Enhancing API Security and Privacy Through Hardening the Access Token | apidays New York 2024

Curityio 40 views 32 slides May 07, 2024
Slide 1
Slide 1 of 32
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32

About This Presentation

Slides from Jonas Iggbom's workshop on enhancing API security and privacy through hardening the access token.

apidays New York, April 30 - May 2, 2024

Size: 1.79 MB
Language: en
Added: May 07, 2024
Slides: 32 pages

Slide Content

Enhancing API Security and Privacy Through Hardening the Access Token

Jonas Iggbom Director of Sales Engineering

Who needs secure APIs? mTLS Sender-constrained access tokens PAR JARM The Phantom Token Pattern Agenda

Who Needs Secure APIs? Finance Medical Sensitive data

mTLS

TLS Client Server

mTLS = mutual TLS Client

Sender-constrained tokens

Bearer tokens Sender-constrained tokens / Proof-of-Possession tokens Sender-constrained Tokens

Client 2 Client 1 Bearer Tokens API API Gateway

Client 2 Client 1 Sender-constrained Tokens API Gateway API

Client Authorization Server private key mTLS mTLS Sender-constrained Tokens API Gateway API

Proof-of-Possession for JWTs Standard defined in RFC 7800. Adds a “cnf” (confirmation) claim to the token, which enables the recipient to verify the caller.

PoP JWTs with “cnf” claim Client API API Gateway Authorization Server public key private key + proof of { “cnf”: { “kid”: “1234” } } + proof of

OAuth 2.0 Demonstrating Proof of Possession (DPoP) Standard defined in RFC 9449. Sender constrained tokens with JWT-bases proofs. Useful when it is not possible to use mTLS.

Pushed Authorization Requests (PAR)

Pushed Authorization Requests Standard defined in RFC 9126. Provides means for confidential and integrity-protected authorization requests.

HTTP 400 Standard OAuth Authorization Requests GET /authorize?client_id=abc&scopes=read%20write HTTP 302 Location: /cb?code=123 Is that a legitimate client? Are the parameters OK? Can these end up in the browser logs? Client Authorization Server

Pushed Authorization Requests POST /authorize/par Authorization: Basic 0JjQlNCYOtCd0JDQpdCj0Jkh client_id=abc&scopes=read%20write request_id: 1234 GET /authorize?request_id=1234 Client Authorization Server

Pushed Authorization Requests The client is authenticated before the authorization request Authorization request parameters can’t be tampered with Request parameters do not traverse through unsecure transport URL limitations are no longer a concern Ability to ease on redirect URI restrictions

JWT Secured Authorization Response Mode (JARM)

JWT Secured Authorization Response Mode A specification from the OpenID Foundation Protects against attacks on the authorization code response

Standard Response GET /authorize?client_id=abc&scopes=read%20write… HTTP 302 Location: https://example.com/cb?code=abcdef&state=1234 Was it issued by the correct Authorization Server? Does this code belong to this state? Client Authorization Server

JWT Secured Response GET /authorize?client_id=abc&scopes=read%20write… HTTP 302 Location: https://example.com/cb?response=eyJhbGciOiJSUzN… decode & verify { iss: https://idsvr.example.com , code: “abcdef”, state: “12345”, … } Client Authorization Server

JWT Secured Authorization Response Mode The code response is integrity-protected. Response parameters strongly coupled (mitigates replay attacks). Protection from mix-up attacks (ability to verify iss claim).

The Phantom Token Pattern

By-value vs. By-reference Client JWT Authorization Server opaque

By-value vs. By-reference Opaque tokens should always be your preferred choice: Data in a JWT is meant for the API, not the client Data in a JWT is public – danger of releasing PII or information about your API Risk of damaging integrations with incompatible changes

Client Token Introspection opaque Authorization Server API Gateway API

Token Introspection Client Service 1 Service 2 opaque Authorization Server API Gateway API

The Phantom Token Flow Client API Service 1 Service 2 Authorization Server opaque JWT API Gateway

The Phantom Token Flow Client API Authorization Server = Cache API Gateway
Tags
jwt oauth api security access tokens tokens
Categories
Business Technology
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 40
  • Slides 32
  • Favorites 1
  • Age 574 days
Related Slideshows
DTI BPI Pivot Small Business - BUSINESS START UP PLAN 1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
30 views
CATHOLIC EDUCATIONAL Corporate Responsibilities 1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
31 views
Karin Schaupp – Evocation; lançamento: 2000 11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
30 views
Pillars of Biblical Oneness in the Book of Acts 10
Pillars of Biblical Oneness in the Book of Acts
JanParon
27 views
7-10. STP + Branding and Product & Services Strategies.pptx 31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
29 views
Business Legislation PPT - UNIT 1 jimllpkggg 44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
32 views
View More in This Category