Prabath Siriwardena, Senior Architect & Chair, Integration MC
Johann Nallathamby, Software Engineer, Integration MC
AWS Signature - 1

•  Split the query string based on '&' and '=' characters into a series of key-value pairs.
•  Sort the pairs based on the keys.
•  Append the keys and values together, in order, to construct one big string (key1 + value1 + key2 + value2 + ...).
•  Sign that string using HMAC-SHA1 and your secret access key.
AWS Signature - 2

•  You include additional components of the request in the string to sign.
•  You include the query string control parameters (the equals signs and ampersands) in the string to sign.
•  You sort the query string parameters using byte ordering.
•  You URL encode the query string parameters and their values before signing the request.
•  You can use HMAC-SHA256 when you sign the request (we prefer HMAC-SHA256, but we still support HMAC-SHA1).
•  You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using.
•  You must set the SignatureVersion request parameter to 2.
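The two slides above describe Signature Version 1 and Version 2 as lists of steps; the following added example (not from the slides or from AWS) implements both and shows why Version 2 keeps the '=' and '&' delimiters in the string to sign: two constructed, different parameter sets collapse to the same Version 1 string and therefore the same HMAC, while their Version 2 strings differ. The secret key and the host example.amazonaws.com are constructed placeholders, and the V1 sort follows the slide literally (by key).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed example credential: not a real AWS secret access key.
SECRET_KEY = b"constructed-example-secret-access-key"


def string_to_sign_v1(params):
    """Signature Version 1: sort the key/value pairs by key, then concatenate
    key1 + value1 + key2 + value2 + ... with no separators."""
    return "".join(k + v for k, v in sorted(params.items()))


def sign_v1(params, secret=SECRET_KEY):
    """HMAC-SHA1 over the V1 string to sign, base64-encoded."""
    digest = hmac.new(secret, string_to_sign_v1(params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def canonical_query_v2(params):
    """Signature Version 2 canonical query string: URL-encode each name and
    value (only RFC 3986 unreserved characters are left as-is), sort by byte
    order of the encoded name, and keep '=' and '&' as delimiters."""
    encoded = [(quote(k, safe="-_.~"), quote(v, safe="-_.~"))
               for k, v in params.items()]
    encoded.sort(key=lambda kv: kv[0].encode("utf-8"))
    return "&".join(f"{k}={v}" for k, v in encoded)


def string_to_sign_v2(method, host, path, params):
    """V2 string to sign: HTTP method, lower-cased host, request path and the
    canonical query, one per line, so more of the request than the bare
    parameters is bound by the signature."""
    return "\n".join([method.upper(), host.lower(), path,
                      canonical_query_v2(params)])


def sign_v2(method, host, path, params, secret=SECRET_KEY):
    """HMAC-SHA256 over the V2 string to sign, base64-encoded.  The request
    carries SignatureVersion=2 and SignatureMethod=HmacSHA256, and both are
    part of what is signed; the Signature parameter itself is not."""
    signed = dict(params, SignatureVersion="2", SignatureMethod="HmacSHA256")
    msg = string_to_sign_v2(method, host, path, signed).encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


# Two constructed, semantically different parameter sets.  Because V1 drops
# the '=' and '&' delimiters, both collapse to "ActionListUsersMaxItems10"
# and so carry the same V1 signature; V2 keeps them distinguishable.
REQUEST_A = {"Action": "ListUsers", "MaxItems": "10"}
REQUEST_B = {"Action": "ListUsersMax", "Items": "10"}


def v1_strings_collide(a=REQUEST_A, b=REQUEST_B):
    """True when two different parameter sets yield the same V1 string to sign."""
    return a != b and string_to_sign_v1(a) == string_to_sign_v1(b)


def v2_strings_collide(a=REQUEST_A, b=REQUEST_B, host="example.amazonaws.com"):
    """The same check against the V2 string to sign (host is a placeholder)."""
    return (a != b and string_to_sign_v2("GET", host, "/", a)
            == string_to_sign_v2("GET", host, "/", b))


if __name__ == "__main__":
    print("V1 strings collide:", v1_strings_collide())
    print("V1 signatures equal:", sign_v1(REQUEST_A) == sign_v1(REQUEST_B))
    print("V2 strings collide:", v2_strings_collide())
    print(string_to_sign_v2("GET", "example.amazonaws.com", "/", REQUEST_A))
```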
  
http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

http://blog.programmableweb.com/2010/08/16/twitter-basic-auth-will-truly-disappear-august-30/
Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear-text.

Servers are required to support password authentication, despite the security weaknesses created by passwords.

Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.

Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties, and must do so by changing their password.

Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
http://www.flickr.com/services/api/misc.userauth.html	
  
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html	
  
•  Complexity in validating and generating signatures.
•  No clear separation between Resource Server and Authorization Server.
•  Browser based re-redirections.
(Diagram: BasicAuth vs. OAuth Handshake)

(Diagram: Runtime - Bearer vs. MAC)
Bearer

Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).



Runtime - Request with Bearer

    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: Bearer “access_token_value”

http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20



Runtime - MAC

HTTP MAC access authentication scheme
Runtime - Request with MAC

    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: MAC id="h480djs93hd8",
                   ts="1336363200",
                   nonce="274312:dj83hs9s",
                   mac="kDZvddkndxvhGRXZhvuDjEWhGeE="

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
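The Bearer and MAC slides above contrast a token that anyone holding it can replay with one that must be accompanied by proof of the key; this added example (mine, not from the slides or from the draft) signs a request with the header layout shown on the MAC slide and verifies it on the server side with the checks a bearer token cannot offer: a clock-skew window on ts, one-time use of each (id, ts, nonce), and a constant-time MAC comparison. The MAC key and nonces are constructed, and the normalized request string follows my reading of draft-ietf-oauth-v2-http-mac-01 section 3.3.1 (later drafts changed the layout).

```python
import base64
import hashlib
import hmac
import time

# Constructed credentials.  The id is the one on the slide and travels in the
# clear; the MAC key is issued with the token out of band and never sent.
MAC_ID = "h480djs93hd8"
MAC_KEY = b"constructed-mac-key-not-from-the-draft"


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Timestamp, nonce, upper-case method, request-URI, lower-case host, port
    and the optional ext value, each followed by a newline (including the last),
    per draft -01 section 3.3.1 as read by the author of this example."""
    parts = (ts, nonce, method.upper(), request_uri, host.lower(), str(port), ext)
    return "".join(f"{p}\n" for p in parts)


def compute_mac(key, ts, nonce, method, request_uri, host, port, ext=""):
    """HMAC-SHA1 over the normalized request string, base64-encoded."""
    msg = normalized_request_string(ts, nonce, method, request_uri, host, port, ext)
    digest = hmac.new(key, msg.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(key, mac_id, ts, nonce, method, request_uri, host, port):
    """Client side: the Authorization header value in the slide's layout."""
    mac = compute_mac(key, ts, nonce, method, request_uri, host, port)
    return f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_mac_header(value):
    """Split 'MAC id="...", ts="...", nonce="...", mac="..."' into a dict;
    None when the scheme is not MAC."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme != "MAC":
        return None
    attrs = {}
    for item in rest.split(","):
        name, sep, val = item.strip().partition("=")   # first '=' only: mac ends in '='
        if sep:
            attrs[name.strip()] = val.strip().strip('"')
    return attrs


class MacVerifier:
    """Server side.  Unlike a bearer token, the id alone grants nothing: the
    request must carry a MAC only a holder of the key can produce, and each
    (id, ts, nonce) is accepted once, inside a clock-skew window."""

    def __init__(self, keys_by_id, window_seconds=300, now=time.time):
        self.keys_by_id = keys_by_id
        self.window = window_seconds
        self.now = now          # injectable clock so the check is testable
        self.seen = set()       # (id, ts, nonce) triples already accepted

    def verify(self, header_value, method, request_uri, host, port):
        attrs = parse_mac_header(header_value)
        if not attrs or not all(k in attrs for k in ("id", "ts", "nonce", "mac")):
            return False
        key = self.keys_by_id.get(attrs["id"])
        if key is None:
            return False                       # unknown token identifier
        try:
            ts = int(attrs["ts"])
        except ValueError:
            return False
        if abs(self.now() - ts) > self.window:
            return False                       # stale or future-dated request
        replay_key = (attrs["id"], attrs["ts"], attrs["nonce"])
        if replay_key in self.seen:
            return False                       # nonce already used: replay
        expected = compute_mac(key, attrs["ts"], attrs["nonce"], method,
                               request_uri, host, port, attrs.get("ext", ""))
        if not hmac.compare_digest(expected, attrs["mac"]):
            return False                       # MAC does not cover this request
        self.seen.add(replay_key)              # only a valid request burns the nonce
        return True


if __name__ == "__main__":
    header = authorization_header(MAC_KEY, MAC_ID, str(int(time.time())), "dj83hs9s",
                                  "GET", "/resource/1", "example.com", 80)
    verifier = MacVerifier({MAC_ID: MAC_KEY})
    print(header)
    print("first use accepted:", verifier.verify(header, "GET", "/resource/1", "example.com", 80))
    print("replay accepted:", verifier.verify(header, "GET", "/resource/1", "example.com", 80))
```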
  
Securing APIs
