Best Practices in Building an API Security EcosystemPrabath Siriwardena, Director of Security, WSO2

Twitter : @prabath

About Me

• Director Security @ WSO2• Lead Architect WSO2 Identity Server• Apache Axis PMC Member• Blog : http://blog.facilelogin.com• Twitter : @prabath

Gateway Pattern

Gateway Pattern - Benefits

• Decouple clients from the actual API implementation

• No point-to-point to connection• Centralized security enforcing• Centralized auditing & monitoring• Version controlling

Direct Authentication – Internal Users

• HTTP Basic Authentication• HTTP Digest Authentication• TLS Mutual Authentication• OAuth 1.o : Two Legged OAuth• OAuth 2.o : Client Credentials• NTLM / Kerberos

HTTP Basic Authentication

curl -I-u $GitHubUserName:GitHubPassword -X POST -H 'Content-Type: application/x-www-form-urlencoded’-d '{"name": "my_github_repo"}' https://api.github.com/user/repos

Creating a GitHub repository

HTTP Digest Authentication

curl -k –-digest –u userName:password -v https://localhost:8443/recipe

HTTP/1.1 401 UnauthorizedWWW-Authenticate: Digest realm="cute-cupcakes.com", qop="auth”, nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

Authorization: Digest username="prabath", realm="cute-cupcakes.com", nonce="1390781967182:c2db4ebb26207f6ed38bb08eeffc7422", uri="/recipe", cnonce="MTM5MDc4", nc=00000001, qop="auth", response="f5bfb64ba8596d1b9ad1514702f5a062", opaque="F5288F4526B8EAFFC4AC79F04CA8A6ED"

HTTP Basic vs. Digest Authentication

TLS Mutual Authentication

Gateway itself does the certificate validation Fine-grained access validations can be done by the authorization server.

curl -k --cert client.pem https://localhost:8443/recipe

OAuth 1.0 : Two Legged OAuth

POST /student?name=pavithra HTTP/1.1 Host: server.com Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="simple", oauth_consumer_key="dsdsddDdsdsds ", oauth_token=" ", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1474343201",oauth_nonce="rerwerweJHKjhkdsjhkhj", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

OAuth 2.0 : Client Credentials

curl -v -X POST --basic -u 588997174524690:d5cc4d8e01c9bd7ac14b4d5e91006b5b ] -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8” -d "client_id=588997174524690&grant_type=client_credentials" https://graph.facebook.com/oauth/access_token

Kerberos / NTLM

Can be implemented as OAuth 2.0 grant types

Auditing / Monitoring

Chained APIs

Decoupling Authorization Server from Resource Server

Decoupling Authorization Server from Resource Server

POST /introspection HTTP/1.1 Accept: application/x-www-form-urlencoded Host: server.example.com Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{ "active": true, "client_id":"s6BhdRkqt3", "scope": "read write dolphin", "sub": "2309fj32kl", "aud": http://example.org/protected-resource/*}

Externalizing Authorization

XACML

OAuth & XACML

A given access token has a scope associated with it and it governs the access token’s capabilities

A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.

token=gfgew789hkhjkew87 resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities

XACML Request<Request> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue> </Attribute> <Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue> </Attribute> </Attributes></Request>

XACML Policy

<Policy> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> user_activities</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"></AttributeDesignator> </Match> </AllOf> </AnyOf> </Target> <Rule RuleId="permit_rule" Effect="Permit"> </Rule> <Rule RuleId="deny_rule" Effect="Deny"> </Rule></Policy>

Cross-Domain API Access

Cross-Domain API Access

curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa” -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2 bearer&assertion=PHNhbWxwOl...[omitted for brevity]...ZT4" https://localhost:9443/oauth2/token

Centralized Authorization with Distributed Resource Servers

User Managed Access

• PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.

• AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server)

• RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.

Contact us !