book

API Security in Action

by Neil Madden

January 2021

Intermediate to advanced

576 pages

18h 9m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookWho should read this bookHow this book is organized: A roadmapAbout the codeliveBook discussion forumOther online resourcesabout the authorabout the cover illustration
1.1 An analogy: Taking your driving test1.2 What is an API?1.2.1 API styles1.3 API security in context1.3.1 A typical API deployment1.4 Elements of API security1.4.1 Assets1.4.2 Security goals1.4.3 Environments and threat models1.5 Security mechanisms1.5.1 Encryption1.5.2 Identification and authentication1.5.3 Access control and authorization1.5.4 Audit logging1.5.5 Rate-limitingAnswers to pop quiz questionsSummary
2.1 The Natter API2.1.1 Overview of the Natter API2.1.2 Implementation overview2.1.3 Setting up the project2.1.4 Initializing the database2.2 Developing the REST API2.2.1 Creating a new space2.3 Wiring up the REST endpoints2.3.1 Trying it out2.4 Injection attacks2.4.1 Preventing injection attacks2.4.2 Mitigating SQL injection with permissions2.5 Input validation2.6 Producing safe output2.6.1 Exploiting XSS Attacks2.6.2 Preventing XSS2.6.3 Implementing the protectionsAnswers to pop quiz questionsSummary
3.1 Addressing threats with security controls3.2 Rate-limiting for availability3.2.1 Rate-limiting with Guava3.3 Authentication to prevent spoofing3.3.1 HTTP Basic authentication3.3.2 Secure password storage with Scrypt3.3.3 Creating the password database3.3.4 Registering users in the Natter API3.3.5 Authenticating users3.4 Using encryption to keep data private3.4.1 Enabling HTTPS3.4.2 Strict transport security3.5 Audit logging for accountability3.6 Access control3.6.1 Enforcing authentication3.6.2 Access control lists3.6.3 Enforcing access control in Natter3.6.4 Adding new members to a Natter space3.6.5 Avoiding privilege escalation attacksAnswers to pop quiz questionsSummary
4.1 Authentication in web browsers4.1.1 Calling the Natter API from JavaScript4.1.2 Intercepting form submission4.1.3 Serving the HTML from the same origin4.1.4 Drawbacks of HTTP authentication4.2 Token-based authentication4.2.1 A token store abstraction4.2.2 Implementing token-based login4.3 Session cookies4.3.1 Avoiding session fixation attacks4.3.2 Cookie security attributes4.3.3 Validating session cookies4.4 Preventing Cross-Site Request Forgery attacks4.4.1 SameSite cookies4.4.2 Hash-based double-submit cookies4.4.3 Double-submit cookies for the Natter API4.5 Building the Natter login UI4.5.1 Calling the login API from JavaScript4.6 Implementing logoutAnswers to pop quiz questionsSummary

