Ten Steps for Token-based API Security
Senthilkumar Gopal (@sengopal)

ACME "Fort Knox" Web Application (diagram of the defensive layers in front of the web app): CSRF, Bot Check, Browser Traffic Limiter, Input Sanitizer, Application Logic, Model Transform

A Hero's ('real') story: Build an Awesome Mobile App

ACME (Not) Fort Knox Web Application (diagram): the web application still sits behind CSRF, Bot Check, Browser Traffic Limiter, Input Sanitizer, Application Logic and Model Transform, while alongside it an API Server serves the Mobile App's CRUD Operations.

@sengopal | IndexConf2018

Web Application vs. APIs: "But no one else knew about the API server"

Web Application vs. APIs

A Hero's ('real') story

I need an 'expert'

First Principles: APIs are ... closer to the Object Data Model, and intended to serve machines instead of real users.

Example of Web Application vs. APIs

Example of Web Application vs. APIs: https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples

STEP 1 Embrace the standards

How to protect them? OAuth gives: Delegated Authentication, Delegated Authorization, Client Revocability, User Control. Code @ http://bit.ly/ebay-oauth
(OAuth logo by Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066)

How to protect them? Source: OAuth2 in Action, by Justin Richer & Antonio Sanso

Typical API Security Workflow: Request -> Proxy -> Authentication -> Resource Cache -> Resource Authorization -> Rate Limiting

Why is "Authentication" important? Both of the later steps depend on knowing who the caller is.
Authorization (Spring Security expression-based access control):
    @PreAuthorize("hasPermission(#contact, 'admin')")
    public void deletePermission(Contact contact, Sid recipient, Permission permission);
Rate Limiting (keyed on the authenticated application):
    fs.setPath("/hi").requestRateLimiter(MyRL.args(2, 4, AppKeyResolver))
Reference: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

STEP 2 Maintain an extensible token architecture

"If you decide to go and create your own token system, you had best be really smart." - Stack Overflow

What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography."


Entities: User Entity, Application Entity


Cryptography 101 (diagram): server, client, private key, public key, signature (e32d140bc54d)

STEP 3 Learn the nuances of Cryptography

What is a token? "A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography."

Authentication Server - a time tested strategy: Life Cycle, Structure, Persistence
(Photo by Patrick Lindenberg on Unsplash)


LifeCycle - Application (state diagram): the App Developer registers the application; states are Registered, Active (the state in which it can generate tokens), Blocked and Retired.

LifeCycle - Tokens (diagram):
  • App Developer: Access Token for Resource APIs; tokens can be Revoked.
  • User Consented: Access Token and Refresh Token; Consent Revoked ends them.

Fitting it all together (diagram): the client calls OAuth /token on the Secure Token Server and receives an Access Token; it then calls Resource /cart with the Access-token, and the resource checks the token (auth) against the Secure Token Server.

LifeCycle - Purpose:
  • Refresh Token: to generate a new Access Token; long lived.
  • Access Token: to access a protected Resource; short lived.
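The lifecycle on the last three slides, as an added example (not code from the talk): a long-lived refresh token mints short-lived access tokens, the resource's auth check introspects them at the token server, and revoking the user's consent or blocking the app kills every token that descends from that consent. Lifetimes, class and method names are constructed for the example.

```python
# Added example (not from the talk): the lifecycle on the slides with constructed lifetimes.
# Revoking consent or blocking the app invalidates every token descending from that consent.
import secrets

ACCESS_TTL = 2 * 3600        # short lived (constructed value)
REFRESH_TTL = 540 * 86400    # long lived (constructed value)

class SecureTokenServer:
    def __init__(self):
        self.apps = {}      # app_id -> "Registered" | "Active" | "Blocked" | "Retired"
        self.consents = {}  # consent_id -> {"user", "app", "revoked"}
        self.refresh = {}   # refresh token -> {"consent", "exp"}
        self.access = {}    # access token -> {"consent", "exp"}
    def set_app_state(self, app_id, state):
        self.apps[app_id] = state  # only an Active application may obtain tokens

    def user_consents(self, user, app_id, now):
        """User grants the app access: one refresh token plus the first access token."""
        if self.apps.get(app_id) != "Active":
            raise PermissionError(f"app {app_id} is {self.apps.get(app_id)}")
        cid = secrets.token_hex(8)
        self.consents[cid] = {"user": user, "app": app_id, "revoked": False}
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"consent": cid, "exp": now + REFRESH_TTL}
        return rt, self.refresh_access(rt, now)

    def refresh_access(self, rt, now):
        """The refresh token's only purpose: generate a new short-lived access token."""
        rec = self.refresh.get(rt)
        if rec is None or rec["exp"] <= now or not self._consent_ok(rec["consent"]):
            return None
        at = secrets.token_urlsafe(32)
        self.access[at] = {"consent": rec["consent"], "exp": now + ACCESS_TTL}
        return at

    def introspect(self, at, now):
        """The resource's 'auth' call back to the token server: who is behind this token?"""
        rec = self.access.get(at)
        if rec is None or rec["exp"] <= now or not self._consent_ok(rec["consent"]):
            return None
        c = self.consents[rec["consent"]]
        return {"user": c["user"], "app": c["app"]}

    def revoke_consent(self, token):
        """Consent Revoked: every access and refresh token under that consent dies at once."""
        rec = self.access.get(token) or self.refresh.get(token)
        if rec:
            self.consents[rec["consent"]]["revoked"] = True
    def _consent_ok(self, cid):
        c = self.consents[cid]
        return not c["revoked"] and self.apps.get(c["app"]) == "Active"
```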

STEP 4 Live the nomenclature (not just learn it)


Structure (tokens edited for brevity):
  • ebay: AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs
  • google: ya29.GltiBRICgroWhf0XJe4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v
  • facebook: EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8EhrAD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
Sources: https://developer.ebay.com, https://developers.facebook.com/tools/explorer/, https://developers.google.com/oauthplayground

Structure: Is it just a random string? Are there any standards? JWT, SAML

Structure - JWT: https://jwt.io/

STEP 5 Choose the token format wisely (standards)

Structure - JWT: What goes in the claim? https://jwt.io/

Structure - What goes in the claim? (same diagram: client -> OAuth /token on the Secure Token Server -> Access Token; client -> Resource /cart with Access-token -> auth) Everything!

Structure - Why everything? Tokens are to Service APIs what cookies are to Web Apps. Claims: User entity, App entity, issuer, issueAt, expiresAt, deviceIdentifier, trackingId, ...
(Photo by Jennifer Pallian on Unsplash)

Structure - Versioning: We add new attributes every day, so version the claim set: v1, v1.1, v1.2, v1.3, v2.0, .... Claims: User entity, App entity, issuer, issueAt, version, expiresAt, deviceIdentifier, trackingId, ...

STEP 6 Capture every identifier possible and use versioning

No! Master! Am I ready yet? One more important step. (Photo by DeviantArt)


Security - JWT claim:
    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "testuser@gmail.com",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }
Integrity: Verified. Missing: Confidentiality, Revocation.
(Photo by Samuel Zeller on Unsplash)
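The three properties on this slide, as an added example (not code from the talk): the claim above minted as an HS256 JWT with Python's standard library. The HMAC gives integrity (a tampered payload or a wrong key fails verification), but the payload is only base64url, so anyone holding the token can read it, and nothing but `exp` ever ends its validity. The key and helper names are constructed for the example.

```python
# Added example (not from the talk): the JWT claim from the slide as an HS256 token,
# showing what its signature does and does not give. Key and claim values are constructed.
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key-keep-real-keys-in-a-kms"  # constructed secret

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes = KEY) -> str:
    """By value: header.payload.signature; the HMAC over the first two parts gives integrity."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes = KEY, now=None):
    """Return the claims only if the signature checks and 'exp' has not passed; else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None  # tampered payload or wrong key: the integrity check fails
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return None  # expiry is the only built-in way a by-value token stops working
    return claims

def read_without_key(token: str) -> dict:
    """Missing confidentiality: the payload is only base64url, so any holder can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))
```

Revocation has no counterpart here: once minted, the token is valid everywhere until `exp`, which is why the following slides add server-side persistence.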

Security - By Value vs. By Reference:
  By Value (the claims travel inside the token):
    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "testuser@gmail.com",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }
  By Reference (the token carries only a handle to claims held server-side):
    {
      "ref": "AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs"
    }

Security - By Value: Integrity verified. By Reference: Integrity verified, Confidential, Custom format (*), Persisted.

Fitting them together (diagram): client -> OAuth /token on the Secure Token Server -> Access Token; client -> Resource /cart with Access-token -> auth check against the Secure Token Server. The Secure Token Server persists to an RDBMS, writes AUDIT records asynchronously, and is backed by an App Metadata Server.

Persistence - Considerations: Atomic & Strong Consistency is needed for token generation (issuing new tokens) and token revocation (*).

Persistence - Considerations: Eventually Consistent is acceptable for the user-to-token mapping, auditing, and cache duplication.

STEP 7 Identify transactional needs

Performance: "Premature optimization is the root of all evil" - Donald Knuth. Identify hot spots; caching in Couchbase.

Fitting them together (diagram): as before (client -> OAuth /token -> Access Token; client -> Resource /cart with Access-token -> auth against the Secure Token Server; async AUDIT; RDBMS; App Metadata Server), now with a CACHE in front of the Secure Token Server's lookups.

STEP 8 Use caching to get optimal performance

OWASP (Open Web Application Security Project) reference: A2 – Broken Authentication and Session Management; A10 – Underprotected APIs

Fitting them together (diagram): as before (client -> OAuth /token -> Access Token; client -> Resource /cart with Access-token -> auth; CACHE; async AUDIT; RDBMS; App Metadata Server), now with the AUDIT stream feeding User & Risk Systems.

STEP 9 Audit all access patterns

Managing the whole show: Application lifecycle, Token lifecycle, Cryptography artifacts rotation, Authorizations registry, ....

STEP 10 Automate Everything

And the 10 steps are ....
  1. Embrace the standards
  2. Extensible token architecture
  3. Nuances of Cryptography
  4. Learn the nomenclature
  5. Correct token format
  6. All identifiers & versioning
  7. Identify transactional needs
  8. Use caching
  9. Audit all access patterns
  10. Automate Everything

Thank You! Blogs @ http://sengopal.me; Tweets @sengopal; Slides and Code @ http://bit.ly/apiworld-token-security