A presentation at PRDC Deliver Conference in in Winnipeg, MB, Canada by Senthilkumar Gopal
Token based API Security in TEN steps Senthilkumar Gopal
ACME Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter INPUT SANITIZER APPLICATION LOGIC MODEL TRANSFORM @sengopal
A Hero’s (‘real’) story Build an Awesome Mobile App @sengopal
ACME (Not) Fort Knox Web Application CSRF Bot Check Browser Traffic Limiter Input Sanitizer Application Logic Model Transform API Server Mobile App CRUD Operations @sengopal
@sengopal
Web Application vs. APIs “ But no one else knew about the API server “ @sengopal
Web Application vs. APIs source @sengopal
A Hero’s (‘real’) story @sengopal
I need an ‘expert’ @sengopal
First Principles APIs are … Closer to Object Data Model Intended to serve machines instead of real users @sengopal
Example of Web Application vs. APIs @sengopal
Example of Web Application vs. APIs https://developer.ebay.com/api-docs/buy/order/resources/checkout_session/methods/placeOrder#_samples @sengopal
STEP 1 Embrace the standards
How to protect them? Delegated Authorization Delegated Authentication Client Revocability User Control By Chris Messina, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7188066 @sengopal
How to protect them? @sengopal Source: OAuth2 in Action - By Justin Richer & Antonio Sanso
Typical API Security Workflow Request Proxy Authentication Resource Cache Resource Authorization Rate Limiting @sengopal
Why “Authentication" is important? Authorization @PreAuthorize("hasPermission(#contact, 'admin')") public void deletePermission(Contact contact, Sid recipient, Permission permission); Rate Limiting fs.setPath(“/hi") .requestRateLimiter(MyRL.args(2, 4,AppKeyResolver)) https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html @sengopal
STEP 2 Maintain an extensible token architecture
“If you decide to go and create your own token system, you had best be really smart.” - Stack Overflow source @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.” @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity or entities. They are created using various techniques from the field of cryptography.” @sengopal
Entities User Entity Application Entity @sengopal
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough information to identify a particular entity/entities. They are created using various techniques from the field of cryptography.” @sengopal
Cryptography 101 server client private public signature e32d140bc54d @sengopal
STEP 3 Learn the nuances of Cryptography
What is a token? “A token is a piece of data which only a specific authentication server could possibly have created & contains enough data to identify a particular entity. They are created using various techniques from the field of cryptography.” @sengopal
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
LifeCycle - Application Retired App Developer Registered Blocked Generate tokens Active @sengopal
LifeCycle - Tokens App Developer Access Token Resource API Tokens Revoked User Consented Access token Refresh Token Consent Revoked @sengopal
Fitting it all together client Access Token Access-token OAuth /token auth Access Token Access-token Secure Token Server Resource /cart @sengopal
LifeCycle - Purpose Refresh Token Access Token To Generate new Access Token To Access protected Resource Long Lived Short Lived @sengopal
STEP 4 Learn Live the nomenclature
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
Structure ebay AgAAAAAQAAAAaAAAAAE6+EWgnY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6wMkIGkCJCGoA 2dj6x9nY+seQ+/5wK1dskM5/3EOEY7BDg7VHK/CmDimCvVPbtJankHhzJUF8rU876Qzjs google ya29.GltiBRICgroWhf0XJe4nYpzc9UG0Fn_Ghq06_yg3BDZ4EHM_X8rIirEnFUJVb9uawqW2tE9yqfT0KwcaEXLKp7VFpde5v facebook EAACEdEose0cBAJyrAOqIWCAPVobbylB7mZB7X3L0x5BLBosAAm2BDdUnhYKSp7VM9Tpyi8Ehr AD6ZBYZBtymYC5ZBxNv1XrCBngEi0gEWLejezZb0gkArZBkJWcFiVjGcKYy44EY8ZD
Structure Is it just a Are there any random string? standards? JWT SAML @sengopal
Structure - JWT https://jwt.io/ @sengopal
STEP 5 Choose the token format wisely (standards)
Structure - JWT What goes in the claim? https://jwt.io/ @sengopal
Structure - What goes in the claim? client Access Token OAuth /token Access Token Secure Token Server Access-token auth Resource /cart Access-token Everything! @sengopal
Structure - Why everything? tokens Service APIs IS SAME AS User entity App entity issuer issueAt cookies Web Apps expiresAt deviceIdentifier trackingId … @sengopal Photo by Jennifer Pallian on Unsplash
