OAuth: The API Gatekeeper

The API GatekeeperDick Hardt

Monday, November 4, 13

Agenda

•Access Control Overview

Agenda

•Access Control Overview•OAuth History

Agenda

•Access Control Overview•OAuth History•OAuth Flows

Agenda

•Access Control Overview•OAuth History•OAuth Flows•Implementation Steps

Agenda

•Access Control Overview•OAuth History•OAuth Flows•Implementation Steps•What can go wrong?

Agenda

•Access Control Overview•OAuth History•OAuth Flows•Implementation Steps•What can go wrong?•Q & A

Authorization Code

•key into database

Authorization Code

•key into database–user, scope, app id, expiry (5 min)

Authorization Code

•token (self contained)

Authorization Code

•token (self contained)–user, scope, app id, expiry (5 min)

Authorization Code

•token (self contained)–user, scope, app id, expiry (5 min)–JWT

Access Token Lifecycle

Access Token Lifecycle•key into database

Access Token Lifecycle•key into database–user, scope, app id, expiry, status

•token (self contained)

•token (self contained)–user, scope, app id, expiry (60 minutes)

•token (self contained)–user, scope, app id, expiry (60 minutes)–JWT

•Refresh token

•Refresh token–user, scope, app id, expiry / status

•Refresh token–user, scope, app id, expiry / status–JWT

API Authorization Middlewareimplementation dependent

X-RateLimit-Limit: 500X-RateLimit-Remaining: 432

Developer Documentation / Sandbox

What can go wrong?

What can go wrong?•Compromise of client secret

What can go wrong?•Compromise of client secret•Compromise of access tokens (server)

What can go wrong?•Compromise of client secret•Compromise of access tokens (server)–Developer rests client secret

What can go wrong?•Compromise of client secret•Compromise of access tokens (server)–Developer rests client secret–All access tokens are invalidated

What can go wrong?•Compromise of client secret•Compromise of access tokens (server)–Developer rests client secret–All access tokens are invalidated–Refresh tokens still work, but require new secret

•Compromise of access token (client)

•Compromise of access token (client)–User revokes authorization

•Resolution is self service8

OAuth: The API Gatekeeper

Technology

A How-to Guide to OAuth & API Security

REST API Security: OAuth 2.0, JWTs, and More!

Oauth for credentials security in REST API access

API Security & Oauth Patterns RSA Europe @flascelles

Abusing Twitter API & OAuth Implementation · Abusing Twitter API & OAuth Implementation Nicolas Seriot April 10th, 2013 Hack In The Box Amsterdam, NL. ... • iOS / Cocoa dev.

Just-In Time Sociology @EPFL€¦ · Twitter API API = Application Programming Interface dev.twitter.com good coding skills needed REST API Streaming API OAuth JSON 9/29. Twitter

A How-to Guide to OAuth & API Security - Broadcom Inc

5 OAuth Essentials for API Access Control

Google App Engine Google APIs OAuth Facebook Graph API

Import google contacts with php or javascript using google contacts api and oauth 2.0

Decentralised authorisation: OAuth2€¦ · OAuth history • OAuth 1.0 released in 2007 • Twitter developers realised that OpenID was not going to support delegated API access

OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - SDC2013

API Security: Does My Business Need OAuth?

AdWords API and OAuth 2.0

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control - WebNetConf

OAuth 2.0 - Because API

Mohanraj - Securing Your Web Api With OAuth

Abusing Twitter API & OAuth Implementation - HITBconference.hitb.org/hitbsecconf2013ams/materials/D1T2 - Nicolas... · Abusing Twitter API & OAuth Implementation Nicolas Seriot April

Securing your APIs with OAuth 2.0 in InterSystems API

Authorization Architecture Patterns: How to Avoid Pitfalls in … · 2019-10-28 · implement OAuth 2.0, OpenID Connect, Financial-grade API and CIBA. ... • OAuth / OpenID Connect