTful, we support GET, PUT, POST, and DELETE requests No…actually you just support HTTP…like the rest of the web.
- 11. What a RESTfulAPI is Honor HTTP request verbs Use proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header
- 12. Does Anyone ActuallyDo That? Very few APIs follow pragmatic REST principles
- 13.
- 14. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel":"self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]
- 15.
- 16. Reasons for Auth RateLimiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
- 17. When You NeedAccess Security
- 18. A Few DifferentFlavors of Usage User login (authentication) Application only (bearer tokens) User Involvement (authorization)
- 19.
- 20. Fetching the AccessToken Fetch the Access Token Access Token Endpoint client_id grant_type client_secret HTTP POST Access Token Endpoint
- 21. Fetching the AccessToken curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_KS1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
- 22. Access Token Response { "scope":"https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
- 23. Using the AccessToken Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
- 24. Using the AccessToken curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
- 25. A few implementationdifferences Endpoints Scopes (dynamic / static) Using the Access Token in a request
- 26. OAuth 2 &JavaScript?
- 27. The Complexities ofJavaScript The same-origin policy Keeping private keys private Not having to provide a hacked experience
- 28. The Ways weMade it Work Server-side proxy Flash / iframe proxy Private token storage mechanism
- 29. User Agent Flow:Redirect Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
- 30. User Agent Flow:Redirect Building the redirect link var auth_uri = auth_endpoint + "?response_type=token" + "&client_id=" + client_id + "&scope=profile" + "&redirect_uri=" + window.location; $("#auth_btn").attr("href", auth_uri);
- 31. User Agent Flow:Hash Mod Fetch the Hash Mod access_token refresh_token expires_in Extract Access Token
- 32. User Agent Flow:Hash Mod http://site.com/callback#access_token=rBEGu1FQr5 4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a& expires_in=3600 var hash = document.location.hash; var match = hash.match(/access_token=(w+)/); Extracting the access token from the hash
- 33. User Agent Flow:Get Resources Set Request Headers + URI Resource Endpoint Header: token type + access token Header: accept data type HTTPS Request
- 34. User Agent Flow:Get Resources $.ajax({ url: resource_uri, beforeSend: function (xhr) { xhr.setRequestHeader('Authorization', 'OAuth ' + token); xhr.setRequestHeader('Accept', 'application/json'); }, success: function (response) { //use response object } }); Making an authorized request
- 35.
- 36. How it’s NormallyUsed Access user details Push data through user social streams
- 37. But why? Access tokenas a control structure Improve Existing Products Our showcase: Seamless Checkout
- 38. The Last Considerations RESTand OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
- 39. A Few CodeLinks OAuth2 & OpenID Connect Samples https://github.com/jcleblanc/oauth https://github.com/paypal/paypal-access Log in with PayPal http://bit.ly/loginwithpaypal
- 40. Thank You! Questions? http://slideshare.net/jcleblanc JonathanLeBlanc (@jcleblanc) Head of Developer Evangelism PayPal North America