session presentation here

Web API Security Pa0erns & An4-­‐Pa0erns Dominick Baier h0p://leastprivilege.com @leastprivilege think mobile!
Dominick Baier •  Security consultant at thinktecture •  Focus on –  security in distributed applica9ons –  iden9ty management –  access control –  Windows/.NET security –  mobile app security • 
• 
• 
• 
MicrosoF MVP for Developer Security ASP.NET Web API Advisor dominick.baier@thinktecture.com h0p://leastprivilege.com @leastprivilege think mobile!
2 PaCerns & An9-­‐PaCerns • 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
SSL Cookie-­‐based Authen4ca4on Shared Secret Authen4ca4on Token-­‐based Authen4ca4on Separa4ng Token Issuer and Business Logic Oauth 2.0 & OpenID Connect Separa4ng User Creden4als from Client Applica4ons Federa4on (Social & Enterprise Iden4ty Providers) Self-­‐contained vs Reference Tokens Claims Token Life4me, Sessions & Refresh Logout Authoriza4on 401 vs 403 @leastprivilege 3 SSL @leastprivilege 4 Cookie-­‐based Authen9ca9on •  Web APIs inherit security se[ngs of web host –  e.g. cookies, Windows authen9ca9on, client certs... Application
Login
Pages
Web APIs
$.ajax @leastprivilege 5 CSRF – The Problem Login, get authen9ca9on cookie h0p://app.com Tab/Process send authen9ca9on cookie h0p://app.com/delete/5 Tab/Process Browser @leastprivilege 6 Example: Web API v1 An9-­‐CSRF •  Part of the SPA template in MVC 4 (Update 2) Server [ValidateHCpAn9ForgeryToken] render page & an9-­‐forgery cookie post-­‐back: cookie + hidden field web api call: cookie + header Page <form> <input type="hidden" value="anti-­‐forgery token" /> </form> <script>…</script> @leastprivilege 7 Shared Secret Authen9ca9on •  HTTP Basic Authen4ca4on •  Shared signature approaches (e.g. hawk) GET /service/resource Authoriza4on: Basic base64(username:password) @leastprivilege 8 Problems •  The client must store the secret or obtain it from the user (on every request) –  storage must be done in clear text (or reversible encryp9on) •  Server has to validate the secret on every request –  high computa9onal cost due to brute force protec9on •  The probability of accidental exposure of the secret is increased @leastprivilege 9 Token-­‐based Authen9ca9on •  "Cookies" for APIs 1 2 POST /service/token Authoriza4on: Basic base64(username:password) <token> 3 GET /service/resource Authoriza4on: <token> @leastprivilege 10 Separa9ng Token Issuer from Business Logic •  Separa4on of concerns –  re-­‐use of token issuer –  centralize security logic •  OAuth 2.0 (RFC 6749) –  framework for reques9ng and using access tokens for •  na9ve clients, web clients, browser-­‐based clients •  OpenID Connect –  authen9ca9on extensions for OAuth 2.0 •  Addi4onal concepts –  Authoriza9on Server –  Access Tokens @leastprivilege 11 OAuth2 approach client_id=client1, scope=api1 api2 Authoriza4on Server access token APIs Bob access token Scopes: api1, api2 api3… @leastprivilege 12 JSON Web Token (JWT) Header { "typ": "JWT", "alg": "HS256" } Claims { "iss": "http://myIssuer", "exp": "1340819380", "aud": "http://myResource", "sub": "bob", "client_id": "client1", "scope": ["api1", "api2"] } eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt Header @leastprivilege Claims Signature 13 Reference Tokens Authoriza4on Server a717d415-76b9-4bad
validate token receive claims Bob a717d415-76b9-4bad
@leastprivilege 14 Flows •  Pa0erns for orchestra4ng communica4on between client and authoriza4on server –  server-­‐rendered web applica9ons –  user-­‐agent based web applica9ons –  na9ve applica9ons –  machine-­‐to-­‐machine communica9on –  federa9on •  Ability to treat the client as par4ally trusted –  as well as client authen9ca9on @leastprivilege 15 Resource Owner Password Flow Resource Server Authoriza9on Server POST /token Authorization: Basic (client_id:secret) grant_type=password& scope=read& username=owner& password=password& Resource Owner @leastprivilege Client 16 Token Response Resource Server Authoriza9on Server { "access_token" : "abc", "expires_in" : "3600", "token_type" : "Bearer", "refresh_token" : "xyz" } Resource Owner @leastprivilege Client 17 Step 2: Use token Resource Server GET /resource Authorization: Bearer access_token Resource Owner @leastprivilege Client 18 Separa9ng user creden9als from the client… •  Client does not need to deal with user creden4als •  Single Sign-­‐on •  Enabled for external authen4ca4on •  Implicit Flow –  Web / mobile / user-­‐agent based clients •  Authoriza4on Code Flow –  addi9onal features for so called "confiden9al clients" @leastprivilege 19 Implicit Flow (Na9ve / Local Clients) Resource Owner @leastprivilege Client 20 Step 1: Authoriza9on/Authen9ca9on Request Resource Server Authoriza9on Server GET /authorize? client_id=nativeapp& scope=read& redirect_uri=http://localhost/cb& response_type=token& state=123 Resource Owner @leastprivilege Client 21 Authen9ca9on @leastprivilege 22 Consent @leastprivilege 23 TwiCer Consent @leastprivilege 24 Step 2: Token Response Resource Server Authoriza9on Server GET /cb# access_token=abc& expires_in=3600& state=123 Resource Owner @leastprivilege Client 25 Federa9on w/ Social & Enterprise @leastprivilege * 26 Token Life9me, Sessions & Refresh Cookie Life4me? Sliding? Logout? Bob Access Token Life4me? Sliding? @leastprivilege 27 Refresh Token Management (Flickr) @leastprivilege 28 Refresh Token Management (Dropbox) @leastprivilege 29 Logout (aka Revoca9on) •  Tokens are valid un4l expira4on –  especially true for self-­‐contained tokens –  more op9ons when using reference tokens /revoke?token=a19..18a Bob @leastprivilege 30 401 vs 403 RFC 7235: HTTP 1.1 Authen4ca4on The 401 (Unauthorized) status code indicates that the request has
not been applied because it lacks valid authentication
credentials for the target resource. The server generating a
401 response MUST send a WWW-Authenticate header field
(Section 4.1) containing at least one challenge applicable to
the target resource.
A server that receives valid credentials that are not adequate to
gain access ought to respond with the 403 (Forbidden) status
code
@leastprivilege 31 Authoriza9on Client -­‐ iden4ty -­‐ client type -­‐ scopes @leastprivilege User -­‐ iden4ty -­‐ claims from token -­‐ DB / profile data 32 thank you! @leastprivilege 33