ITANA - Advanced API Security
ITANA Group
Nuwan Dias
Architect
22/06/2017
2
HTTP Basic Authentication
3
API Security is about controlling Access
Delegation
4
OAuth2.0
● A framework that has mastered the art of access delegation.
● Depends on SSL/TLS.
● Caters to a wide variety of use cases via grant types.
5
WSO2 API Security Architecture
(Diagram: the client calls the API over https with the access_token; the gateway validates the token via token introspection.)
8
API Authentication - Getting an Access Token
● Access Token Request
curl -k -d "grant_type=password&username=<username>&password=<password>" \
  -H "Authorization: Basic <base64encode(consumer-key:consumer-secret)>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://localhost:8243/token
9
API Authorization - Scopes
● A scope defines an action to be performed.
● A scope can be bound to one or many roles/groups.
● A scope can be attached to one or more API Resources.
● Scopes are granted to an access token.
● Scopes have to be requested when requesting the access token.
10
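An added example (my own Python, not from the slides or from WSO2) that models the scope rules above end to end: the token endpoint grants only the requested scopes that the user's roles are bound to, and the gateway admits a call only if the resource's scope is on the token. The role-to-scope bindings, the resource-to-scope mapping and the scope names are constructed for the demo.

```python
from dataclasses import dataclass, field

# A scope can be bound to one or many roles/groups (constructed bindings).
ROLE_SCOPES = {
    "customer": {"order:read"},
    "agent": {"order:read", "order:write"},
    "admin": {"order:read", "order:write", "order:delete"},
}

# A scope can be attached to one or more API resources (constructed mapping).
RESOURCE_SCOPES = {
    ("GET", "/orders"): "order:read",
    ("POST", "/orders"): "order:write",
    ("DELETE", "/orders"): "order:delete",
}


@dataclass
class AccessToken:
    subject: str
    scopes: frozenset = field(default_factory=frozenset)


def issue_token(subject: str, roles: set, requested: set) -> AccessToken:
    """Token endpoint: scopes must be requested, and only those the user's
    roles are bound to are granted; anything else is silently dropped."""
    allowed = set().union(*(ROLE_SCOPES.get(r, set()) for r in roles))
    return AccessToken(subject, frozenset(requested & allowed))


def authorize(token: AccessToken, method: str, path: str) -> bool:
    """Gateway check: the resource's scope must be present on the token.
    A resource with no scope mapping is denied, so the check fails closed."""
    required = RESOURCE_SCOPES.get((method, path))
    return required is not None and required in token.scopes


if __name__ == "__main__":
    tok = issue_token("john", {"customer"}, {"order:read", "order:write"})
    print(sorted(tok.scopes))                  # only order:read survives
    print(authorize(tok, "GET", "/orders"))    # True
    print(authorize(tok, "POST", "/orders"))   # False
```

The fail-closed default in authorize is the part worth copying: a resource that nobody mapped to a scope is not reachable by accident.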
API Authorization - Scopes
11
API Authorization - Scopes
12
Getting an Access Token with Scope(s)
13
Fine Grained Access Control using Policies
● XACML provides a way to perform policy based fine grained access control
14
XACML Reference Architecture
15
OAuth2.0 - Implicit Grant
● The problem - JavaScript applications aren't capable of securely storing sensitive information.
● The solution - The implicit grant doesn't require the client application to store sensitive information, nor does it expect the user to provide credentials to the client application.
● The token is sent in a redirect URL to the browser as a URI fragment. URI fragments are not submitted to the server and are only accessible to JavaScript.
https://myexamplecallback.com/#access_token=asdfwe-asdab243-asn3sl&expires_in=3600
16
OAuth2.0 - Implicit Grant
● Vulnerable to XSS attacks - If the site is vulnerable to XSS, an attacker can steal the token.
18
A possible alternative - The split token pattern
(Diagram, Browser → Web Server → Authorization Server: the browser sends login(username, password) to the web server; the web server calls token(un, pw, c_id, c_secret) on the authorization server and receives access_token, refresh_token.)
19
Split token pattern - Token Validation
(Diagram, Browser → API Gateway → Authorization Server: the API gateway merges the 2 values to form the full token and calls /introspect with full_token.)
20
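An added example (my own Python, not from the slides or from WSO2) that simulates the two split-token diagrams above in one process. The slides do not say how the browser carries the two halves; this example assumes one half is returned in the login response body (readable by page script) and the other in an HttpOnly cookie (sent by the browser, not readable by script), so a script that leaks one value does not hold a usable token. The header name X-Token-Part, the cookie name tok_part and the in-memory token store are invented for the demo.

```python
import hashlib
import secrets


def _fingerprint(token: str) -> str:
    # The authorization server stores only a hash of each issued token.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    """Issues opaque bearer tokens and answers /introspect for full tokens only."""

    def __init__(self):
        self._active = {}  # fingerprint -> subject (constructed in-memory store)

    def token(self, username, password, client_id, client_secret):
        # Credential checking is stubbed: the demo only requires non-empty values.
        if not all((username, password, client_id, client_secret)):
            raise PermissionError("invalid credentials")
        access_token = secrets.token_urlsafe(32)
        self._active[_fingerprint(access_token)] = username
        return access_token

    def introspect(self, full_token):
        subject = self._active.get(_fingerprint(full_token))
        return {"active": subject is not None, "sub": subject}


def split_token(full_token):
    """Cut the token in two; neither half introspects as active on its own."""
    mid = len(full_token) // 2
    return full_token[:mid], full_token[mid:]


class WebServer:
    """Obtains the token on the browser's behalf (password grant with the
    app's own client credentials) and returns the two halves over two channels."""

    def __init__(self, auth, client_id, client_secret):
        self.auth, self.client_id, self.client_secret = auth, client_id, client_secret

    def login(self, username, password):
        full = self.auth.token(username, password, self.client_id, self.client_secret)
        script_half, cookie_half = split_token(full)
        return {
            "body": {"token_part": script_half},
            "set_cookie": {"name": "tok_part", "value": cookie_half, "HttpOnly": True},
        }


class ApiGateway:
    """Merges the two values to form the full token and introspects it."""

    def __init__(self, auth):
        self.auth = auth

    def handle(self, headers, cookies):
        script_half = headers.get("X-Token-Part")  # hypothetical header name
        cookie_half = cookies.get("tok_part")
        if not script_half or not cookie_half:
            return {"active": False, "sub": None}
        return self.auth.introspect(script_half + cookie_half)


if __name__ == "__main__":
    auth = AuthorizationServer()
    web = WebServer(auth, "client-id", "client-secret")
    gateway = ApiGateway(auth)
    login = web.login("john", "secret")
    part_a, part_b = login["body"]["token_part"], login["set_cookie"]["value"]
    print(gateway.handle({"X-Token-Part": part_a}, {"tok_part": part_b}))  # active
    print(auth.introspect(part_a))                                          # inactive
```

Only the gateway ever sees the reassembled token, and the authorization server's store holds hashes rather than raw tokens, so a dump of either store does not yield usable credentials.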
Securing B2B APIs using OAuth
● The problem - B2B interactions do not involve a human. This causes complications when a user is required to authenticate in order to get a token.
● The solutions -
○ client_credentials grant - For unique client applications (no resource owner)
○ JWT grant - For reusable client applications with a resource owner
21
client_credentials grant
(Diagram: System 1 - client_id=1 and System 2 - client_id=2, each calling the API Gateway with its own client identity.)
22
client_credentials grant
(Diagram: System 1 - client_id=1, resource_owner=john; System 2 - client_id=1, resource_owner=smith.)
24
JWT
eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0NjEyMzM5ND.OYUJyfR_UhKuPWNJw
Header:
{
  "alg": "RS256"
}
Payload:
{
  "exp": 1458166985,
  "sub": "john",
  "nbf": 1458106985,
  "aud": [
    "https://localhost:9443/oauth2/token",
    "wso2-IS"
  ],
  ……...
}
25
JWT Grant
(Diagram: Client Application → Authorization Server.)
26
Data Redaction - Method 1 (Through the Target Server)
● The API Gateway generates a JWT that contains the user claims and other attributes and passes this information to the Target Server (back-end) in a special HTTP header.
● The Target Server can use this information to decide which data to provide in the response.
27
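An added example (my own Python, not from the slides or from WSO2) that serves the JWT slide, the JWT grant and Data Redaction Method 1 together: it builds a JWT with the claim layout shown above (sub, nbf, exp, aud), verifies it as an authorization server would for a JWT grant assertion (signature, alg, exp, nbf and aud must include the token endpoint), and then reuses the same verifier on the back-end side to decide which fields to return from the claims a gateway forwarded. To run offline with the standard library it signs with HS256 and a shared key; the slide's token uses RS256, which needs an asymmetric key pair and a signature check with the public key instead of hmac. The header name X-JWT-Assertion, the audience string "orders-backend", the roles claim and the sensitive field names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 for the demo; the slide's token is RS256 (asymmetric key)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes, audience: str, now: float = None) -> dict:
    """Return the claims, or raise ValueError. Order matters: the signature is
    checked before any claim is trusted, and the alg is pinned so a token
    claiming alg=none or a different algorithm is rejected outright."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= claims.get("exp", 0):          # missing exp counts as expired
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    return claims


# --- Data Redaction Method 1 ---------------------------------------------
ASSERTION_HEADER = "X-JWT-Assertion"       # hypothetical header name
BACKEND_AUDIENCE = "orders-backend"        # constructed audience value
SENSITIVE_FIELDS = {"card_number", "home_address"}


def gateway_forward(subject: str, roles: list, gateway_key: bytes, now: float) -> dict:
    """Gateway side: put the user's claims into a short-lived JWT and forward it
    in a special HTTP header to the back-end."""
    claims = {"sub": subject, "roles": roles, "aud": [BACKEND_AUDIENCE],
              "nbf": now, "exp": now + 300}
    return {ASSERTION_HEADER: sign_jwt(claims, gateway_key)}


def backend_get_order(headers: dict, record: dict, gateway_key: bytes, now: float = None) -> dict:
    """Back-end side: verify the forwarded JWT, then decide which fields to return."""
    claims = verify_jwt(headers.get(ASSERTION_HEADER, ""), gateway_key, BACKEND_AUDIENCE, now)
    if "admin" in claims.get("roles", []):
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    key = b"constructed-demo-key"
    now = 1458106995  # between the slide's nbf and exp values
    assertion = sign_jwt({"sub": "john", "nbf": 1458106985, "exp": 1458166985,
                          "aud": ["https://localhost:9443/oauth2/token", "wso2-IS"]}, key)
    print(verify_jwt(assertion, key, "https://localhost:9443/oauth2/token", now)["sub"])
    order = {"id": 1, "card_number": "4111-xxxx", "home_address": "constructed"}
    print(backend_get_order(gateway_forward("john", ["customer"], key, now), order, key, now))
```

The back-end does not trust the header because it came from the gateway's network; it verifies the signature and audience first, so a request that reaches it without going through the gateway carries no usable claims.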
Data Redaction - Method 2 (Using Policies)
● The API Gateway contacts a PDP to check whether the user bears the necessary permission and determines the final API response based on that decision.
(Diagram: Client Application → API Gateway → Target Server; the API Gateway consults the PDP and returns a Modified Response to the client.)
28
Recommended Reading
29
THANK YOU
wso2.com