Enterprise Access Control Patterns For REST and Web APIs



Similar documents
IBM WebSphere Application Server

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Building Secure Applications. James Tedrick

Mashery OAuth 2.0 Implementation Guide

Copyright Pivotal Software Inc, of 10

Axway API Gateway. Version 7.4.1

Enabling SSO for native applications

APIs The Next Hacker Target Or a Business and Security Opportunity?

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

An Oracle White Paper Dec Oracle Access Management OAuth Service

Salesforce Opportunities Portlet Documentation v2

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Configuration Guide - OneDesk to SalesForce Connector

OAuth: Where are we going?

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Globus Auth. Steve Tuecke. The University of Chicago

Onegini Token server / Web API Platform

Mastering health IT complexity with Fine-Grained REST APIs

Fairsail REST API: Guide for Developers

SharePoint 2013 Business Connectivity Services Hybrid Overview

OAuth Guide Release 6.0

API-Security Gateway Dirk Krafzig

A Standards-based Mobile Application IdM Architecture

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

IBM API Management Overview IBM Corporation

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

ACR Connect Authentication Service Developers Guide

Creating a Strong Security Infrastructure for Exposing JBoss Services

Copyright: WhosOnLocation Limited

Towards an Open Identity Infrastructure with OpenSSO. RMLL Nantes July Fulup Ar Foll Master Architect

Salesforce Integration User Guide Version 1.1

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Agenda. How to configure

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

The Role of Identity Enabled Web Services in Cloud Computing

Software Potential Solution Overview

EHR OAuth 2.0 Security

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

SAML and OAUTH comparison

Using SAML for Single Sign-On in the SOA Software Platform

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Security Best Practices for Microsoft Azure Applications

Single Sign On for UNICORE command line clients

Single Sign On. SSO & ID Management for Web and Mobile Applications

Administering Jive Mobile Apps

A How To guide for integrating your application to the CRM Hub

JVA-122. Secure Java Web Development

Microsoft Azure Multi-Factor authentication. (Concept Overview Part 1)

Implementing 2-Legged OAuth in Javascript (and CloudTest)

Integrating Cisco ISE with GO!Enterprise MDM Quick Start

Introduction to SAML

RCS Liferay Google Analytics Portlet Installation Guide

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Configuring user provisioning for Amazon Web Services (Amazon Specific)

Web Services Security with SOAP Security Proxies

OPENIAM ACCESS MANAGER. Web Access Management made Easy

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

OAuth 2.0. Weina Ma

Meeting Rooms User Manual

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

AT&T Synaptic Storage as a Service SM Getting Started Guide

Egnyte Single Sign-On (SSO) Installation for OneLogin

Hybrid for SharePoint Server Search Reference Architecture

USING FEDERATED AUTHENTICATION WITH M-FILES

HP Software as a Service

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

An Approach to Achieve Delegation of Sensitive RESTful Resources on Storage Cloud

On-premise and Online connection with Provider Hosted APP (Part 1)

Lecture Notes for Advanced Web Security 2015

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Login with Amazon. Developer Guide for Websites

SAP Mobile - Webinar Series SAP Mobile Platform 3.0 Security Concepts and Features

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Digital Enterprise. White Paper. Enhancing User Experience with Secure Single Sign-On for Enterprise Mobile Apps

Security Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 -

Securing JAX-RS RESTful services. Miroslav Fuksa (software developer) Michal Gajdoš (software developer)

Office365Mon Developer API

OIOSAML Rich Client to Browser Scenario Version 1.0

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, Integration Guide IBM

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Federated Portals. Subbu Allamaraju Staff Engineer BEA Systems Inc

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

Managing SOA Security and Operations with SecureSpan

Federated Identity for Cloud Computing and Cross-organization Collaboration

Applying Cryptography as a Service to Mobile Applications

DreamFactory on Microsoft SQL Azure

#07 Web Security CLIENT/SERVER COMPUTING AND WEB TECHNOLOGIES

Single Sign-On Implementation Guide

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Enabling REST Services with SAP PI. Michael Le Peter Ha

SPARROW Gateway. Developer Data Vault Payment Type API. Version 2.7 (6293)

RETS Transport Authentication April Matt Cohen Clareity Consulting Clareity.com

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

CLOUD CRUISER FOR WINDOWS AZURE PACK

UMA in Health Care: Providing Patient Control or Creating Chaos?

