Securing APIs and Microservices with OAuth and OpenID Connect

Similar documents
OAuth and OpenID Connect (IN PLAIN ENGLISH)

Tutorial: Building the Services Ecosystem

API Gateway. Version 7.5.1

Easily Secure your Microservices with Keycloak. Sébastien Blanc Red

openid connect all the things

Advanced API Security

Technical Overview. Version March 2018 Author: Vittorio Bertola

A TECHNICAL DESIGN FOR A BLUE BADGE DIGITAL SERVICE

Stateless Microservice Security via JWT, TomEE and MicroProfile

fredag 7 september 12 OpenID Connect

OPENID CONNECT 101 WHITE PAPER

Warm Up to Identity Protocol Soup

Partner Center: Secure application model

FAS Authorization Server - OpenID Connect Onboarding

Check to enable generation of refresh tokens when refreshing access tokens

REST API Operations. 8.0 Release. 12/1/2015 Version 8.0.0

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Nordea e-identification Service description

Connect. explained. Vladimir Dzhuvinov. :

Using OAuth 2.0 to Access ionbiz APIs

Building the Modern Research Data Portal. Developer Tutorial

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

CS144: Sessions. Cookie : CS144: Web Applications

OpenID Connect Opens the Door to SAS Viya APIs

ForgeRock Access Management Customization and APIs

How to use or not use the AWS API Gateway for Microservices

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Protect Your API with OAuth 2. Rob Allen

[GSoC Proposal] Securing Airavata API

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

5 OAuth Essentials for API Access Control

Web Based Single Sign-On and Access Control

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

Allowing the user to define the attribute release 21 May 2014

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

5 OAuth EssEntiAls for APi AccEss control layer7.com

Your Auth is open! Oversharing with OpenAuth & SAML

API Security Management with Sentinet SENTINET

OAuth 2.0 Guide. ForgeRock Access Management 5.1. ForgeRock AS 201 Mission St, Suite 2900 San Francisco, CA 94105, USA (US)

Integrating with ClearPass HTTP APIs

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Connect-2-Everything SAML SSO (client documentation)

RESTful API Design APIs your consumers will love

Single Sign-On for PCF. User's Guide

OpenID Connect Update

Cloud Access Manager Configuration Guide

Salesforce1 Mobile Security White Paper. Revised: April 2014

Introduction to SciTokens

Mobile Procurement REST API (MOBPROC): Access Tokens

PSD2 AND OPEN BANKING SOLUTION GUIDE

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

FAS Authorization Server - OpenID Connect Onboarding

SECURING ASP.NET CORE APPLICATIONS

Authentication with OAuth 2.0

NetIQ Access Manager 4.4. REST API Guide

API Security Management SENTINET

Authentication in the Cloud. Stefan Seelmann

PowerExchange for Facebook: How to Configure Open Authentication using the OAuth Utility

Combination of the PEAP Protocol with EAP-OpenID Connect

Authentication. Katarina

FAS Authorization Server - OpenID Connect Onboarding

OAuth 2.0 Guide. ForgeRock Access Management 5.5. ForgeRock AS 201 Mission St, Suite 2900 San Francisco, CA 94105, USA (US)

Enhanced OpenID Protocol in Identity Management

NetIQ Access Manager 4.3. REST API Guide

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

CA SiteMinder Federation

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Access Manager 4.4 Release Notes

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Microsoft Graph API Deep Dive

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

User Directories. Overview, Pros and Cons

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

INDIGO-Datacloud Identity and Access Management Service

GPII Security. Washington DC, November 2015

Interaction between the Client and the Authorization Server (Symmetric Keys)

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

CS November 2018

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Java Relying Party API v1.0 Programmer s Guide

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

Cloud Access Manager Overview

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

TIBCO Cloud Integration Security Overview

PAS for OpenEdge Support for JWT and OAuth Samples -

Deep Dive on Azure Active Directory for Developers. Jelle Druyts Premier Field Engineer Microsoft Services

External HTTPS Trigger AXIS Camera Station 5.06 and above

Leveraging the Globus Platform in your Web Applications. GlobusWorld April 26, 2018 Greg Nawrocki

How to Configure Authentication and Access Control (AAA)

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Authentication and Authorization of End User in Microservice Architecture

Xerox Connect App for Blackboard

IBM Security Access Manager Version 9.0 October Product overview IBM

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Security Guide Oracle Banking Virtual Account Management Release July 2018

Best Practices in Securing Your Customer Data in Salesforce, Force.com & Chatter

Transcription:

Securing APIs and Microservices with OAuth and OpenID Connect By Travis Spencer, CEO @travisspencer, @curityio

Organizers and founders ü All API Conferences ü API Community ü Active blogosphere 2018 Platform Summit October 22 24, 2018 Stockholm, Sweden Austin API Summit TBD 2019 Austin, Texas

OAuth Basics Actors, code flow, etc.

