Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

1. Securing RESTful APIs
Using OAuth 2 and OpenID Connect
Jonathan LeBlanc (@jcleblanc)
Head of Developer Evangelism
PayPal North America

2. What We’re Covering
Auth History and REST Concepts
Adding in an Auth Mechanism
Integration in Practice
(server + client side integrations)

3. What We Want

4. The Ultimate Decision
Security Usability

5. Path to the Standard

6. The Insecure, Unmanageable Start

7. Very Secure, Long to Implement

8. Two Currently Widely Used Specs

9. REST Architecture

10. What a RESTful API isn’t
Our API is RESTful, we support GET,
PUT, POST, and DELETE requests
No…actually you just support
HTTP…like the rest of the web.

11. What a RESTful API is
Honor HTTP request verbs
Use proper HTTP status codes
No version numbering in URIs
Return format via HTTP Accept header

12. Does Anyone Actually Do That?
Very few APIs
follow pragmatic
REST principles

13. HATEOAS

14. "links": [{
"href": "https://api.sandbox.paypal.com/v1/payments/
payment/PAY-6RV75EKEYSZ6Y",
"rel": "self",
"method": "GET"
},{
"href": "https://www.sandbox.paypal.com/webscr?
cmd=_express-checkout&token=EC-6019609",
"rel": "approval_url",
"method": "REDIRECT"
},{
"href": "https://api.sandbox.paypal.com/v1/payments/
payment/PAY-6RV75EKEYSZ6Y/execute",
"rel": "execute",
"method": "POST"
}
]

15. Adding Auth Mechanisms

16. Reasons for Auth
Rate Limiting and Attack Vector Protection
Having the ability to revoke application
access
Needing to allow users to revoke an
applications access to their data

17. When You Need Access Security

18. A Few Different Flavors of Usage
User login (authentication)
Application only (bearer tokens)
User Involvement (authorization)

19. Practical Implementation

20. Fetching the Access Token
Fetch the Access Token
Access Token Endpoint
client_id grant_type
client_secret
HTTP POST
Access Token Endpoint

21. Fetching the Access Token
curl https://api.sandbox.paypal.com/v1/oauth2/token
-H "Accept: application/json"
-H "Accept-Language: en_US"
-u "EOJ2S-Z6OoN_le_KS1d75wsZ6y0SFd…"
-d "grant_type=client_credentials"

22. Access Token Response
{
"scope": "https://api.paypal.com/v1/payments/.*
https://api.paypal.com/v1/vault/credit-card",
"access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
"token_type": "Bearer",
"app_id": "APP-6XR95014SS315863X",
"expires_in": 28800
}

23. Using the Access Token
Fetch Privileged Resources
Resource Endpoint
Token Type (Authorization header)
Access Token (Authorization header)
HTTP GET / PUT / POST /
DELETE
Resource Endpoint

24. Using the Access Token
curl -v
https://api.sandbox.paypal.com/v1/payments/payment
-H "Content-Type:application/json"
-H "Authorization:Bearer EMxItHE7Zl4cMdkv…"
-d "{...}"

25. A few implementation differences
Endpoints
Scopes (dynamic / static)
Using the Access Token in a request

26. OAuth 2 & JavaScript?

27. The Complexities of JavaScript
The same-origin policy
Keeping private keys private
Not having to provide a hacked
experience

28. The Ways we Made it Work
Server-side proxy
Flash / iframe proxy
Private token storage
mechanism

29. User Agent Flow: Redirect
Prepare the Redirect URI
Authorization Endpoint
client_id response_type (token)
scope redirect_uri
Browser Redirect
Redirect URI

30. User Agent Flow: Redirect
Building the redirect link
var auth_uri = auth_endpoint +
"?response_type=token" +
"&client_id=" + client_id +
"&scope=profile" +
"&redirect_uri=" + window.location;
$("#auth_btn").attr("href", auth_uri);

31. User Agent Flow: Hash Mod
Fetch the Hash Mod
access_token
refresh_token
expires_in
Extract Access Token

32. User Agent Flow: Hash Mod
http://site.com/callback#access_token=rBEGu1FQr5
4AzqE3Q&refresh_token=rEBt51FZr54HayqE3V4a&
expires_in=3600
var hash = document.location.hash;
var match = hash.match(/access_token=(w+)/);
Extracting the access token from the hash

33. User Agent Flow: Get Resources
Set Request Headers + URI
Resource Endpoint
Header: token type + access token
Header: accept data type
HTTPS Request

34. User Agent Flow: Get Resources
$.ajax({
url: resource_uri,
beforeSend: function (xhr) {
xhr.setRequestHeader('Authorization', 'OAuth ' + token);
xhr.setRequestHeader('Accept', 'application/json');
},
success: function (response) {
//use response object
}
});
Making an authorized request

35. Using the Skeleton Key

36. How it’s Normally Used
Access user details
Push data through
user social streams

37. But why?
Access token as a
control structure
Improve Existing
Products
Our showcase:
Seamless Checkout

38. The Last Considerations
REST and OAuth are specifications,
not religions
Don’t alienate your developers
with security
Open source is your friend

39. A Few Code Links
OAuth2 & OpenID Connect Samples
https://github.com/jcleblanc/oauth
https://github.com/paypal/paypal-access
Log in with PayPal
http://bit.ly/loginwithpaypal

40. Thank You! Questions?
http://slideshare.net/jcleblanc
Jonathan LeBlanc (@jcleblanc)
Head of Developer Evangelism
PayPal North America