API Security : Patterns and Practices

Prabath SiriwardenaDirector of Security ArchitectureWSO2

API Security Patterns and Practices

API Ecosystem

Gateway Pattern

• Decouple clients from the actual API implementation

• No point-to-point to connection• Centralized security enforcing• Centralized auditing & monitoring• Version controlling

Six key attributes of a secured design

• Only legitimate users can access the system (authentication)

• The system won’t allow users to do anything more than what they are supposed to do (authorization)

• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)

• Integrity of the transactions are protected (integrity)• Protected for non-repudiation• They system is available for legitimate users to access,

all the time (availability)

Direct Authentication

• HTTP Basic Authentication• HTTP Digest Authentication• TLS Mutual Authentication• OAuth 2.0 (for authentication ?)

HTTP Basic Authentication

curl -I-u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’-d '{"name": "my_github_repo"}' https://api.github.com/user/repos

Creating a GitHub repository

HTTP Digest Authenticationcurl -k –-digest –u userName:password -v https://localhost:8443/recipe

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

HTTP Basic vs. Digest Authentication

TLS Mutual Authentication

Gateway itself does the certificate validation Fine-grained access validations can be done by the authorization server.

curl -k --cert client.pem https://localhost:8443/recipe

OAuth 2.0 (authorization code grant type)

OAuth 2.0 (implicit grant type)

OAuth 2.0 (password grant type)

OAuth 2.0 (client credentials grant type)

OAuth 2.0 (chained grant type)

OAuth 2.0 Tokens Access Tokens

Bearer tokens vs. Mac TLS is a must Pass the access token in the HTTP Authorization header

Authorization: Bearer <token> Pass the access token in as a URL query parameter

Avoid this Request Cache-Control: no-store Response Cache-Control: private E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.

Shorter life-time – in minutes or hours Do not store in cookies Issue scoped tokens

OAuth 2.0 Tokens Refresh Tokens

Must use TLS Long-lasting No refresh tokens under

implicit grant type client credentials grant type SAML grant type JWT grant type

Self-contained Access Tokens

JWT RFC 7519 Encodes claims to be transmitted as a JSON object Can be signed using JWS (JSON Web Signature) Can be encrypted using JWE (JSON Web Encryption) Represented as a sequence of URL-safe parts separated by period

('.') characters. Each part contains a base64url-encoded value

Example eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 .eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

Self-issued Access Tokens

Same as self-contained access tokens Issued by the client itself

Brokered Authentication

• TLS Mutual Authentication• OAuth 2.0

OAuth 2.0 (decoupling end user authentication from the authorization server)

OAuth 2.0 (SAML grant type)

OAuth 2.0 (JWT grant type)

OAuth 2.0 (External Client)

Authorization

XACML

OAuth & XACML

A given access token has a scope associated with it and it governs the access token’s capabilities

A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.

token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities

Token Introspection

POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{ "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/*}

XACML Policy<Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule></Policy>

XACML Request<Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes></Request>

Confidentiality

• TLS• JWE

Integrity

• TLS• JWS

Non-repudiation

• JWS

High Availability

• Network level measures• Throttling• Client level• User level

Thank You