OAuth OAuth 2 is a protocol of protocols Used as the base of other specifications OpenID Connect, UMA, HEART, etc. Addresses some important requirements Delegated access No password sharing Revocation of access

OAuth Actors 1. Resource Owner (RO) 2. Client 3. Authorization Server (AS) 4. Resource Server (RS) (i.e., API) Get a token Use a token

Request, Authenticate & Consent Request Access Login Consent

Code Flow User is redirected to OAuth server APIs & microservices

Code Flow User logs in and delegates access APIs & microservices

Code Flow Short-lived access code is issued to client APIs & microservices

Code Flow Code is exchanged for an access token APIs & microservices

Code Flow Access token can be used to call APIs APIs & microservices

Scopes Grouping of claims Scope specifies extent of tokens usefulness Claims in scope can be used as permissions No standardized scopes (in OAuth); various in OpenID Connect

Kinds of Tokens Access Tokens Refresh Tokens Like a session Used to secure API calls Like a Password Used to get new access tokens

Profiles of Tokens Bearer Holder of Key $ Bearer tokens are like cash HoK tokens are like credit cards

Types of Tokens WS-Security & SAML Custom Home-grown Oracle Access Manager SiteMinder CBOR Web Tokens (CWT) JWT

JWT Type Tokens Pronounced like the English word jot Lightweight tokens passed in HTTP headers & query strings Encoded as JSON Compact Encrypted, signed, or neither Not the only kind of token allowed by OAuth JWT

Passing Tokens By Value By Reference User attributes are in the token User attributes are referenced by an identifier

Improper Usage of OAuth Not for authentication Not for federation Not really for authorization

Proper Usage or OAuth For delegation

OpenID Connect Overview Code flow with ID token, user info, etc.

OpenID Connect Based on OAuth 2 Made for mobile Client also receive tokens User info endpoint provided for client to get user data Additional flows hybrid Claims, request obj, etc.

OpenID Connect Examples OAuth AS / OpenID Provider Access token & ID token User info RP / Client Get Send user code info to using get access token Request login, providing openid scope & user info Access code scopes Check audience restriction of ID token Browser

ID Token is for the Client Access token is for API ID token is for client ID token provides client with info about Intended client recipient Username Credential used to login Issuer of token Expiration time

User Info Endpoint Token issuance and user discovery endpoint Authenticate using access token issued by OpenID Provider Output depends on requested and authorized scopes sub claim must match sub claim in ID token

Demo

Phantom Tokens Privacy-preserving token usage pattern for microservices

Basic Approach User is redirected to OAuth server APIs & microservices

Basic Approach User logs in and delegates access APIs & microservices

Basic Approach Access token is issued to client APIs & microservices

Basic Approach Access token can be used to call APIs APIs & microservices

Phantom Token Approach Access token is a by-ref token used externally Reverse Proxy APIs & microservices

Phantom Token Approach JWT External, by-ref token is converted to a by-val internal phantom token Reverse Proxy APIs & microservices

Phantom Token Approach Internal phantom token is used to call actual APIs JWT Reverse Proxy APIs & microservices

Benefits of the Phantom Token Approach Smaller regulated space Not possible for client to access any PII JWE puts decryption inputs into the attacker s hands JWTs (or other by-val token) only require transport compromise Front-end clients can t depend on access token s contents Standard compliant Vendor neutral

Drawbacks Alternatives Network call to dereference token Cache based on TTL from OAuth server Preemptively populate cache Use a fast reverse proxy Doesn t work in multi-tenant scenarios By-val JWT that only contains: iss azp exp jti aud a la HEART Must still be introspected

Summary Actors Resource owner and server, client & authorization server Flows Code flow (with and without ID token), etc. Token Kinds Ways of passing Profiles Appropriate uses Only delegation Use phantom tokens to simplify & secure integration with APIs Copyright Curity AB 2017 36

More Info Come over to our booth and win a Nintendo Switch Tutorials on curity.support Code examples on github.com/curityio Workshops on Thursday Download Curity from curity.io

Visit curity.io and stop by our booth

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback