book

Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE

Name: Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE
Author: Prabath Siriwardena
ISBN: 9781430268178

by Prabath Siriwardena

August 2014

Intermediate to advanced

260 pages

7h 18m

English

Apress

Read now

Unlock full access

Cover
Title
Copyright
Dedication
Contents at a Glance
Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction

Chapter 1: Managed APIs
The API EvolutionAPI vs. Managed APIAPI vs. ServiceDiscovering and Describing APIsManaged APIs in PracticeTwitter APISalesforce APISummary
Chapter 2: Security by Design
Design ChallengesUser ComfortDesign PrinciplesLeast PrivilegeFail-Safe DefaultsEconomy of MechanismComplete MediationOpen DesignSeparation of PrivilegeLeast Common MechanismPsychological AcceptabilityConfidentiality, Integrity, Availability (CIA)ConfidentialityIntegrityAvailabilitySecurity ControlsAuthenticationAuthorizationNonrepudiationAuditingSecurity PatternsDirect Authentication PatternSealed Green Zone PatternLeast Common Mechanism PatternBrokered Authentication PatternPolicy-Based Access Control PatternThreat ModelingSummary
Chapter 3: HTTP Basic/Digest Authentication
HTTP Basic AuthenticationHTTP Digest AuthenticationSummary
Chapter 4: Mutual Authentication with TLS
Evolution of TLSHow TLS WorksTLS HandshakeApplication Data TransferSummary
Chapter 5: Identity Delegation
Direct Delegation vs. Brokered DelegationEvolution of Identity DelegationGoogle ClientLoginGoogle AuthSubFlickr Authentication APIYahoo! Browser-Based Authentication (BBAuth)Summary
Chapter 6: OAuth 1.0
The Token DanceTemporary-Credential Request PhaseResource-Owner Authorization PhaseToken-Credential Request PhaseInvoking a Secured Business API with OAuth 1.0Demystifying oauth_signatureThree-Legged OAuth vs. Two-Legged OAuthOAuth WRAPSummary
Chapter 7: OAuth 2.0
OAuth WRAPClient Account and Password ProfileAssertion ProfileUsername and Password ProfileWeb App ProfileRich App ProfileAccessing a WRAP-Protected APIWRAP to OAuth 2.0OAuth 2.0 Grant TypesAuthorization Code Grant TypeImplicit Grant TypeResource Owner Password Credentials Grant TypeClient Credentials Grant TypeOAuth 2.0 Token TypesOAuth 2.0 Bearer Token ProfileOAuth 2.0 Client TypesOAuth 2.0 and FacebookOAuth 2.0 and LinkedInOAuth 2.0 and SalesforceOAuth 2.0 and GoogleAuthentication vs. AuthorizationSummary
Chapter 8: OAuth 2.0 MAC Token Profile
Bearer Token vs. MAC TokenObtaining a MAC TokenInvoking an API Protected with the OAuth 2.0 MAC Token ProfileCalculating the MACMAC Validation by the Resource ServerOAuth Grant Types and the MAC Token ProfileOAuth 1.0 vs. OAuth 2.0 MAC Token ProfileSummary
Chapter 9: OAuth 2.0 Profiles
Token Introspection ProfileXACML and OAuth Token IntrospectionChain Grant Type ProfileDynamic Client Registration ProfileToken Revocation ProfileSummary
Chapter 10: User Managed Access (UMA)
ProtectServeUMA and OAuthUMA ArchitectureUMA PhasesUMA Phase 1: Protecting a ResourceUMA Phase 2: Getting AuthorizationUMA Phase 3: Accessing the Protected ResourceUMA APIsProtection APIAuthorization APIThe Role of UMA in API SecuritySummary
Chapter 11: Federation
Enabling FederationBrokered AuthenticationSAML 2.0 Profile for OAuth: Client AuthenticationSAML 2.0 Profile for OAuth: Grant TypeJWT Profile for OAuth 2.0 Client Authentication and Authorization GrantsSummary
Chapter 12: OpenID Connect
A Brief History of OpenID ConnectUnderstanding OpenID ConnectAnatomy of the ID TokenOpenID Connect RequestRequesting User AttributesGrant Types for OpenID ConnectRequesting Custom User AttributesOpenID Connect DiscoveryOpenID Connect Identity Provider MetadataOpenID Connect Dynamic Client RegistrationOpenID Connect for Securing APIsSummary
Chapter 13: JWT, JWS, and JWE
JSON Web TokenJOSE Working GroupJSON Web SignatureSignature AlgorithmsSerializationJSON Web EncryptionContent Encryption vs. Key WrappingSerializationSummary
Chapter 14: Patterns and Practices
Direct Authentication with the Trusted Subsystem PatternSingle Sign-On with the Delegated Access Control PatternSingle Sign-On with the Integrated Windows Authentication PatternIdentity Proxy with the Delegated Access Control PatternDelegated Access Control with the JSON Web Token PatternNonrepudiation with the JSON Web Signature PatternChained Access Delegation PatternTrusted Master Access Delegation PatternResource Security Token Service (STS) with the Delegated Access Control PatternDelegated Access Control with the Hidden Credentials PatternSummary
Index

Overview

AdvancedAPI Security is a complete reference to the next wave of challenges in enterprise security--securing public and private APIs.

API adoption in both consumer and enterprises has gone beyond predictions. It has become the ‘coolest’ way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed. Security is not an afterthought, but API security has evolved a lot in last five years. The growth of standards, out there, has been exponential.

That's where AdvancedAPI Security comes in--to wade through the weeds and help you keep the bad guys away while realizing the internal and external benefits of developing APIs for your services. Our expert author guides you through the maze of options and shares industry leading best practices in designing APIs for rock-solid security. The book will explain, in depth, securing APIs from quite traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it.

Build APIs with rock-solid security today with Advanced API Security.

Takes you through the best practices in designing APIs for rock-solid security.

Provides an in depth tutorial of most widely adopted security standards for API security.

Teaches you how to compare and contrast different security standards/protocols to find out what suits your business needs the best.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Advanced API Security: OAuth 2.0 and Beyond

Publisher Resources

ISBN: 9781430268178Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills