A presentation at IBM Index Conference in in San Francisco, CA, USA by Senthilkumar Gopal
Ten steps for Token based API Security Senthilkumar Gopal
ACME Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter INPUT SANITIZER APPLICATION LOGIC MODEL TRANSFORM @sengopal
A Hero’s (‘real’) story Build an Awesome Mobile App @sengopal
ACME (Not) Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter Input Sanitizer Application Logic Model Transform API Server Mobile App CRUD Operations @sengopal
@sengopal | IndexConf2018
Web Application vs. APIs “ But no one else knew about the API server “ @sengopal
Web Application vs. APIs source @sengopal
A Hero’s (‘real’) story @sengopal
I need an ‘expert’ @sengopal | IndexConf2018
First Principles APIs are … Closer to Object Data Model Intended to serve machines instead of real users @sengopal
Example of Web Application vs. APIs @sengopal
Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples @sengopal
STEP 1 Embrace the standards
How to protect them? Delegated Authentication Delegated Authorization Client Revocability User Control Code @ http://bit.ly/ebay-oauth By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066 @sengopal
How to protect them? @sengopal Source: OAuth2 in Action - By Justin Richer & Antonio Sanso
Typical API Security Workflow Request Proxy Authentication Resource Cache Resource Authorization Rate Limiting @sengopal
Why “Authentication" is important? Authorization @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting fs.setPath(“/hi") .requestRateLimiter(MyRL.args(2, 4,AppKeyResolver)) https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html @sengopal
STEP 2 Maintain an extensible token architecture
“If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source @sengopal | IndexConf2018
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” @sengopal
Entities User Entity Application Entity @sengopal | IndexConf2018
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” @sengopal
Cryptography 101 server client private public signature e32d140bc54d @sengopal
STEP 3 Learn the nuances of Cryptography
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.” @sengopal
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
LifeCycle - Application Retired App Developer Registered Blocked Generate tokens Active @sengopal
LifeCycle - Tokens App Developer Access Token Resource API Tokens Revoked User Consented Access token Refresh Token Consent Revoked @sengopal
Fitting it all together client Access Token Access-token OAuth /token auth Access Token Access-token Secure Token Server Resource /cart @sengopal
LifeCycle - Purpose Refresh Token Access Token To Generate new Access Token To Access protected Resource Long Lived Short Lived @sengopal
STEP 4 Learn Live the nomenclature
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Structure ebay AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA 2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs google ya29.GltiBRICgroWhf0XJe4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v facebook EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8Ehr AD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
Structure Is it just a Are there any random string? standards? JWT SAML @sengopal
Structure - JWT https://jwt.io/ @sengopal
STEP 5 Choose the token format wisely (standards)
Structure - JWT What goes in the claim? https://jwt.io/ @sengopal
Structure - What goes in the claim? client Access Token OAuth /token Access Token Secure Token Server Access-token auth Resource /cart Access-token Everything! @sengopal
Structure - Why everything? tokens Service APIs IS SAME AS User entity App entity issuer issueAt cookies Web Apps expiresAt deviceIdentifier trackingId … @sengopal Photo by Jennifer Pallian on Unsplash
Structure - Versioning We add new attributes everyday. Versioning v1, v1.1, v1.2, v1.3, v2.0, …. User entity App entity issuer issueAt version expiresAt deviceIdentifier trackingId … @sengopal
STEP 6 Capture every identifier possible and use versioning
No! Master! Am I ready yet ? One more important step Photo by DeviantArt @sengopal | IndexConf2018
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Security { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } Integrity Verified Missing Confidentiality Revocation JWT - Claim @sengopal Photo by Samuel Zeller on Unsplash
Security By Value By Reference { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" { “ref”:” AgAAAAAQAAAAaAAAAA**E6+EWg* *nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6 wMkIGkCJCGoA2dj6x9nY+seQ+/ 5wK1dskM5/3EOEY7BDg7VHK/ CmDimCvVPbtJankHhzJUF8rU876Qzjs ” } } @sengopal
Security By Value By Reference Integrity Verified Integrity Verified Confidential Custom format * Persisted @sengopal
Fitting them together client Access Token Access-token OAuth /token auth Access Token async AUDIT Access-token Secure Token Server RDBMS Resource /cart App Metadata Server @sengopal
Persistence - Considerations Atomic & Strong Consistency Token Generation of new tokens Token Revocation * @sengopal
Persistence - Considerations Eventually Consistent User - token Auditing Cache duplication @sengopal
STEP 7 Identify transactional needs
Performance “Premature optimization is the root of all evil” - Donald Knuth Identify Hot spots Caching in Couchbase @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS App Metadata Server @sengopal
STEP 8 Use caching to get optimal performance
OWASP Open Web Application Security Project A2 – Broken Authentication and Session Management A10 – Underprotected APIs Reference @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS User & Risk Systems App Metadata Server @sengopal
STEP 9 Audit all access patterns
Managing the whole show Application Lifecycle Token lifecycle Cryptography artifacts rotation Authorizations registry …. @sengopal
STEP 10 Automate Everything
And the 10 steps are …. Embrace the standards All identifiers & versioning Extensible token architecture Identify transactional needs Nuances of Cryptography Use caching Learn the nomenclature Audit all access patterns Correct token format Automate Everything @sengopal
Thank You! Blogs @ http://sengopal.me Tweets @sengopal Slides and Code @ http://bit.ly/apiworld-token-security
Many developers are well versed with domain based application development. However when it comes to security, there are very few who can ascertain to the credibility of their API and Identity assertion systems. This talk targets the uncertainty around the functioning and utility of tokens in an API security landscape. It addresses the basic needs of a token infrastructure and what would it take to build one. This talk aims to help developers embrace security and identity as part of their tool chain and remove the skepticism around building their own API security. The developers should be able to use this discussion as a launchpad for building their own API authentication systems. This is a unique talk as many companies closely guard the secret of how their token infrastructure functions.,Being the lead architect for eBay Identity and having hand crafted the infrastructure which powers eBay’s entire API stack authentication, Senthilkumar is driving the vision for Identity architecture for the next generation of services and uniquely poised to help developers with the talk to understand the nuances of API security and token infrastructure. He will be providing references to OAuth RFC specifications, OWASP threats and how it is addressed etc.
The following resources were mentioned during the presentation or are useful additional information.
Experimental code to walk through for OAuth 2.0 description
Here’s what was said about this presentation on social media.
for free. You
can too.