Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE

Book description

AdvancedAPI Security is a complete reference to the next wave of challenges in enterprise security--securing public and private APIs.

API adoption in both consumer and enterprises has gone beyond predictions. It has become the ‘coolest’ way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed. Security is not an afterthought, but API security has evolved a lot in last five years. The growth of standards, out there, has been exponential.

That's where AdvancedAPI Security comes in--to wade through the weeds and help you keep the bad guys away while realizing the internal and external benefits of developing APIs for your services. Our expert author guides you through the maze of options and shares industry leading best practices in designing APIs for rock-solid security. The book will explain, in depth, securing APIs from quite traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it.

Build APIs with rock-solid security today with Advanced API Security.

  • Takes you through the best practices in designing APIs for rock-solid security.
  • Provides an in depth tutorial of most widely adopted security standards for API security.
  • Teaches you how to compare and contrast different security standards/protocols to find out what suits your business needs the best.
  • Table of contents

    1. Cover
    2. Title
    3. Copyright
    4. Dedication
    5. Contents at a Glance
    6. Contents
    7. About the Author
    8. About the Technical Reviewer
    9. Acknowledgments
    10. Introduction
    11. Chapter 1: Managed APIs
      1. The API Evolution
      2. API vs. Managed API
      3. API vs. Service
      4. Discovering and Describing APIs
      5. Managed APIs in Practice
        1. Twitter API
        2. Salesforce API
      6. Summary
    12. Chapter 2: Security by Design
      1. Design Challenges
        1. User Comfort
      2. Design Principles
        1. Least Privilege
        2. Fail-Safe Defaults
        3. Economy of Mechanism
        4. Complete Mediation
        5. Open Design
        6. Separation of Privilege
        7. Least Common Mechanism
        8. Psychological Acceptability
      3. Confidentiality, Integrity, Availability (CIA)
        1. Confidentiality
        2. Integrity
        3. Availability
      4. Security Controls
        1. Authentication
        2. Authorization
        3. Nonrepudiation
        4. Auditing
      5. Security Patterns
        1. Direct Authentication Pattern
        2. Sealed Green Zone Pattern
        3. Least Common Mechanism Pattern
        4. Brokered Authentication Pattern
        5. Policy-Based Access Control Pattern
      6. Threat Modeling
      7. Summary
    13. Chapter 3: HTTP Basic/Digest Authentication
      1. HTTP Basic Authentication
      2. HTTP Digest Authentication
      3. Summary
    14. Chapter 4: Mutual Authentication with TLS
      1. Evolution of TLS
      2. How TLS Works
      3. TLS Handshake
      4. Application Data Transfer
      5. Summary
    15. Chapter 5: Identity Delegation
      1. Direct Delegation vs. Brokered Delegation
      2. Evolution of Identity Delegation
        1. Google ClientLogin
        2. Google AuthSub
        3. Flickr Authentication API
        4. Yahoo! Browser-Based Authentication (BBAuth)
      3. Summary
    16. Chapter 6: OAuth 1.0
      1. The Token Dance
        1. Temporary-Credential Request Phase
        2. Resource-Owner Authorization Phase
        3. Token-Credential Request Phase
        4. Invoking a Secured Business API with OAuth 1.0
      2. Demystifying oauth_signature
      3. Three-Legged OAuth vs. Two-Legged OAuth
      4. OAuth WRAP
      5. Summary
    17. Chapter 7: OAuth 2.0
      1. OAuth WRAP
        1. Client Account and Password Profile
        2. Assertion Profile
        3. Username and Password Profile
        4. Web App Profile
        5. Rich App Profile
      2. Accessing a WRAP-Protected API
      3. WRAP to OAuth 2.0
      4. OAuth 2.0 Grant Types
        1. Authorization Code Grant Type
        2. Implicit Grant Type
        3. Resource Owner Password Credentials Grant Type
        4. Client Credentials Grant Type
      5. OAuth 2.0 Token Types
        1. OAuth 2.0 Bearer Token Profile
      6. OAuth 2.0 Client Types
      7. OAuth 2.0 and Facebook
      8. OAuth 2.0 and LinkedIn
      9. OAuth 2.0 and Salesforce
      10. OAuth 2.0 and Google
      11. Authentication vs. Authorization
      12. Summary
    18. Chapter 8: OAuth 2.0 MAC Token Profile
      1. Bearer Token vs. MAC Token
      2. Obtaining a MAC Token
      3. Invoking an API Protected with the OAuth 2.0 MAC Token Profile
      4. Calculating the MAC
      5. MAC Validation by the Resource Server
      6. OAuth Grant Types and the MAC Token Profile
      7. OAuth 1.0 vs. OAuth 2.0 MAC Token Profile
      8. Summary
    19. Chapter 9: OAuth 2.0 Profiles
      1. Token Introspection Profile
        1. XACML and OAuth Token Introspection
      2. Chain Grant Type Profile
      3. Dynamic Client Registration Profile
      4. Token Revocation Profile
      5. Summary
    20. Chapter 10: User Managed Access (UMA)
      1. ProtectServe
        1. UMA and OAuth
      2. UMA Architecture
      3. UMA Phases
        1. UMA Phase 1: Protecting a Resource
        2. UMA Phase 2: Getting Authorization
        3. UMA Phase 3: Accessing the Protected Resource
      4. UMA APIs
        1. Protection API
        2. Authorization API
      5. The Role of UMA in API Security
      6. Summary
    21. Chapter 11: Federation
      1. Enabling Federation
      2. Brokered Authentication
      3. SAML 2.0 Profile for OAuth: Client Authentication
      4. SAML 2.0 Profile for OAuth: Grant Type
      5. JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
      6. Summary
    22. Chapter 12: OpenID Connect
      1. A Brief History of OpenID Connect
      2. Understanding OpenID Connect
        1. Anatomy of the ID Token
        2. OpenID Connect Request
        3. Requesting User Attributes
        4. Grant Types for OpenID Connect
        5. Requesting Custom User Attributes
        6. OpenID Connect Discovery
        7. OpenID Connect Identity Provider Metadata
        8. OpenID Connect Dynamic Client Registration
        9. OpenID Connect for Securing APIs
      3. Summary
    23. Chapter 13: JWT, JWS, and JWE
      1. JSON Web Token
      2. JOSE Working Group
      3. JSON Web Signature
        1. Signature Algorithms
        2. Serialization
      4. JSON Web Encryption
        1. Content Encryption vs. Key Wrapping
        2. Serialization
      5. Summary
    24. Chapter 14: Patterns and Practices
      1. Direct Authentication with the Trusted Subsystem Pattern
      2. Single Sign-On with the Delegated Access Control Pattern
      3. Single Sign-On with the Integrated Windows Authentication Pattern
      4. Identity Proxy with the Delegated Access Control Pattern
      5. Delegated Access Control with the JSON Web Token Pattern
      6. Nonrepudiation with the JSON Web Signature Pattern
      7. Chained Access Delegation Pattern
      8. Trusted Master Access Delegation Pattern
      9. Resource Security Token Service (STS) with the Delegated Access Control Pattern
      10. Delegated Access Control with the Hidden Credentials Pattern
      11. Summary
    25. Index

    Product information

    • Title: Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE
    • Author(s):
    • Release date: August 2014
    • Publisher(s): Apress
    • ISBN: 9781430268178