Structure - Versioning We add new attributes everyday. Versioning v1, v1.1, v1.2, v1.3, v2.0, …. User entity App entity issuer issueAt version expiresAt deviceIdentifier trackingId … @sengopal
STEP 6 Capture every identifier possible and use versioning
No! Master! Am I ready yet ? One more important step @sengopal Photo by DeviantArt
Authentication Server - a time tested strategy Life Cycle Structure Persistence @sengopal Photo by Patrick Lindenberg on Unsplash
https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ @sengopal
Security { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" } Integrity Verified Missing Confidentiality Revocation JWT - Claim @sengopal
Security By Value By Reference { "sub": "110169484474386276334", "name": "John Doe", "iss": "https://www.ebay.com", "iat": "1433978353", "exp": "1433981953", "email": "testuser@gmail.com", "email_verified": "true", "given_name": "Test", "family_name": "User", "locale": "en" { “ref”:” AgAAAAAQAAAAaAAAAA**E6+EWg* *nY+sHZ2PrBmdj6wVnY+sEZ2PrA2dj6 wMkIGkCJCGoA2dj6x9nY+seQ+/ 5wK1dskM5/3EOEY7BDg7VHK/ CmDimCvVPbtJankHhzJUF8rU876Qzjs ” } } @sengopal
Security By Value By Reference Integrity Verified Integrity Verified Confidential Custom format * Persisted @sengopal
Fitting them together client Access Token Access-token OAuth /token auth Access Token async AUDIT Access-token Secure Token Server RDBMS Resource /cart App Metadata Server @sengopal
Persistence - Considerations Atomic & Strong Consistency Token Generation of new tokens Token Revocation * @sengopal
Persistence - Considerations Eventually Consistent User - token Auditing Cache duplication @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS App Metadata Server @sengopal
STEP 7 Identify transactional needs
Minimal Token Exposure { "sub": "110169484474386276334", “exp": "14339732223" .... "given_name": "Test", "family_name": “User”, "email": “testuser@gmail.com”, "iat": "14339732223", “scopes": “buy.order item.feed” } @PreAuthorize("hasPermission(#contact, ‘buy.order')") public void buyOrder(Contact contact); @sengopal
STEP 8 Allow only minimal scopes and least expiration time
OWASP Open Web Application Security Project A2 – Broken Authentication and Session Management A10 – Underprotected APIs Reference @sengopal
Fire Drill - Revocation Strategy Token Revocation User Application All @sengopal
Fitting them together client Access Token OAuth /token Access Token async Secure Token Server Access-token auth Resource /cart CACHE AUDIT Access-token RDBMS User & Risk Systems App Metadata Server @sengopal
STEP 9 Audit all access patterns and “be prepared”
Managing the whole show Application Lifecycle Token lifecycle Cryptography artifacts rotation Authorizations registry …. @sengopal
STEP 10 Automate Everything
And the 10 steps are …. Embrace the standards All identifiers & versioning Extensible token architecture Identify transactional needs Nuances of Cryptography Allow only minimal scopes Learn the nomenclature Audit all access patterns Correct token format Automate Everything @sengopal
Thank You! Blogs @ http://sengopal.me Tweets @sengopal Slides and Code @ http://bit.ly/api-token
When it about converting business requirements to code, there are hundreds of best practices and frameworks available for developers to refer to. However, when it is about security for APIs, it is a well guarded secret on how does internet giants tackle their API security. What are there best practices. There are very few in this space who can ascertain to the credibility of their API and Identity assertion systems. This talk targets the uncertainty around the functioning and utility of tokens in an API security landscape. It addresses the basic needs of a token infrastructure and what would it take to build one. This talk aims to help developers embrace security and identity as part of their tool chain and remove the skepticism around building their own API security. The developers should be able to use this discussion as a launchpad for building their own API authentication systems. This is a unique talk as many companies closely guard the secret of how their token infrastructure functions.
The following resources were mentioned during the presentation or are useful additional information.
Here’s what was said about this presentation on social media.
for free. You
can too.