REST API Design, Development & Management
Session 5: API Security
Basic authentication
Token based authentication
Key secret based authentication
API Authorization using OAuth
Recap of API Specification
Q&A
Let’s do the exercise together
● Mini applies for a credit card.
● The credit card application has the following attributes: applicant_name*, application_date*, age, salary, status (approved, rejected).
● On successful application a new credit card account is created (account attributes are: id*, credit_limit*, available_limit*, account_holder_name*, status* (approved, rejected)) and a new credit card is issued.
● Mini loves to use her new credit card to shop online.
● Every credit card transaction has the following attributes: transaction_id*, amount*, date*, transaction_type* (credit, debit), remarks.
● On the 5th day of every month her statement/bill is generated. A statement has attributes like: statement_date*, due_date*, bill_amount*, min_due*.
And the tasks are:
1. List all the resources this problem statement can have.
2. Create a new API specification document for this problem statement.
   a. First, define all meta information.
   b. Second, define all resources/models.
   c. Third, define paths for CRUD operations of the following: Credit Card Application, Credit Card Account, Transaction, Credit Card Statement.
      i. Every path should contain: summary, description, tags, parameters (if any), request, responses (200, 401, 404, 422).
Let’s see an example of custom headers
Introduction to API Security
Application Security
Figure: a mobile banking application calls the API through a gateway. Security concerns: 1. Data theft, 2. Data manipulation, 3. Identity theft, 4. DOS attack, 5. Who is the caller of the API?, 6. Is the transaction authorised?, 7. Secure data.
Data Security
● Data protection
● Data integrity
Data at rest (currently present in databases) is outside the scope of the REST API.
Data in motion: in scope for the REST API.
API Security
Authentication
Authorization
Functional Attacks
Basic Authentication
Basic Authentication
Figure: the API consumer sends the HTTP header "Authorization: Encoded-Creds", where the credentials are the Base64 encoded "User:Password"; the API answers with 200 OK or 401 Unauthorized.
Basic Authentication Weakness
Figure: credentials stored on the phone are sent by 3rd party apps and websites to api.cowin.gov.in; over HTTP they travel as clear-text credentials.
Summary of Basic Authentication
Basic Authentication
● Uses the standard HTTP Authorization header.
● Requires the credentials to be passed in every request.
● Must be used with HTTPS.
Basic Authentication is part of the standard HTTP specification.
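As an added example (not from the slides), here is the Authorization header built on the consumer side and parsed on the API side, with the 401 challenge on failure. The user store and the password are constructed for the demo; the decode step shows why Base64 offers no protection without HTTPS.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed demo credential store; a real service holds salted password hashes.
USERS = {"mini": "s3cret-pass"}


def build_basic_header(user: str, password: str) -> str:
    """Consumer side: Base64 encode 'user:password' and prefix the Basic scheme."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """API side: recover the clear-text user and password from the header.

    Returns None when the header is missing or malformed. No key is needed
    here: Base64 is an encoding, not encryption, which is why the header must
    only ever travel over HTTPS (TLS).
    """
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # bad Base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header: Optional[str]) -> Tuple[int, dict]:
    """Return the HTTP status and response headers for one request."""
    creds = parse_basic_header(header)
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "")
        # compare_digest avoids the early-exit timing difference of '==' on mismatched bytes.
        if expected and hmac.compare_digest(password.encode(), expected.encode()):
            return 200, {}
    # Failure: 401 plus the challenge that tells the consumer which scheme to use.
    return 401, {"WWW-Authenticate": 'Basic realm="api"'}
```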
Poll questions:
● Which header is used for Basic Authentication?
● Which one is used in the Authorization header for Basic Authentication?
● What are the issue(s) with Basic Authentication?
● The encoding of credentials in Basic Authentication is:
● You MUST use HTTPS (TLS) with Basic Authentication?
● Reason for using HTTPS in
● HTTP status code ______ is sent back from basic auth in case of failure
Token Based Authentication & JWT
Token Based Authentication
Figure: 3rd party apps and websites send {Credentials} to /token on api.cowin.gov.in and receive a {Token}; every later call to /resource carries the {Token}.
Tokens?
● Encoded string, built with hashing or a private key (encryption/signing).
● Eliminates the need for sessions on the API; the token is sent in the HTTP header, query parameters or request body.
● The issuer can control the validity: expiry, revocation.
JSON Web Tokens
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header (Base64) . Payload (Base64; Registered/Public/Private Claims) . Signature
JWT - Header
Header (Base64): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Decoded:
{
  "alg": "HS256",
  "typ": "JWT"
}
Type
● “JWT”
Hashing Algorithm
● “HS256”
● “HMAC”
● ...
JWT - Payload
Payload (Base64; Registered/Public/Private Claims): eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Decoded:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Registered claims:
● iss Issuer, e.g. mybank.com
● exp Expiry timestamp
● nbf Not before timestamp
● ...
Public claims:
● name
● email
● phone_number
● ...
Private claims:
● As agreed upon between the consumer & provider
JWT - Signature
Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Signature = Base64( Hashed( Base64(Header) + “.” + Base64(Payload), Secret ) )
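The three JWT parts above, issued and verified with HS256 as an added example (not code from the slides). The header and payload segments it produces are exactly the ones shown on the slides; the secret is constructed here, since the slides do not show the secret behind their signature, and the exp/nbf checks implement the issuer-controlled expiry described earlier.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT uses for all three parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that b64url() stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue header.payload.signature; the signature is HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(compact(header)) + "." + b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims when the signature and the exp/nbf claims check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        given_sig = b64url_decode(s)
    except ValueError:  # wrong segment count, bad Base64 or bad JSON
        return None
    # The verifier decides the algorithm; the header's 'alg' is checked, never obeyed.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None  # payload or signature altered, or signed with a different secret
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None  # expired: issuer-controlled validity
    if "nbf" in claims and now < claims["nbf"]:
        return None  # not valid yet
    return claims
```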
Summary of Token based Authentication
● Tokens are encoded strings used for authentication
● Tokens may be set to expire
● Tokens may be revoked
Poll questions:
● Tokens are _________ strings
● JWT stands for _______
● Tokens need to be sent for all resources that are ___________
● Tokens may be sent by the consumer in __________ depending on the API implementation.
● Following is NOT part of the JWT token
● Which part of JWT is not base64 encoded?
● Issuer can control the validity of the tokens?
● Claims are part of the :
● Which one is not a type of Payload/Claim
● name, email, phone_number are examples of __________ claim
Thank you!
See you tomorrow at 10AM