Advanced API Security
Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE
Published on 28. August 2014
XIV, 260 pages
978-1-4302-6817-8 (ISBN)
Description
Advanced API Security is a complete reference to the next wave of challenges in enterprise security--securing public and private APIs. API adoption in both consumer and enterprises has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed. Security is not an afterthought, but API security has evolved a lot in last five years. The growth of standards, out there, has been exponential. That's where AdvancedAPI Security comes in--to wade through the weeds and help you keep the bad guys away while realizing the internal and external benefits of developing APIs for your services. Our expert author guides you through the maze of options and shares industry leading best practices in designing APIs for rock-solid security. The book will explain, in depth, securing APIs from quite traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it. Build APIs with rock-solid security today with Advanced API Security.Takes you through the best practices in designing APIs for rock-solid security.Provides an in depth tutorial of most widely adopted security standards for API security.Teaches you how to compare and contrast different security standards/protocols to find out what suits your business needs the best.
More details
Other editions
New editions
E-Book
12/2019
2nd Edition
APress
€46.99
Available for download
Additional editions
Book
08/2014
Apress
€64.19
Article exhausted; check for reprint
Person
Prabath Siriwardena is the Director of Security Architecture at WSO2 Inc., a company that produces a wide variety of open source software from data to screen. He is a member of OASIS Identity Metasystem Interoperability (IMI) TC,OASIS eXtensible Access Control Markup Language (XACML) TC, OASIS Security Services (SAML) TC, OASIS Identity in the Cloud TC and OASIS Cloud Authorization (CloudAuthZ) TC. Prabath is also a member of Apache Axis PMC and has spoken at numerous international conferences including OSCON, ApacheCon, WSO2Con, EIC, IDentity Next and OSDC. He has more than 9 years industry experience and has worked with many Fortune 100 companies.
Content
- Intro
- Contents at a Glance
- Contents
- About the Author
- About the Technical Reviewer
- Acknowledgments
- Introduction
- Chapter 1: Managed APIs
- The API Evolution
- API vs. Managed API
- API vs. Service
- Discovering and Describing APIs
- Managed APIs in Practice
- Twitter API
- Salesforce API
- Summary
- Chapter 2: Security by Design
- Design Challenges
- User Comfort
- Performance
- Weakest Link
- Defense in Depth
- Insider Attacks
- Security by Obscurity
- Design Principles
- Least Privilege
- Fail-Safe Defaults
- Economy of Mechanism
- Complete Mediation
- Open Design
- Separation of Privilege
- Least Common Mechanism
- Psychological Acceptability
- Confidentiality, Integrity, Availability (CIA)
- Confidentiality
- Integrity
- Availability
- Security Controls
- Authentication
- Something You Know
- Something You Have
- Something You Are
- Authorization
- Discretionary Access Control (DAC) vs. Mandatory Access Control (MAC)
- Nonrepudiation
- Auditing
- Security Patterns
- Direct Authentication Pattern
- Managing Credentials
- Biometric Authentication
- Sealed Green Zone Pattern
- Least Common Mechanism Pattern
- Brokered Authentication Pattern
- Policy-Based Access Control Pattern
- Threat Modeling
- Summary
- Chapter 3: HTTP Basic/Digest Authentication
- HTTP Basic Authentication
- HTTP Digest Authentication
- Summary
- Chapter 4: Mutual Authentication with TLS
- Evolution of TLS
- How TLS Works
- TLS Handshake
- Application Data Transfer
- Summary
- Chapter 5: Identity Delegation
- Direct Delegation vs. Brokered Delegation
- Evolution of Identity Delegation
- Google ClientLogin
- Google AuthSub
- Flickr Authentication API
- Yahoo! Browser-Based Authentication (BBAuth)
- Summary
- Chapter 6: OAuth 1.0
- The Token Dance
- Temporary-Credential Request Phase
- Resource-Owner Authorization Phase
- Token-Credential Request Phase
- Invoking a Secured Business API with OAuth 1.0
- Demystifying oauth_signature
- Three-Legged OAuth vs. Two-Legged OAuth
- OAuth WRAP
- Summary
- Chapter 7: OAuth 2.0
- OAuth WRAP
- Client Account and Password Profile
- Assertion Profile
- Username and Password Profile
- Web App Profile
- Rich App Profile
- Accessing a WRAP-Protected API
- WRAP to OAuth 2.0
- OAuth 2.0 Grant Types
- Authorization Code Grant Type
- Implicit Grant Type
- Resource Owner Password Credentials Grant Type
- Client Credentials Grant Type
- OAuth 2.0 Token Types
- OAuth 2.0 Bearer Token Profile
- OAuth 2.0 Client Types
- OAuth 2.0 and Facebook
- OAuth 2.0 and LinkedIn
- OAuth 2.0 and Salesforce
- OAuth 2.0 and Google
- Authentication vs. Authorization
- Summary
- Chapter 8: OAuth 2.0 MAC Token Profile
- Bearer Token vs. MAC Token
- Obtaining a MAC Token
- Invoking an API Protected with the OAuth 2.0 MAC Token Profile
- Calculating the MAC
- MAC Validation by the Resource Server
- OAuth Grant Types and the MAC Token Profile
- OAuth 1.0 vs. OAuth 2.0 MAC Token Profile
- Summary
- Chapter 9: OAuth 2.0 Profiles
- Token Introspection Profile
- XACML and OAuth Token Introspection
- Chain Grant Type Profile
- Dynamic Client Registration Profile
- Token Revocation Profile
- Summary
- Chapter 10: User Managed Access (UMA)
- ProtectServe
- UMA and OAuth
- UMA Architecture
- UMA Phases
- UMA Phase 1: Protecting a Resource
- UMA Phase 2: Getting Authorization
- UMA Phase 3: Accessing the Protected Resource
- UMA APIs
- Protection API
- Authorization API
- The Role of UMA in API Security
- Summary
- Chapter 11: Federation
- Enabling Federation
- Brokered Authentication
- SAML 2.0 Profile for OAuth: Client Authentication
- SAML 2.0 Profile for OAuth: Grant Type
- JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
- Summary
- Chapter 12: OpenID Connect
- A Brief History of OpenID Connect
- Understanding OpenID Connect
- Anatomy of the ID Token
- OpenID Connect Request
- Requesting User Attributes
- Grant Types for OpenID Connect
- Requesting Custom User Attributes
- OpenID Connect Discovery
- OpenID Connect Identity Provider Metadata
- OpenID Connect Dynamic Client Registration
- OpenID Connect for Securing APIs
- Summary
- Chapter 13: JWT, JWS, and JWE
- JSON Web Token
- JOSE Working Group
- JSON Web Signature
- Signature Algorithms
- Serialization
- JSON Web Encryption
- Content Encryption vs. Key Wrapping
- Serialization
- Summary
- Chapter 14: Patterns and Practices
- Direct Authentication with the Trusted Subsystem Pattern
- Single Sign-On with the Delegated Access Control Pattern
- Single Sign-On with the Integrated Windows Authentication Pattern
- Identity Proxy with the Delegated Access Control Pattern
- Delegated Access Control with the JSON Web Token Pattern
- Nonrepudiation with the JSON Web Signature Pattern
- Chained Access Delegation Pattern
- Trusted Master Access Delegation Pattern
- Resource Security Token Service (STS) with the Delegated Access Control Pattern
- Delegated Access Control with the Hidden Credentials Pattern
- Summary
- Index
