Token based API Security in TEN Steps

A presentation at PRDC Deliver Conference in October 2018 in Winnipeg, MB, Canada by Senthilkumar Gopal

Slide 1

Token based API Security in TEN steps Senthilkumar Gopal

Slide 2

ACME Fort Knox (diagram labels: Web Application, CSRF, Bot Check, Browser, Traffic Limiter, Input Sanitizer, Application Logic, Model Transform)

@sengopal

Slide 3

A Hero’s (‘real’) story: Build an Awesome Mobile App

Slide 4

ACME (Not) Fort Knox (diagram labels: Web Application, CSRF, Bot Check, Browser, Traffic Limiter, Input Sanitizer, Application Logic, Model Transform, API Server, Mobile App, CRUD Operations)

Slide 5

Slide 6

Web Application vs. APIs: “But no one else knew about the API server”

Slide 7

Web Application vs. APIs (source)

Slide 8

A Hero’s (‘real’) story

Slide 9

I need an ‘expert’

Slide 10

First Principles: APIs are …

  • Closer to Object Data Model
  • Intended to serve machines instead of real users

Slide 11

Example of Web Application vs. APIs

Slide 12

Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples

Slide 13

STEP 1 Embrace the standards

Slide 14

How to protect them?

  • Delegated Authorization
  • Delegated Authentication
  • Client Revocability
  • User Control

By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066

Slide 15

How to protect them? Source: OAuth2 in Action - By Justin Richer & Antonio Sanso

Slide 16

Typical API Security Workflow: Request Proxy Authentication Resource Cache Resource Authorization Rate Limiting

Slide 17

Why “Authentication” is important?

Authorization

    @PreAuthorize("hasPermission(#contact, 'admin')")
    public void deletePermission(Contact contact, Sid recipient, Permission permission);

Rate Limiting

    fs.setPath("/hi")
      .requestRateLimiter(MyRL.args(2, 4, AppKeyResolver))

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

Slide 18

STEP 2 Maintain an extensible token architecture

Slide 19

“If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow (source)

Slide 20

What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.”

Slide 21

What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.”

Slide 22

Entities: User Entity, Application Entity

Slide 23

What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.”

Slide 24

Cryptography 101 (diagram labels: server, client, private, public, signature e32d140bc54d)

Slide 25

STEP 3 Learn the nuances of Cryptography

Slide 26

What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.”

Slide 27

Authentication Server - a time tested strategy: Life Cycle, Structure, Persistence. Photo by Patrick Lindenberg on Unsplash

Slide 28

Authentication Server - a time tested strategy: Life Cycle, Structure, Persistence. Photo by Patrick Lindenberg on Unsplash

Slide 29

LifeCycle - Application (diagram labels: Retired, App Developer, Registered, Blocked, Generate tokens, Active)

Slide 30

LifeCycle - Tokens (diagram labels: App Developer, Access Token, Resource API, Tokens Revoked, User Consented, Access token, Refresh Token, Consent Revoked)

Slide 31

Fitting it all together (diagram labels: client, Access Token, Access-token, OAuth /token, auth, Secure Token Server, Resource /cart)

Slide 32

LifeCycle - Purpose

  • Refresh Token: To Generate new Access Token; Long Lived
  • Access Token: To Access protected Resource; Short Lived

Slide 33

STEP 4 Learn Live the nomenclature

Slide 34

Authentication Server - a time tested strategy: Life Cycle, Structure, Persistence. Photo by Patrick Lindenberg on Unsplash

Slide 35

Structure

ebay: AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs

google: ya29.GltiBRICgroWhf0XJe4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v

facebook: EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8EhrAD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD

  • Tokens edited for brevity

https://developer.ebay.com https://developers.facebook.com/tools/explorer/ https://developers.google.com/oauthplayground

Slide 36

Structure: Is it just a random string? Are there any standards? JWT, SAML

Slide 37

Structure - JWT https://jwt.io/

Slide 38

STEP 5 Choose the token format wisely (standards)

Slide 39

Structure - JWT: What goes in the claim? https://jwt.io/

Slide 40

Structure - What goes in the claim? Everything! (diagram labels: client, Access Token, OAuth /token, Secure Token Server, Access-token, auth, Resource /cart)

Slide 41

Structure - Why everything? tokens (Service APIs) IS SAME AS cookies (Web Apps)

  • User entity
  • App entity
  • issuer
  • issueAt
  • expiresAt
  • deviceIdentifier
  • trackingId
  • …

Photo by Jennifer Pallian on Unsplash

Slide 42

Structure - Versioning: We add new attributes every day. Versioning: v1, v1.1, v1.2, v1.3, v2.0, …

  • User entity
  • App entity
  • issuer
  • issueAt
  • version
  • expiresAt
  • deviceIdentifier
  • trackingId
  • …

Slide 43

STEP 6 Capture every identifier possible and use versioning

Slide 44

“Master! Am I ready yet?” “No! One more important step.” Photo by DeviantArt

Slide 45

Authentication Server - a time tested strategy: Life Cycle, Structure, Persistence. Photo by Patrick Lindenberg on Unsplash

Slide 46

https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

Slide 47

Security: JWT - Claim

    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "testuser@gmail.com",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }

  • Integrity Verified
  • Missing: Confidentiality, Revocation

Slide 48

Security

By Value

    {
      "sub": "110169484474386276334",
      "name": "John Doe",
      "iss": "https://www.ebay.com",
      "iat": "1433978353",
      "exp": "1433981953",
      "email": "testuser@gmail.com",
      "email_verified": "true",
      "given_name": "Test",
      "family_name": "User",
      "locale": "en"
    }

By Reference

    {
      "ref": "AgAAAAAQAAAAaAAAAA**E6+EWg**nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs"
    }

Slide 49

Security

  • By Value: Integrity Verified
  • By Reference: Integrity Verified, Confidential, Custom format *, Persisted

Slide 50

Fitting them together (diagram labels: client, Access Token, Access-token, OAuth /token, auth, async, AUDIT, Secure Token Server, RDBMS, Resource /cart, App Metadata Server)

Slide 51

Persistence - Considerations: Atomic & Strong Consistency

  • Token Generation of new tokens
  • Token Revocation *

Slide 52

Persistence - Considerations: Eventually Consistent

  • User - token
  • Auditing
  • Cache duplication

Slide 53

Fitting them together (diagram labels: client, Access Token, OAuth /token, async, Secure Token Server, Access-token, auth, Resource /cart, CACHE, AUDIT, RDBMS, App Metadata Server)

Slide 54

STEP 7 Identify transactional needs

Slide 55

Minimal Token Exposure

    {
      "sub": "110169484474386276334",
      "exp": "14339732223",
      ....
      "given_name": "Test",
      "family_name": "User",
      "email": "testuser@gmail.com",
      "iat": "14339732223",
      "scopes": "buy.order item.feed"
    }

    @PreAuthorize("hasPermission(#contact, 'buy.order')")
    public void buyOrder(Contact contact);

Slide 56

STEP 8 Allow only minimal scopes and least expiration time
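
Added example (not from the slides or the speaker's code): a by-value token in Python showing the checks behind STEP 8 and the "Integrity Verified / Missing Confidentiality" slide, namely signature, expiry and scope at the resource, plus reading the claims without the key. The key, the 300-second lifetime and the function names are assumptions; the claim names follow the slides.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: shared HS256 key, sample value only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, key: bytes = KEY) -> str:
    """Token server side: sign header.payload with HMAC-SHA256 (HS256)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def authorize(token: str, required_scope: str, now: int, key: bytes = KEY) -> dict:
    """Resource side: integrity first, then expiry, then scope. Raises on failure."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64u_dec(head))
        given = b64u_dec(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm server-side
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    claims = json.loads(b64u_dec(body))
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("expired")
    if required_scope not in claims.get("scopes", "").split():
        raise PermissionError("missing scope " + required_scope)
    return claims

def peek(token: str) -> dict:
    """No key needed: a signed token is readable by anyone who holds it."""
    return json.loads(b64u_dec(token.split(".")[1]))

# Constructed sample claims modelled on the slide: short lifetime, two scopes.
SAMPLE = issue({"sub": "110169484474386276334", "iss": "https://www.ebay.com",
                "iat": 1433978353, "exp": 1433978353 + 300,
                "scopes": "buy.order item.feed"})
```

Revocation is not covered by these checks: a by-value token stays valid until `exp`, which is why the short lifetime matters.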

Slide 57

OWASP (Open Web Application Security Project)

  • A2 – Broken Authentication and Session Management
  • A10 – Underprotected APIs

Reference

Slide 58

Fire Drill - Revocation Strategy: Token Revocation (User, Application, All)

Slide 59

Fitting them together (diagram labels: client, Access Token, OAuth /token, async, Secure Token Server, Access-token, auth, Resource /cart, CACHE, AUDIT, RDBMS, User & Risk Systems, App Metadata Server)

Slide 60

STEP 9 Audit all access patterns and “be prepared”

Slide 61

Managing the whole show

  • Application Lifecycle
  • Token lifecycle
  • Cryptography artifacts rotation
  • Authorizations registry
  • …

Slide 62

STEP 10 Automate Everything

Slide 63

And the 10 steps are …

  1. Embrace the standards
  2. Extensible token architecture
  3. Nuances of Cryptography
  4. Learn the nomenclature
  5. Correct token format
  6. All identifiers & versioning
  7. Identify transactional needs
  8. Allow only minimal scopes
  9. Audit all access patterns
  10. Automate Everything

Slide 64

Thank You! Blogs @ http://sengopal.me Tweets @sengopal Slides and Code @ http://bit.ly/api-token