Ten steps for a strong Token based API Security Senthilkumar Gopal
A presentation at Silicon Valley Code Camp in October 2018 in San Jose, CA, USA by Senthilkumar Gopal
Ten steps for a strong Token based API Security Senthilkumar Gopal
ACME Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter INPUT SANITIZER APPLICATION LOGIC MODEL TRANSFORM @sengopal
A Hero’s (‘real’) story Build an Awesome Mobile App @sengopal
ACME (Not) Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter Input Sanitizer Application Logic Model Transform API Server Mobile App CRUD Operations @sengopal
@sengopal
Web Application vs. APIs “ But no one else knew about the API server “ @sengopal
Web Application vs. APIs source @sengopal
A Hero’s (‘real’) story @sengopal
I need an ‘expert’ @sengopal
First Principles APIs are … Closer to Object Data Model Intended to serve machines instead of real users @sengopal
Example of Web Application vs. APIs @sengopal
Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples @sengopal
STEP 1 Embrace the standards
How to protect them? Delegated Authorization Delegated Authentication Client Revocability User Control By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066 @sengopal
How to protect them? @sengopal Source: OAuth2 in Action - By Justin Richer & Antonio Sanso
Typical API Security Workflow Request Proxy Authentication Resource Cache Resource Authorization Rate Limiting @sengopal
Why “Authentication" is important? Authorization @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting fs.setPath(“/hi") .requestRateLimiter(MyRL.args(2, 4,AppKeyResolver)) https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html @sengopal
STEP 2 Maintain an extensible token architecture
“If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.” @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.” @sengopal
Entities User Entity Application Entity @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” @sengopal
Cryptography 101 server client private public signature e32d140bc54d @sengopal
STEP 3 Learn the nuances of Cryptography
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.” @sengopal
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
LifeCycle - Application Retired App Developer Registered Blocked Generate tokens Active @sengopal
LifeCycle - Tokens App Developer Access Token Resource API Tokens Revoked User Consented Access token Refresh Token Consent Revoked @sengopal
Fitting it all together client Access Token Access-token OAuth /token auth Access Token Access-token Secure Token Server Resource /cart @sengopal
LifeCycle - Purpose Refresh Token Access Token To Generate new Access Token To Access protected Resource Long Lived Short Lived @sengopal
STEP 4 Learn Live the nomenclature
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Structure ebay AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA 2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs google ya29.GltiBRICgroWhf0XJe4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v facebook EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8Ehr AD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
Structure Is it just a Are there any random string? standards? JWT SAML @sengopal
Structure - JWT https://jwt.io/ @sengopal
STEP 5 Choose the token format wisely (standards)
Structure - JWT What goes in the claim? https://jwt.io/ @sengopal
Structure - What goes in the claim? client Access Token OAuth /token Access Token Secure Token Server Access-token auth Resource /cart Access-token Everything! @sengopal
Structure - Why everything? tokens Service APIs IS SAME AS User entity App entity issuer issueAt cookies Web Apps expiresAt deviceIdentifier trackingId … @sengopal Photo by Jennifer Pallian on Unsplash
Structure - Versioning We add new attributes everyday. Versioning v1, v1.1, v1.2, v1.3, v2.0, …. User entity App entity issuer issueAt version expiresAt deviceIdentifier trackingId … @sengopal
STEP 6 Capture every identifier possible and use versioning
No! Master! Am I ready yet ? One more important step @sengopal Photo by DeviantArt
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ @sengopal
Security { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } Integrity Verified Missing Confidentiality Revocation JWT - Claim @sengopal
Security By Value By Reference { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" { “ref”:” AgAAAAAQAAAAaAAAAA**E6+EWg* *nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6 wMkIGkCJCGoA2dj6x9nY+seQ+/ 5wK1dskM5/3EOEY7BDg7VHK/ CmDimCvVPbtJankHhzJUF8rU876Qzjs ” } } @sengopal
Security By Value By Reference Integrity Verified Integrity Verified Confidential Custom format * Persisted @sengopal
Fitting them together client Access Token Access-token OAuth /token auth Access Token async AUDIT Access-token Secure Token Server RDBMS Resource /cart App Metadata Server @sengopal
Persistence - Considerations Atomic & Strong Consistency Token Generation of new tokens Token Revocation * @sengopal
Persistence - Considerations Eventually Consistent User - token Auditing Cache duplication @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS App Metadata Server @sengopal
STEP 7 Identify transactional needs
Minimal Token Exposure { "sub": "110169484474386276334", “exp": "14339732223" .... "given_name": "Test", "family_name": “User”, "email": “testuser@gmail.com”, "iat": "14339732223", “scopes": “buy.order item.feed” } @PreAuthorize("hasPermission(#contact, ‘buy.order')") public void buyOrder(Contact contact); @sengopal
STEP 8 Allow only minimal scopes and least expiration time
OWASP Open Web Application Security Project A2 – Broken Authentication and Session Management A10 – Underprotected APIs Reference @sengopal
Fire Drill - Revocation Strategy Token Revocation User Application All @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS User & Risk Systems App Metadata Server @sengopal
STEP 9 Audit all access patterns and “be prepared”
Managing the whole show Application Lifecycle Token lifecycle Cryptography artifacts rotation Authorizations registry …. @sengopal
STEP 10 Automate Everything
And the 10 steps are …. Embrace the standards All identifiers & versioning Extensible token architecture Identify transactional needs Nuances of Cryptography Allow only minimal scopes Learn the nomenclature Audit all access patterns Correct token format Automate Everything @sengopal
Thank You! Blogs @ http://sengopal.me Tweets @sengopal Slides and Code @ http://bit.ly/token-sec-svcc
