While TLS and OAuth are widely used today, they are not always well-used and in many cases they are not enough. In this presentation, we introduce all aspects of security to consider as well as the OpenAPI security extensions which can be leveraged to better express the contract between the consumer and the provider.
4. API SECURITY ASPECTS TO CONSIDER
Authentication
(Validation and
OIDC Flows)
Integrity
Data has not
been tampered
with
Audit
(Forensics)
Confidentiality
Data can’t be seen
in flight
Availability
(Rate Limiting)
Authorization
(Access
Control and
OAuth flows)
Non Repudiation
(Legal Compliance)
Input/Output
Validation
(Attacks Protection)
6. TLS covers Confidentiality and Integrity at transport level.
Configuration matters!
✓ Protocol accepted (TLS 1.2, 1.3 are recommended)
✓ Strong cipher suites
Can use Mutual SSL for authentication is some scenarios
Review/Enforce across the whole transaction flow
✓ Inbound/Outbound
Remember: channel is encrypted… but data goes in clear!
6
IT STARTS AT TRANSPORT LEVEL…
8. DATA VALIDATION
Payload validation (request, responses, errors!)
Block sensitive data in responses (N26 attack lessons…)
Make sure you don’t return too much information in case of
errors. Too much info for attacker!
✓ Avoid Response.post ( exception.printStackTrace()) !
8
9. TOKEN VALIDATION
Which token format is accepted ?
Where (query param ? header ?)
Is it of the right format ?
Has it expired ?
Is the signature valid?
Is the signing/encrypting algorithm the right one ( RS256, HS 256)
Was 2-factor auth used if required ? (Level of Assurance - LoA 3 or greater)
Claims check
✓ What’s the audience value ? See: https://thehackernews.com/2018/04/auth0-authentication-bypass.html
✓ What’s the issuer value ?
✓ Custom checks
Check jwt.io to ensure the libraries you use do the proper checks!
9
11. CRYPTO VALIDATION
Can I decrypt ?
Can I verify the signature ?
Decrypt before payload validation !
11
12. INTEGRITY
What I received is what was sent and I know who sent it.
Digital signatures over content.
You probably already use this with OpenID Connect (id token must be
signed and optionally encrypted)
Transport agnostic!
Other applications
✓ Non-Repudiation
12
13. CONFIDENTIALITY
I don’t want anybody to see the messages exchanged.
Data can only be read by the right person/system
Transport agnostic!
Multiple recipients
✓ Part of message goes to target A, another to target B
13
14. AAA (AUTHENTICATION/AUTHORIZATION /AUDIT)
Choose OAuth Grant Types wisely
✓ Know the deployment
✓ Know who will invoke the APIs.
Use HTTPs across all actors (Resource Server, Authorization Server, Client)
Prevent Token theft ! Look at
✓ PKCE for mobile apps ( prevents authorization_code from being stolen)
✓ Proof-of-possession (https://tools.ietf.org/html/rfc7800)
✓ Token Binding ( new RFC, still in Draft)
Use proven libs and products !
Audit everything (logs, SIEM, audit trail)
Learn Learn and Learn …
✓ https://auth0.com/docs/api-auth/grant/authorization-code-pkce
✓ https://alexbilbie.com/guide-to-oauth-2-grants/
✓ https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864 14
15. OPEN API SECURITY EXTENSIONS
Specify the security contract
Authentication
✓ Basic Auth
✓ API Key
✓ OAuth (flows, URLs to Authorization/Token Server)
Future
✓ Mutual TLS (3.1)
✓ Cryptography support at message level
✓ Additional details for OAuth JWT contract
• Algorithms
• Required Claims
• Signature Type 15