Constructing a successful and simple API is the lifeblood of your developer community. As we build our API we need a secure way to authenticate and track apps and requests; OAuth 2 provides a secure, open way of doing just that.
In this talk we examine REST and OAuth 2 as standards for building secure API infrastructures, exploring the architectural decisions involved in choosing among REST variations and OAuth 2 implementations.
3. Poor Password Choices
• 4.7% of users have the password password;
• 8.5% have the passwords password or 123456;
• 9.8% have the passwords password, 123456 or 12345678;
• 14% have a password from the top 10 passwords;
• 40% have a password from the top 100 passwords;
• 79% have a password from the top 500 passwords;
• 91% have a password from the top 1000 passwords.
4. …And of What’s Left
1. Pet’s name
2. Significant dates (like a wedding anniversary)
3. Date of birth of close relation
4. Child’s name
5. Other family member’s name
6. Place of birth
7. Favorite holiday
8. Something related to favorite football team
9. Current partner’s name
18. Reasons for Auth
• Rate limiting and attack-vector protection
• Having the ability to revoke an application's access
• Needing to allow users to revoke an application's access to their data
22. Redirect the User to Log In
Prepare the redirect URI, then send the browser to the authorization endpoint with:
• client_id
• response_type (token)
• scope
• redirect_uri
After the user logs in and consents, the authorization endpoint redirects the browser back to the redirect URI. Note that response_type=token is the implicit grant: the access token comes back in the URL fragment, so it is exposed to browser history and any script on the redirect page; the authorization-code flow on the next slide keeps the token off the front channel.
23. Fetching the Access Token
Fetch the access token with an HTTP POST to the access-token endpoint carrying:
• client_id
• client_secret
• grant_type
• code
The access-token endpoint responds with the access token.
26. Using the Access Token
Fetch privileged resources from the resource endpoint with HTTP GET / PUT / POST / DELETE, sending in the Authorization header:
• token type
• access token
27. Using the Access Token
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer EMxItHE7Zl4cMdkv…" \
  -d "{...}"
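The three client-side steps on slides 22, 23 and 26/27 (build the authorization redirect, exchange the returned code at the token endpoint, call the resource endpoint with a Bearer header) as one runnable sequence of pure functions. This is an added example, not code from the deck or from PayPal's SDKs: the endpoint URLs, client_id, client_secret, redirect URI and scope are assumed placeholders, and the callback URL and token response are constructed inline so the block runs offline. It uses response_type=code rather than the implicit grant shown on slide 22, and adds the two checks a practitioner wants on the callback: an exact match on the registered redirect URI and a constant-time comparison of the state parameter.

```python
"""OAuth 2 authorization-code client steps, as pure functions (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders, not values from the slides.
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
REDIRECT_URI = "https://app.example.com/callback"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"
SCOPE = "payments:read"


def new_state():
    """Unguessable per-login value that binds the callback to this session (login-CSRF defence)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, scope=SCOPE):
    """Step 1 (slide 22): the URL the browser is redirected to.

    response_type=code keeps the access token off the front channel; the
    implicit grant (response_type=token) would return it in the URL fragment.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the authorization endpoint; return the code.

    Raises ValueError on any mismatch, in which case the code must not be exchanged.
    """
    parts = urlsplit(callback_url)
    base = parts.scheme + "://" + parts.netloc + parts.path
    if base != REDIRECT_URI:  # exact match: no prefix or host tricks
        raise ValueError("callback arrived on an unregistered redirect URI")
    q = parse_qs(parts.query)
    if "error" in q:
        raise ValueError("authorization server returned error: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible login CSRF")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def build_token_request(code):
    """Step 2 (slide 23): URL and form body of the HTTP POST to the access-token endpoint.

    Send it with any HTTP client over TLS. The client_secret only ever travels
    in this server-to-server POST, never in the browser redirect.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_ENDPOINT, body


def resource_headers(token_response):
    """Step 3 (slides 26/27): headers for a call to the resource endpoint.

    token_response is the parsed JSON from the token endpoint; refuse anything
    that is not a bearer token rather than guessing how to present it.
    """
    token_type = str(token_response.get("token_type", ""))
    if token_type.lower() != "bearer":
        raise ValueError("unexpected token_type: " + token_type)
    return {
        "Authorization": "Bearer " + token_response["access_token"],
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Constructed callback, as if the browser had just returned from the provider.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    code = parse_callback(callback, state)
    print(build_token_request(code))
    # Constructed token response in the shape the token endpoint returns.
    print(resource_headers({"access_token": "constructed-token", "token_type": "Bearer"}))
```

The state value must be stored server-side in the user's session between steps 1 and 2; a callback that fails any check in parse_callback is dropped, and the code is never sent to the token endpoint.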