Securing Web Services From Encryption to a Web Service Security Infrastructure

Transcription:

Enterprise Access Control Patterns For REST and Web APIs Francois Lascelles Layer 7 Technologies Session ID: STAR-402 Session Classification: intermediate

Today s enterprise API drivers IAAS/PAAS distributed enterprise SOA Integration APIs! Cloud APIs! SAAS partner enterprise boundary B2B APIs! Access control? Sensitive data, apps Mission critical ID authority Legacy B2C APIs! developer mobile

REST access control standards gap WS-* web services have rich security standards and authentication/authorization mechanisms Web API, RESTful web services tend to use proprietary tokens, point-to-point solutions What are the common patterns in use? Which standards are emerging? How to use specialized infrastructure to implement access control? How to accommodate requesting party technical capabilities?

Pattern 1: API Keys in URI parameters https://host/api/resource?keyid=foo&keysecret=bar Simplest thing, common practice Shared secret in a URL parameter based authentication, no signature involved Equivalent to https://host/api/resource?username=franco&pass word=mysecret Why not use HTTP Basic instead?

Pattern 2: HMAC PUT /api/resource Authorization: AWS keyid:fr0t5azm6qt3s40pbpmfrtljwmuzura8= Prove possession of share secret using HMAC sig (shared secret not actually sent) Payload covered by signature -> message integrity Timestamp covered by signature -> less susceptible to replay Used by AWS, Azure, core to OAuth 1.0 Requires agreement for normalized request string 5

Pattern 3: OAuth Specifies a handshake to grant an access token to an application (REST client) Access token is then used to consume REST service Application Retrieve resource with OAuth access token (REST exchange) Service Do something with my resource Yes, I authorize it Resource owner

OAuth 2.0 4 core grant types (handshakes) to address different use cases Authorization code, implicit, password, client credentials SAML extension grant type (draft-ietf-oauth-saml2- bearer-03) Different token types Bearer (easy, like cookies) MAC (integrity, more secure) OAuth 2.0 is rich, fills the standards gap

Authorization code grant type Resource owner redirected between OAuth authorization server and client application Both resource owner and client authenticated as part of handshake Supports refresh 2. Get access token 1. Get authz code 8

Implicit grant type Also 3-legged but simpler Client is not authenticated redirection URI must be registered to avoid fishing No refresh 1. Get access token 9

Resource owner password credentials grant type Resource owner provides credentials to client Client uses it to get access token Both client and res owner identities authenticated Can be refreshed 1. Provide credentials 2. Get access token 10

Client credentials grant type Two-legged handshake Client application authenticated only No refresh tokens 1. Get access token 11

2 vs. 3 Legged Spectrum Two legged Three legged 12

Step-by-step enterprise API access control (from an OAuth perspective) 13

Starting Point I need more OAuth enterprise/provider admin REST API FAIL! OAuth Client (application)

OAuth Clients Provisioning, Management Provide a portal for developers to register, generate shared secrets Enable approval flow (administrative) Store API keys, redirection URIs List existing clients, record usage statistics app developer provision register OAuth Client Management API dev portal approve

Runtime Policy Modeling, Integration Declare API endpoints in the resource server Integrate identity providers for runtime authentication Granular access control rules Which API, which identities, which grant types, Runtime Policy Modeling configure API endpoints Resource Server PEP id providers, API keys

OAuth Handshake Enable handshake Lookup policy, authenticate identities, enable flow Create OAuth Session Token Management persist get token redirect Token Endpoint Authorization Endpoint authorize OAuth Authorization Server

Runtime API Call OAuth resource server enables API call Lookup and verify incoming OAuth access token Authorize based on OAuth session attributes Route to API endpoint, return resource to client app Record consumption statistics Token Management consume Resource Server

Token Refresh OAuth authorization server enables refresh Authenticate client Lookup and validate refresh token Create new access token Update OAuth session Token Management refresh Token Endpoint

Token Revocation Minimize impact of compromised tokens Enable revocation for subscribers and API providers Management GUI, links Token Management revoke Revocation interface check Resource Server FAIL! compromise

Comprehensive API Access Control Apply OAuth-enabling infrastructure: Token management (lifecycle, revocation) Developer portal (client provisioning, client management) OAuth resource server (API proxy, PEP) OAuth authorization server (authorization endpoint, token endpoint) Runtime policy modeling Reporting, monitoring interface

Thank you For more information: info@layer7.com 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information