Constructing a successful and simple API is the lifeblood of your developer community. As we construct our API we need a secure way to authenticate and track apps & requests; OAuth 2 provides us with a secure and open way of doing just this. In this talk, we will examine REST and OAuth 2 as standards for building secure API infrastructures, exploring architectural decisions in choosing REST standard variations and implementations of OAuth 2

1. Securing RESTful APIs
Using OAuth 2 and OpenID Connect
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer
Evangelism at PayPal

2. Why do we Need This?

3. Poor Password Choices
•
4.7% of users have the password password;
•
8.5% have the passwords password or 123456;
•
9.8% have the passwords password, 123456 or
12345678;
•
14% have a password from the top 10 passwords
•
40% have a password from the top 100 passwords
•
79% have a password from the top 500 passwords
•
91% have a password from the top 1000 passwords

4. …And of What’s Left
1. Pet’s name
2. Significant dates (like a wedding anniversary)
3. Date of birth of close relation
4. Child’s name
5. Other family member’s name
6. Place of birth
7. Favorite holiday
8. Something related to favorite football team
9. Current partner’s name

5. Handing Over Account Passwords

6. Malicious Applications

7. Aspects of Revocation

8. App Revoked by User
App Revoked by
Service Provider

9. Path to the Standard

10. Username & Password to Auth

11. Rise of the Token

12. Two Widely Used Specifications

13. REST Request Components

14. How Requests are Made
curl -v
https://api.sandbox.paypal.com/v1/payments/payme
nt
-H "Content-Type:application/json"
-d '{
"intent": "sale",
"payer": { ... },
"transactions": [{
"amount": { ... }
}]
}'

15. How Auth is Added in
curl -v
https://api.sandbox.paypal.com/v1/payments/payment
-H "Content-Type:application/json"
-H "Authorization: Bearer {accessToken}"
-d '{
"intent": "sale",
"payer": { ... },
"transactions": [{
"amount": { ... }
}]
}'

16. Attack Vectors
Man in the Middle
Replay Attacks
Cross-Site Request
Forgery (CSRF)

17. Adding in the Auth

18. Reasons for Auth
Rate Limiting and Attack Vector Protection
Having the ability to revoke application
access
Needing to allow users to revoke an
applications access to their data

19. When You Need Access Security

20. User Login
(authentication)
User Involvement
(authorization)
Application Only
(monitoring)

21. Practical Implementation

22. Redirect the User to Log In
Prepare the Redirect URI
Authorization Endpoint
client_id response_type (token)
scope
redirect_uri
Browser Redirect
Redirect URI

23. Fetching the Access Token
Fetch the Access Token
Access Token Endpoint
client_id
grant_type
client_secret
code
HTTP POST
Access Token Endpoint

24. Fetching the Access Token
curl https://api.sandbox.paypal.com/v1/oauth2/token
-H "Accept: application/json"
-H "Accept-Language: en_US"
-u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…"
-d "grant_type=client_credentials"

25. Access Token Response
{
"scope": "https://api.paypal.com/v1/payments/.*
https://api.paypal.com/v1/vault/credit-card",
"access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…",
"token_type": "Bearer",
"app_id": "APP-6XR95014SS315863X",
"expires_in": 28800
}

26. Using the Access Token
Fetch Privileged Resources
Resource Endpoint
Token Type (Authorization header)
Access Token (Authorization header)
HTTP GET / PUT / POST /
DELETE
Resource Endpoint

27. Using the Access Token
curl -v
https://api.sandbox.paypal.com/v1/payments/payment
-H "Content-Type:application/json"
-H "Authorization:Bearer EMxItHE7Zl4cMdkv…"
-d "{...}"

28. Maintaining SDK Consistency

29. Defining APIs with WADL / WSDL

30. <?xml version="1.0" encoding="UTF-8"?>
<description xmlns="http://www.w3.org/ns/wsdl" ...>
<types> … </types>
<interface name="Interface1"> … </interface>
<binding name="HttpBinding" interface="tns:Interface1”>
<operation ref="tns:Get" whttp:method="GET"/>
</binding>
<binding name="SoapBinding" interface="tns:Interface1" …>
<operation ref="tns:Get" />
</binding>
<service name="Service1" interface="tns:Interface1">
<endpoint name="HttpEndpoint" binding="tns:HttpBinding"
address="http://www.example.com/rest/"/>
<endpoint name="SoapEndpoint" binding="tns:SoapBinding"
address="http://www.example.com/soap/"/>
</service>
</description>

31. <?xml version="1.0"?>
<application xmlns:xsi=…>
<grammars>
<include href="NewsSearchResponse.xsd"/>
<include href="Error.xsd"/>
</grammars>
<resources base="http://api.search.yahoo.com/NewsSearchService/V1/">
<resource path="newsSearch">
<method name="GET" id="search">
<request>
<param name="appid" type="xsd:string" required="true"/>
<param name="query" type="xsd:string" required="true"/>
</request>
<response status="400">
<representation mediaType="application/xml" element="ya:Error"/>
</response>
</method>
</resource>
</resources>
</application>

32. Genio (templates)
https://github.com/paypal/genio
Genio Parser (model builder)
https://github.com/paypal/genio-parser
Genio Samples
https://github.com/paypal/genio-sample
Building SDKs Automatically

33. Final Considerations
REST and OAuth are specifications,
not religions
Don’t alienate your developers
with security
Open source is your friend

34. Thank You! Questions?
http://slideshare.net/jcleblanc
Jonathan LeBlanc (@jcleblanc)
Global Head of Developer
Evangelism at PayPal