Web API Security Pa0erns & An4-‐Pa0erns Dominick Baier h0p://leastprivilege.com @leastprivilege think mobile! Dominick Baier • Security consultant at thinktecture • Focus on – security in distributed applica9ons – iden9ty management – access control – Windows/.NET security – mobile app security • • • • MicrosoF MVP for Developer Security ASP.NET Web API Advisor dominick.baier@thinktecture.com h0p://leastprivilege.com @leastprivilege think mobile! 2 PaCerns & An9-‐PaCerns • • • • • • • • • • • • • • SSL Cookie-‐based Authen4ca4on Shared Secret Authen4ca4on Token-‐based Authen4ca4on Separa4ng Token Issuer and Business Logic Oauth 2.0 & OpenID Connect Separa4ng User Creden4als from Client Applica4ons Federa4on (Social & Enterprise Iden4ty Providers) Self-‐contained vs Reference Tokens Claims Token Life4me, Sessions & Refresh Logout Authoriza4on 401 vs 403 @leastprivilege 3 SSL @leastprivilege 4 Cookie-‐based Authen9ca9on • Web APIs inherit security se[ngs of web host – e.g. cookies, Windows authen9ca9on, client certs... Application Login Pages Web APIs $.ajax @leastprivilege 5 CSRF – The Problem Login, get authen9ca9on cookie h0p://app.com Tab/Process send authen9ca9on cookie h0p://app.com/delete/5 Tab/Process Browser @leastprivilege 6 Example: Web API v1 An9-‐CSRF • Part of the SPA template in MVC 4 (Update 2) Server [ValidateHCpAn9ForgeryToken] render page & an9-‐forgery cookie post-‐back: cookie + hidden field web api call: cookie + header Page <form> <input type="hidden" value="anti-‐forgery token" /> </form> <script>…</script> @leastprivilege 7 Shared Secret Authen9ca9on • HTTP Basic Authen4ca4on • Shared signature approaches (e.g. hawk) GET /service/resource Authoriza4on: Basic base64(username:password) @leastprivilege 8 Problems • The client must store the secret or obtain it from the user (on every request) – storage must be done in clear text (or reversible encryp9on) • Server has to validate the secret on every request – high computa9onal cost due to brute force protec9on • The probability of accidental exposure of the secret is increased @leastprivilege 9 Token-‐based Authen9ca9on • "Cookies" for APIs 1 2 POST /service/token Authoriza4on: Basic base64(username:password) <token> 3 GET /service/resource Authoriza4on: <token> @leastprivilege 10 Separa9ng Token Issuer from Business Logic • Separa4on of concerns – re-‐use of token issuer – centralize security logic • OAuth 2.0 (RFC 6749) – framework for reques9ng and using access tokens for • na9ve clients, web clients, browser-‐based clients • OpenID Connect – authen9ca9on extensions for OAuth 2.0 • Addi4onal concepts – Authoriza9on Server – Access Tokens @leastprivilege 11 OAuth2 approach client_id=client1, scope=api1 api2 Authoriza4on Server access token APIs Bob access token Scopes: api1, api2 api3… @leastprivilege 12 JSON Web Token (JWT) Header { "typ": "JWT", "alg": "HS256" } Claims { "iss": "http://myIssuer", "exp": "1340819380", "aud": "http://myResource", "sub": "bob", "client_id": "client1", "scope": ["api1", "api2"] } eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt Header @leastprivilege Claims Signature 13 Reference Tokens Authoriza4on Server a717d415-76b9-4bad validate token receive claims Bob a717d415-76b9-4bad @leastprivilege 14 Flows • Pa0erns for orchestra4ng communica4on between client and authoriza4on server – server-‐rendered web applica9ons – user-‐agent based web applica9ons – na9ve applica9ons – machine-‐to-‐machine communica9on – federa9on • Ability to treat the client as par4ally trusted – as well as client authen9ca9on @leastprivilege 15 Resource Owner Password Flow Resource Server Authoriza9on Server POST /token Authorization: Basic (client_id:secret) grant_type=password& scope=read& username=owner& password=password& Resource Owner @leastprivilege Client 16 Token Response Resource Server Authoriza9on Server { "access_token" : "abc", "expires_in" : "3600", "token_type" : "Bearer", "refresh_token" : "xyz" } Resource Owner @leastprivilege Client 17 Step 2: Use token Resource Server GET /resource Authorization: Bearer access_token Resource Owner @leastprivilege Client 18 Separa9ng user creden9als from the client… • Client does not need to deal with user creden4als • Single Sign-‐on • Enabled for external authen4ca4on • Implicit Flow – Web / mobile / user-‐agent based clients • Authoriza4on Code Flow – addi9onal features for so called "confiden9al clients" @leastprivilege 19 Implicit Flow (Na9ve / Local Clients) Resource Owner @leastprivilege Client 20 Step 1: Authoriza9on/Authen9ca9on Request Resource Server Authoriza9on Server GET /authorize? client_id=nativeapp& scope=read& redirect_uri=http://localhost/cb& response_type=token& state=123 Resource Owner @leastprivilege Client 21 Authen9ca9on @leastprivilege 22 Consent @leastprivilege 23 TwiCer Consent @leastprivilege 24 Step 2: Token Response Resource Server Authoriza9on Server GET /cb# access_token=abc& expires_in=3600& state=123 Resource Owner @leastprivilege Client 25 Federa9on w/ Social & Enterprise @leastprivilege * 26 Token Life9me, Sessions & Refresh Cookie Life4me? Sliding? Logout? Bob Access Token Life4me? Sliding? @leastprivilege 27 Refresh Token Management (Flickr) @leastprivilege 28 Refresh Token Management (Dropbox) @leastprivilege 29 Logout (aka Revoca9on) • Tokens are valid un4l expira4on – especially true for self-‐contained tokens – more op9ons when using reference tokens /revoke?token=a19..18a Bob @leastprivilege 30 401 vs 403 RFC 7235: HTTP 1.1 Authen4ca4on The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource. A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code @leastprivilege 31 Authoriza9on Client -‐ iden4ty -‐ client type -‐ scopes @leastprivilege User -‐ iden4ty -‐ claims from token -‐ DB / profile data 32 thank you! @leastprivilege 33
© Copyright 2024