API SECURITY
Evolution of API Security
Naked API → Simple API Keys → Federated Access Control
The Authentication Granddaddy - Basic Auth
API SECURITY
Top Schemes
Most API Management platforms support the following security schemes:
● API Key: a single token string
● APP ID / APP Key (Basic Auth): two token strings, i.e. username and password
● OAuth: an authorization framework for delegating access
● OpenID Connect (OIDC): a simple identity layer on top of the OAuth framework
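How those four schemes arrive on the wire, as an added example (not code from the slides or from any API management product): a small credential classifier of the kind a gateway runs before any policy check. The key store, the `user_key` query parameter name and the sample values are constructed for the example; bearer tokens are only extracted here, since their validation is a separate (JWT) step.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample credential store for the example. A real gateway pulls
# these from its API manager configuration; it never hard-codes them.
API_KEYS = {"k_3f9a7c": "catalog-mobile-app"}          # api key -> application
APP_CREDENTIALS = {"app_7781": "s3cr3t-app-key"}       # app id -> app key


def basic_header(app_id: str, app_key: str) -> str:
    """Build the Basic Auth header value a client would send (helper for tests)."""
    return "Basic " + base64.b64encode(f"{app_id}:{app_key}".encode()).decode()


def parse_authorization(header: Optional[str], query: dict) -> Tuple[str, Optional[str]]:
    """Classify a request's credentials by scheme.

    Returns (scheme, principal): scheme is one of "api_key", "app_id_key",
    "bearer", "none" or "invalid"; principal is the application (or the raw
    bearer token, which still has to be verified by the JWT step).
    """
    if header is None:
        # Single-token scheme: the key travels as a query parameter
        # (assumed name "user_key"; 3scale also accepts a header).
        key = query.get("user_key")
        if key is None:
            return "none", None
        app = API_KEYS.get(key)
        return ("api_key", app) if app else ("invalid", None)

    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()

    if scheme == "basic":
        # Two-token scheme: base64("app_id:app_key")
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return "invalid", None
        app_id, sep, app_key = decoded.partition(":")
        if not sep:
            return "invalid", None
        # Compare against a dummy when the id is unknown so the timing of the
        # comparison does not reveal whether the app id exists.
        expected = APP_CREDENTIALS.get(app_id, "")
        if app_id in APP_CREDENTIALS and hmac.compare_digest(expected, app_key):
            return "app_id_key", app_id
        return "invalid", None

    if scheme == "bearer":
        # OAuth / OIDC: the token is validated later (signature, expiry, client).
        return ("bearer", value) if value else ("invalid", None)

    return "invalid", None
```

The Basic case decodes strictly (`validate=True`) and uses a constant-time comparison; the bearer case deliberately returns the token untouched, because the gateway's JWT checks decide whether it is acceptable.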
OAUTH 2.0
From 20,000 FT
OAuth (Open Authorization) is an open standard for access delegation:
● One service can request access to resources on another service on behalf of the user.
Published October 2012.
[Diagram: User owns Resources; User authorizes Client; Client accesses Resources]
OAUTH 2.0
Terminology
● Resource Owner: generally yourself.
● Resource Server: the server hosting the protected data (for example Google hosting your profile).
● Client: the application requesting access to a resource server (e.g. a mobile application).
● Authorization Server: the server issuing a token to the client. The client then presents this token when calling the resource server.
OAUTH 2.0
Grant / Flow Types
Authorization Code Flow
The most secure and most widely used: the user logs into the identity server and grants the application access to retrieve their data.
Client Credentials Flow
Only application credentials are passed, in a single request for an access token.
Implicit Flow
The user logs in, but no client secret is passed.
Resource Owner Password Flow
Application credentials, username and password are passed in a single request for an access token.
OPENID CONNECT
Overview
● Built on top of the OAuth 2.0 protocol
● Allows clients to verify the identity of an end user and obtain basic profile information
● RESTful HTTP API, using JSON as the data format
● Like SAML, but not just web-page centric, and easier to implement
OPENID CONNECT
Layered Security Standards
● OpenID Connect: specifies JWT for the token, plus some extensions
● OAuth flows: the core delegation flows; lots of flexibility (perhaps too much?)
● Tokens: a wide variety of token and encryption standards
OPENID CONNECT
Vs OAuth 2.0
OpenID is an open standard for authentication. A user obtains an OpenID account through an OpenID identity provider (for example, Google) and then uses that account to sign into any website (the relying party) that accepts OpenID authentication.
OAuth 2.0 is an open standard for authorization. Confusingly, OAuth 2.0 is also the basis for OpenID Connect. OAuth 2.0 provides secure delegated access, meaning that an application, called a client, can take actions or access resources on a resource server on behalf of a user, without the user sharing their credentials with the application.
OPENID CONNECT
ID Token
● Provides identity information to the application from the Authorization Server
● Base64 encoded - easy to work with
[Example ID token contents: Name: John Doe; Type: Employee; Issued by: Company; Expiration Date: 02-06-2019]
JWT (“JOT”)
To The Rescue
● Signed with an algorithm and verifiable only with the correct key
● Carries the user's identity as claims (private, public, reserved)
● For OIDC purposes, SSO is widely adopted in consumer and enterprise apps
● Eliminates the need to look up a central access control list
RED HAT 3SCALE API MANAGEMENT
System Architecture
[Diagram components: Developer Apps and Mobile Apps calling the API Gateway (Policy Enforcement); API Gateway in front of the API Backend; API Manager (Policy Management) with Config / Authorize link to the gateway, Real Time Admin Portal, Branded Dev Portal and Swagger Doc; Identity Provider (IdP)]
RED HAT 3SCALE API MANAGEMENT
Gateway Operations
● Checks the timestamp for an expired token
● Checks that the client_id is still valid
● Verifies the signature of the JWT using the RH SSO public key
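The three gateway checks above, as an added worked example; this is not 3scale's or RH SSO's own code. It assumes HS256 with a constructed shared secret so it runs on the Python standard library alone: 3scale verifies RS256 signatures with the realm public key it fetched at configuration load, but the order and logic of the checks (algorithm pinned, signature first, then exp/nbf, issuer and client_id via `azp`) are the same. The issuer and client id are the values in the token shown later in the deck; `mint_token` stands in for the RH SSO token endpoint so the example can produce tokens to check.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example. Stands in for the RH SSO realm public key
# (RS256) that the 3scale gateway loads in step #0.
VERIFY_KEY = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "http://0966ea1f.ngrok.io/auth/realms/fourmarks"  # from the deck's token
VALID_CLIENT_IDS = {"4d652406"}  # clients the API manager still recognises


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)          # JWT segments drop the '=' padding
    return base64.urlsafe_b64decode(s)


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = VERIFY_KEY) -> str:
    """Issue an HS256 JWT (stand-in for the token endpoint in step #9)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int, key: bytes = VERIFY_KEY) -> dict:
    """Apply the gateway checks; return the claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the accepted algorithm; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Signature check comes before any claim is trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # Missing exp is treated as already expired (default deny).
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    # client_id check: azp is the authorized party the token was issued to
    if claims.get("azp") not in VALID_CLIENT_IDS:
        raise ValueError("unknown client_id")
    return claims


def gateway_check(token: str, now: int) -> tuple:
    """Allow/deny decision with a reason, as the gateway would log it."""
    try:
        verify_token(token, now)
    except ValueError as err:
        return False, str(err)
    return True, "authorized"


def realm_roles(claims: dict) -> list:
    """Realm roles carried in the token (the deck's example has access_my_resource)."""
    return claims.get("realm_access", {}).get("roles", [])
```

`now` is passed in rather than read from the clock so the expiry check is testable against the `exp` value in the deck's token; in a gateway it is the current time.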
AUTHORIZATION CODE FLOW
COMPLETE EXCHANGE
AUTHORIZATION CODE FLOW
An Orientation
[Diagram: swimlanes User, Identity Provider, API Management. Participants and OAuth roles: Browser (Resource Owner), RH SSO (Identity Provider), Application / Server Side Applications (Client), API Manager, API Gateway, API Service (Resource Server), Authorization Server]
AUTHORIZATION CODE FLOW
#0 - 3scale API Gateway Gets RH SSO Public Key On Configuration Load
API Gateway → RH SSO: GET /auth/realms/{realm}
AUTHORIZATION CODE FLOW
#1 - User Starts Using The Web App
Browser → Application: GET onlinestore.com/catalog.html
AUTHORIZATION CODE FLOW
#2 - The Application Introduces RH SSO
Application redirects Browser → RH SSO: GET /auth/realms/{realm}/protocol/openid-connect/auth
AUTHORIZATION CODE FLOW
#3 - RH SSO Forwards To Login Form
RH SSO → Browser: Login Page
AUTHORIZATION CODE FLOW
#4 - The User Logs Into RH SSO
Browser → RH SSO: POST {username / password}
AUTHORIZATION CODE FLOW
#5 - RH SSO Forwards To Consent Page
RH SSO → Browser: Consent Screen
AUTHORIZATION CODE FLOW
#6 - The User Consents
Browser → RH SSO: POST {consent}
AUTHORIZATION CODE FLOW
#7 - RH SSO Redirects To Application And Sends An Auth Code
RH SSO redirects Browser → Application: GET {redirect_uri, code, state}
AUTHORIZATION CODE FLOW
#7.1 - The Temp Auth Code
● Is used to acquire an access token.
● Think of this as a cloakroom ticket: it can be used once only, to acquire a bearer token.
AUTHORIZATION CODE FLOW
#8 - The Web App Calls The Token Endpoint
Application → RH SSO: POST /auth/realms/{realm}/protocol/openid-connect/token
AUTHORIZATION CODE FLOW
#9 - RH SSO Sends A Valid Bearer Token
RH SSO → Application: HTTP 200 {access_token, token_type, expires_in}
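Steps #2 and #7 to #9 of the exchange, as an added example that is not part of the deck and not RH SSO's implementation: a minimal authorization server and server-side web app. The client id matches the deck's token, while the client secret, redirect URI, 60-second code lifetime and opaque access token are constructed assumptions (RH SSO issues a signed JWT). Login and consent (#3 to #6) are taken as already completed for the given user. The point it shows is #7.1: the code is bound to the client and redirect URI and is popped on first use, so a replay of the same code is refused, and the web app checks `state` before redeeming it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (the id is the deck's; the rest is assumed).
CLIENTS = {
    "4d652406": {
        "secret": "client-secret-example",
        "redirect_uris": {"https://onlinestore.com/callback"},
    }
}
CODE_LIFETIME_SECONDS = 60  # assumed; auth codes are meant to be short-lived


class AuthorizationServer:
    """Stand-in for RH SSO: authorize endpoint (#2/#7) and token endpoint (#8/#9)."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, user, issued_at)

    def authorize(self, client_id, redirect_uri, state, user):
        # #2: only a registered client with a registered redirect_uri gets a code.
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, time.time())
        # #7: redirect back to the application carrying code and the caller's state.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, code, redirect_uri, client_id, client_secret, now=None):
        # #8: the server-side app authenticates itself with its client secret.
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return 401, {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        # #7.1: the cloakroom ticket. pop() consumes it, so a second use fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            return 400, {"error": "invalid_grant"}
        code_client, code_redirect, user, issued_at = entry
        if code_client != client_id or code_redirect != redirect_uri:
            return 400, {"error": "invalid_grant"}
        if now - issued_at > CODE_LIFETIME_SECONDS:
            return 400, {"error": "invalid_grant"}
        # #9: the bearer token (opaque here; RH SSO returns a signed JWT).
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer", "expires_in": 300, "sub": user}


class WebApp:
    """The server-side application: starts the flow, checks state, redeems the code."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.client_id = "4d652406"
        self.client_secret = CLIENTS[self.client_id]["secret"]
        self.redirect_uri = "https://onlinestore.com/callback"
        self._pending_state = None

    def start_login(self):
        # state is tied to the browser session and must come back unchanged in #7.
        self._pending_state = secrets.token_urlsafe(16)
        return self._pending_state

    def handle_callback(self, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self._pending_state:
            return 400, {"error": "state_mismatch"}
        self._pending_state = None  # one login attempt per state value
        return self.auth_server.token("authorization_code", params["code"][0],
                                      self.redirect_uri, self.client_id, self.client_secret)


def run_flow(user="testuser"):
    """Drive one exchange; return (token status, token body, status of a code replay)."""
    auth = AuthorizationServer()
    app = WebApp(auth)
    state = app.start_login()
    callback = auth.authorize(app.client_id, app.redirect_uri, state, user)
    status, body = app.handle_callback(callback)
    code = parse_qs(urlparse(callback).query)["code"][0]
    replay_status, _ = auth.token("authorization_code", code, app.redirect_uri,
                                  app.client_id, app.client_secret)
    return status, body, replay_status
```

Both sides live in one process here so the messages can be followed end to end; in the deployment on the slides the authorize call is a browser redirect to RH SSO and the token call is a back-channel POST from the web app.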
AUTHORIZATION CODE FLOW
#9.1 - The Bearer Token
"A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can"
AUTHORIZATION CODE FLOW
#9.2 - The Bearer Token
What does a bearer token look like?
Authorization: Bearer
QXV0aG9yaXphdGlvbjogQmVhcmVyIA0Kew0KICJqdGkiOiAiYmNiMTFmNDktZTZhZS00NGNhLWIwNzctMzc5MjU5NGYw
ZDk4IiwNCiAiZXhwIjogMTQ5NTI3MjczOSwNCiAibmJmIjogMCwNCiAiaWF0IjogMTQ5NDMyMjMzOSwNCiAiaXNzIjog
Imh0dHA6Ly8wOTY2ZWExZi5uZ3Jvay5pby9hdXRoL3JlYWxtcy9mb3VybWFya3MiLA0KICJhdWQiOiAiNGQ2NTI0MDYi
LA0KICJzdWIiOiAiZDIwZGM0MTUtNzUyZi00YTc5LWEzYTgtNTJlOTVlYTZkZWM2IiwNCiAidHlwIjogIkJlYXJlciIs
DQogImF6cCI6ICI0ZDY1MjQwNiIsDQogInNlc3Npb25fc3RhdGUiOiAiNTVhODQzMjktY2Y2ZC00YjliLWJhOGYtYWJh
MDM3NjRjMjFjIiwNCiAiY2xpZW50X3Nlc3Npb24iOiAiYmYxYTA3MzktYTM5Yy00NTE1LTljMDAtNzhlMTgyNmI4ZDM2
IiwNCiAiYWxsb3dlZC1vcmlnaW5zIjogWw0KICAiaHR0cHM6Ly93d3cuZ2V0cG9zdG1hbi5jb20iDQogXSwNCiAicmVh
bG1fYWNjZXNzIjogew0KICAicm9sZXMiOiBbDQogICAiYWNjZXNzX215X3Jlc291cmNlIg0KICBdDQogfSwNCiAicmVz
b3VyY2VfYWNjZXNzIjogew0KICAiYWNjb3VudCI6IHsNCiAgICJyb2xlcyI6IFsNCiAgICAibWFuYWdlLWFjY291bnQi
LA0KICAgICJ2aWV3LXByb2ZpbGUiDQogICBdDQogIH0NCiB9LA0KICJuYW1lIjogInRlc3QgdXNlciIsDQogInByZWZl
cnJlZF91c2VybmFtZSI6ICJ0ZXN0dXNlciIsDQogImdpdmVuX25hbWUiOiAidGVzdCIsDQogImZhbWlseV9uYW1lIjog
InVzZXIiLA0KICJlbWFpbCI6ICJ0ZXN0QGJsYWguY29tIg0KfQ0K
Accept: */*
Postman-Token: 86b86d4a-8369-40af-8612-9f0d3589fdfb
Cf-Ray: 35c3a94bb1ac35ae-LHR
X-3Scale-Proxy-Secret-Token: Shared_secret_sent_from_proxy_to_API_backend_169ad455fe40801e
AUTHORIZATION CODE FLOW
#9.3 - The Bearer Token
If you base64 decode it you get the following (the token is a JWT; notice the role information):
Authorization: Bearer
{
  "jti": "bcb11f49-e6ae-44ca-b077-3792594f0d98",
  "exp": 1495272739,
  "nbf": 0,
  "iat": 1494322339,
  "iss": "http://0966ea1f.ngrok.io/auth/realms/fourmarks",
  "aud": "4d652406",
  "sub": "d20dc415-752f-4a79-a3a8-52e95ea6dec6",
  "typ": "Bearer",
  "azp": "4d652406",
  "session_state": "55a84329-cf6d-4b9b-ba8f-aba03764c21c",
  "client_session": "bf1a0739-a39c-4515-9c00-78e1826b8d36",
  "allowed-origins": [
    "https://www.getpostman.com"
  ],
  "realm_access": {
    "roles": [
      "access_my_resource"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "test user",
  "preferred_username": "testuser",
  "given_name": "test",
  "family_name": "user",
  "email": "test@blah.com"
}
AUTHORIZATION CODE FLOW
#9.4 - The Bearer Token
● Digitally signed by the Auth Server.
● A standardised identity token.
● Contains the username and roles, but custom claims can also be added.
AUTHORIZATION CODE FLOW
#9.5 - Web App Submits The Access Token To Get User Info (Optional)
Application → RH SSO: GET /realms/{realm}/protocol/openid-connect/userinfo (with Access Token)
AUTHORIZATION CODE FLOW
#9.6 - Web App Receives UserInfo
RH SSO → Application: HTTP 200 {user_info}
AUTHORIZATION CODE FLOW
#10 - Web App Submits The Bearer Token
Application → API Gateway: GET gateway.com/api/catalog
Header: "Authorization: Bearer {token}"
AUTHORIZATION CODE FLOW
#10.1 - Gateway Verifies Token
API Gateway: Verify JWT (signature, expiry, client_id)
AUTHORIZATION CODE FLOW
#10.2 - Gateway Requests Auth To API Manager
API Gateway → API Manager: GET /transactions/authrep.xml
AUTHORIZATION CODE FLOW
#10.3 - API Manager Responds "Authorized"
API Manager → API Gateway: HTTP 200 {authorized}
AUTHORIZATION CODE FLOW
#10.4 - Gateway Calls Backend API
API Gateway → API Service: backend.com/buystuff
THANK YOU