Downloaded 190 times
!["links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]](https://image.slidesharecdn.com/2013aprimaginesecuringrestapisoauth2-130408012711-phpapp02/75/Securing-RESTful-Payment-APIs-Using-OAuth-2-7-2048.jpg)
![class paypal{ private $access_token; private $token_type; public function __construct(){ $postvals = "grant_type=client_credentials"; $uri = URI_SANDBOX . "oauth2/token"; $auth_response = self::curl($uri, 'POST', $postvals, true); $this->access_token = $auth_response['body']->access_token; $this->token_type = $auth_response['body']->token_type; } … }](https://image.slidesharecdn.com/2013aprimaginesecuringrestapisoauth2-130408012711-phpapp02/75/Securing-RESTful-Payment-APIs-Using-OAuth-2-14-2048.jpg)
![$options = array( CURLOPT_HEADER => true, CURLINFO_HEADER_OUT => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true, CURLOPT_VERBOSE => true, CURLOPT_TIMEOUT => 10 ); if ($method == 'POST'){ $options[CURLOPT_POSTFIELDS] = $postvals; $options[CURLOPT_CUSTOMREQUEST] = $method; } curl_setopt_array($ch, $options); $response = curl_exec($ch); return $response; }](https://image.slidesharecdn.com/2013aprimaginesecuringrestapisoauth2-130408012711-phpapp02/75/Securing-RESTful-Payment-APIs-Using-OAuth-2-16-2048.jpg)
Uploaded byJonathan LeBlanc
Securing RESTful Payment APIs Using OAuth 2
The document discusses securing RESTful payment APIs using OAuth 2, emphasizing the importance of proper HTTP implementations and security measures such as bearer tokens for user authentication and authorization. It provides code examples for accessing PayPal's APIs and highlights best practices for API usability without alienating developers. The presentation concludes with a call for embracing open source tools and encourages further questions.
Securing RESTful Payment APIs Using OAuth 2
- 1. Securing RESTful PaymentAPIs Using OAuth 2 Jonathan LeBlanc Principal Developer Evangelist (PayPal) Github: http://github.com/jcleblanc Twitter: @jcleblanc
- 2. The Ultimate Decision Security Usability
- 4. What a RESTfulAPI isn’t Our API is RESTful, we support GET, PUT, POST, and DELETE requests No…actually you just support HTTP…like the rest of the web.
- 5. What a RESTfulAPI is Honor HTTP request verbs Use proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header Double Rainbow: Discovery via HATEOAS
- 6. Does Anyone ActuallyDo That? Very few APIs follow pragmatic REST principles
- 7. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]
- 9. When You NeedAccess Security
- 10. A Few DifferentFlavors of Usage User login (authentication) User Involvement (authorization) Application only (bearer tokens)
- 11. Our App Usage:Bearer Tokens
- 13. Making Your Definitions <?php define("CLIENT_ID", "YOUR CLIENT ID"); define("CLIENT_SECRET", "YOUR CLIENT SECRET"); define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/"); define("URI_LIVE", "https://api.paypal.com/v1/"); ?>
- 14. class paypal{ private $access_token; private $token_type; public function __construct(){ $postvals = "grant_type=client_credentials"; $uri = URI_SANDBOX . "oauth2/token"; $auth_response = self::curl($uri, 'POST', $postvals, true); $this->access_token = $auth_response['body']->access_token; $this->token_type = $auth_response['body']->token_type; } … }
- 15. private function curl($url,$method = 'GET', $postvals = null, $auth = false){ $ch = curl_init($url); if ($auth){ $headers = array("Accept: application/json", "Accept-Language: en_US"); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" .CLIENT_SECRET); } else { $headers = array("Content-Type:application/json", "Authorization:{$this->token_type} {$this->access_token}"); }
- 16. $options = array( CURLOPT_HEADER => true, CURLINFO_HEADER_OUT => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true, CURLOPT_VERBOSE => true, CURLOPT_TIMEOUT => 10 ); if ($method == 'POST'){ $options[CURLOPT_POSTFIELDS] = $postvals; $options[CURLOPT_CUSTOMREQUEST] = $method; } curl_setopt_array($ch, $options); $response = curl_exec($ch); return $response; }
- 17. Making a Callwith the Token public function process_payment($request){ $postvals = $request; $uri = URI_SANDBOX . "payments/payment"; return self::curl($uri, 'POST', $postvals); }
- 18. The Last Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
- 19. Thank You! Questions? www.slideshare.com/jcleblanc Jonathan LeBlanc Principal Developer Evangelist (PayPal) Github: http://github.com/jcleblanc Twitter: @jcleblanc