Scribd
Upload
10 views41 pages

Session 5 - REST API Design, Development & Management - API Security

Uploaded by

72 Yash Shinde
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
10 views41 pages

Session 5 - REST API Design, Development & Management - API Security

Uploaded by

72 Yash Shinde
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 41

REST API Design, Development &

Management

Session 5: API Security


Session 5: API Security
Basic authentication

Token based authentication

Key secret based authentication

API Authorization using OAuth

REST API Design, Development & Management


Recap of API Specification
Q&A

REST API Design, Development & Management


Let’s do the exercise together
● Mini applies for a credit card
● The credit card application have the following attributes: applicant_name*, application_date*, age, salary, status
(approved, rejected)
● On successful application a new credit card account got created (account attributes are: id*, credit_limit*,
available_limit*, account_holder_name*, status* (approved, rejected) ) and a new credit card issued.
● Mini loves to use her new credit card to shop online.
● Every credit card transaction will have the following attributes: transaction_id*, amount*, date*, transaction_type*
(credit, debit), remarks.
● 5th day of every month her statement/bill gets generated. Statement have attributes like: statement_date*,
due_date*, bill_amount*, min_due*.

And the tasks are

1. List all the resources this problem statement can have.


2. Create a new API specification document for this problem statement
a. First define all meta information
b. Second, define all resources/Models
c. Third, define paths for CRUD operations of the following: Credit Card Application,
Credit Card Account, Transaction, Credit Card Statement.
i. Every path should contain: summary, description, tags, parameters (if any),
request, responses (200, 401, 404, 422)
REST API Design, Development & Management
Let’s see an example of custom headers

REST API Design, Development & Management


Introduction to API Security

REST API Design, Development & Management


Application Security

Gateway
REST API Design, Development & Management
Mobile Banking Application

7. Secure Data
6. Transaction
authorised?

5. Who is the
caller of API?

1. Data Theft
2. Data Manipulation
3. Identity Theft
4. DOS attack
REST API Design, Development & Management
Data Security
Data

Protection Integrity

Data at rest(currently present in databases) is outside the scope of REST API

Data in Motion: In the scope for REST API

REST API Design, Development & Management


API Security

Authentication

Authorization

Functional Attacks

REST API Design, Development & Management


Basic Authentication

REST API Design, Development & Management


Basic Authentication
● Base64 Encoded
● User: Password

HTTP Header
Authorization: Encoded-Creds

API Consumer
HTTP Header
200 OK
401 Unauthorized

REST API Design, Development & Management


Basic Authentication Weakness

{Cre
dent
ials}

Credentials on
Phone
api.cowin.gov.in
}
entials
{ Cred
3rd Party apps and
websites HTTP
{Clear text credentials}

REST API Design, Development & Management


Summary of Basic Authentication

Basic Authentication
● Uses basic HTTP Header Authorization.
● Required credentials to be passed in every requests.
● Must be used with HTTPS.

REST API Design, Development & Management


Basic Authentication is part
of standard HTTP
specification

ⓘ Start presenting to display the poll results on this slide.


Which header is used for
Basic Authentication?

ⓘ Start presenting to display the poll results on this slide.


Which one is used in the
Authorization header for
Basic Authentication?

ⓘ Start presenting to display the poll results on this slide.


What are the issue(s) with
Basic Authentication

ⓘ Start presenting to display the poll results on this slide.


The encoding of credentials
in Basic Authentication is:

ⓘ Start presenting to display the poll results on this slide.


You MUST use HTTPs (TLS)
with Basic Authentication?

ⓘ Start presenting to display the poll results on this slide.


Reason for using HTTPs in

ⓘ Start presenting to display the poll results on this slide.


HTTP status code ______ is
sent back from basic auth in
case of failure

ⓘ Start presenting to display the poll results on this slide.


Token Based Authentication & JWT

REST API Design, Development & Management


Token Based Authentication

/token {Credentials}

3rd Party apps and


websites
{Token} api.cowin.gov.in

{Token}

/resource {Token}

REST API Design, Development & Management


Tokens?
Encoded string
● Hashing or private key for encryption.

Eliminates the need of sessions on API


● HTTP Header
● Query Parameters
● Request Body

Issuer can control the validity


● Expiry
● Revocation

REST API Design, Development & Management


JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIx
MjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0Ij
oxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf3
6POk6yJV_adQssw5c

Base64 Base64

Payload
Header Signature
(Registered/Public/Private Claims)

REST API Design, Development & Management


JWT - Header
Header eyJhbGciOiJIUzI1NiIsInR5cCI
6IkpXVCJ9
Type
{
● “JWT” "alg": "HS256",
Base64 "typ": "JWT"
}
Hashing Algorithm
● “HS256”
● “HMAC”
● ...

REST API Design, Development & Management


JWT - Payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmF
tZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE
2MjM5MDIyfQ
Payload
(Registered/Public/Private Claims)
{
"sub": "1234567890",
"name": "John Doe",
Base64
"iat": 1516239022
}

Registered Public Private

● iss Issuer e.g. mybank.com ● name ● As agreed upon the


● exp Expiry timestamp ● email consumer &
● nbf Not before timestamp ● phone_number provider
● ... ● ...

REST API Design, Development & Management


JWT - Signature
SflKxwRJSMeKKF2QT
Signature
4fwpMeJf36POk6yJV_
adQssw5c
Hashed

Secret

Base64 Base64

Header + “.” + Payload

REST API Design, Development & Management


Summary of Token based Authentication

● Tokens are encoded string used for authentication

● Tokens may be set to expire

● Tokens may be revoked

REST API Design, Development & Management


Tokens are _________ strings

ⓘ Start presenting to display the poll results on this slide.


JWT stands for _______

ⓘ Start presenting to display the poll results on this slide.


Tokens need to be sent for
all resources that are
___________

ⓘ Start presenting to display the poll results on this slide.


Tokens may be sent by the
consumer in __________ depending
on the API implementation.

ⓘ Start presenting to display the poll results on this slide.


Following is NOT part of the
JWT token

ⓘ Start presenting to display the poll results on this slide.


Which part of JWT is not
base64 encoded?

ⓘ Start presenting to display the poll results on this slide.


Issuer can control the
validity of the tokens?

ⓘ Start presenting to display the poll results on this slide.


Claims are part of the :

ⓘ Start presenting to display the poll results on this slide.


Which one is not a type of
Payload/Claim

ⓘ Start presenting to display the poll results on this slide.


name, email, phone_number
are examples of __________
claim

ⓘ Start presenting to display the poll results on this slide.


Thank you!

See you tomorrow at 10AM

REST API Design, Development & Management

You might also like