5.1 Allowing cross-domain requests with CORS5.1.1 Preflight requests5.1.2 CORS headers5.1.3 Adding CORS headers to the Natter API5.2 Tokens without cookies5.2.1 Storing token state in a database5.2.2 The Bearer authentication scheme5.2.3 Deleting expired tokens5.2.4 Storing tokens in Web Storage5.2.5 Updating the CORS filter5.2.6 XSS attacks on Web Storage5.3 Hardening database token storage5.3.1 Hashing database tokens5.3.2 Authenticating tokens with HMAC5.3.3 Protecting sensitive attributesAnswers to pop quiz questionsSummary
6.1 Storing token state on the client6.1.1 Protecting JSON tokens with HMAC6.2 JSON Web Tokens6.2.1 The standard JWT claims6.2.2 The JOSE header6.2.3 Generating standard JWTs6.2.4 Validating a signed JWT6.3 Encrypting sensitive attributes6.3.1 Authenticated encryption6.3.2 Authenticated encryption with NaCl6.3.3 Encrypted JWTs6.3.4 Using a JWT library6.4 Using types for secure API design6.5 Handling token revocation6.5.1 Implementing hybrid tokensAnswers to pop quiz questionsSummary
7.1 Scoped tokens7.1.1 Adding scoped tokens to Natter7.1.2 The difference between scopes and permissions7.2 Introducing OAuth27.2.1 Types of clients7.2.2 Authorization grants7.2.3 Discovering OAuth2 endpoints7.3 The Authorization Code grant7.3.1 Redirect URIs for different types of clients7.3.2 Hardening code exchange with PKCE7.3.3 Refresh tokens7.4 Validating an access token7.4.1 Token introspection7.4.2 Securing the HTTPS client configuration7.4.3 Token revocation7.4.4 JWT access tokens7.4.5 Encrypted JWT access tokens7.4.6 Letting the AS decrypt the tokens7.5 Single sign-on7.6 OpenID Connect7.6.1 ID tokens7.6.2 Hardening OIDC7.6.3 Passing an ID token to an APIAnswers to pop quiz questionsSummary
8.1 Users and groups8.1.1 LDAP groups8.2 Role-based access control8.2.1 Mapping roles to permissions8.2.2 Static roles8.2.3 Determining user roles8.2.4 Dynamic roles8.3 Attribute-based access control8.3.1 Combining decisions8.3.2 Implementing ABAC decisions8.3.3 Policy agents and API gateways8.3.4 Distributed policy enforcement and XACML8.3.5 Best practices for ABACAnswers to pop quiz questionsSummary
9.1 Capability-based security9.2 Capabilities and REST9.2.1 Capabilities as URIs9.2.2 Using capability URIs in the Natter API9.2.3 HATEOAS9.2.4 Capability URIs for browser-based clients9.2.5 Combining capabilities with identity9.2.6 Hardening capability URIs9.3 Macaroons: Tokens with caveats9.3.1 Contextual caveats9.3.2 A macaroon token store9.3.3 First-party caveats9.3.4 Third-party caveatsAnswers to pop quiz questionsSummary
10.1 Microservice APIs on Kubernetes10.2 Deploying Natter on Kubernetes10.2.1 Building H2 database as a Docker container10.2.2 Deploying the database to Kubernetes10.2.3 Building the Natter API as a Docker container10.2.4 The link-preview microservice10.2.5 Deploying the new microservice10.2.6 Calling the link-preview microservice10.2.7 Preventing SSRF attacks10.2.8 DNS rebinding attacks10.3 Securing microservice communications10.3.1 Securing communications with TLS10.3.2 Using a service mesh for TLS10.3.3 Locking down network connections10.4 Securing incoming requestsAnswers to pop quiz questionsSummary
11.1 API keys and JWT bearer authentication11.2 The OAuth2 client credentials grant11.2.1 Service accounts11.3 The JWT bearer grant for OAuth211.3.1 Client authentication11.3.2 Generating the JWT11.3.3 Service account authentication11.4 Mutual TLS authentication11.4.1 How TLS certificate authentication works11.4.2 Client certificate authentication11.4.3 Verifying client identity11.4.4 Using a service mesh11.4.5 Mutual TLS with OAuth211.4.6 Certificate-bound access tokens11.5 Managing service credentials11.5.1 Kubernetes secrets11.5.2 Key and secret management services11.5.3 Avoiding long-lived secrets on disk11.5.4 Key derivation11.6 Service API calls in response to user requests11.6.1 The phantom token pattern11.6.2 OAuth2 token exchangeAnswers to pop quiz questionsSummary
12.1 Transport layer security12.1.1 Datagram TLS12.1.2 Cipher suites for constrained devices12.2 Pre-shared keys12.2.1 Implementing a PSK server12.2.2 The PSK client12.2.3 Supporting raw PSK cipher suites12.2.4 PSK with forward secrecy12.3 End-to-end security12.3.1 COSE12.3.2 Alternatives to COSE12.3.3 Misuse-resistant authenticated encryption12.4 Key distribution and management12.4.1 One-off key provisioning12.4.2 Key distribution servers12.4.3 Ratcheting for forward secrecy12.4.4 Post-compromise securityAnswers to pop quiz questionsSummary
13.1 Authenticating devices13.1.1 Identifying devices13.1.2 Device certificates13.1.3 Authenticating at the transport layer13.2 End-to-end authentication13.2.1 OSCORE13.2.2 Avoiding replay in REST APIs13.3 OAuth2 for constrained environments13.3.1 The device authorization grant13.3.2 ACE-OAuth13.4 Offline access control13.4.1 Offline user authentication13.4.2 Offline authorizationAnswers to pop quiz questionsSummary
A.1 Java and MavenA.1.1 macOSA.1.2 WindowsA.1.3 LinuxA.2 Installing DockerA.3 Installing an Authorization ServerA.3.1 Installing ForgeRock Access ManagementA.4 Installing an LDAP directory serverA.4.1 ForgeRock Directory Services
B.1 MacOSB.1.1 VirtualBoxB.1.2 MinikubeB.2 LinuxB.2.1 VirtualBoxB.2.2 MinikubeB.3 WindowsB.3.1 VirtualBoxB.3.2 Minikube

Content preview from API Security in Action

6 Self-contained tokens and JWTs

This chapter covers

Scaling token-based authentication with encrypted client-side storage
Protecting tokens with MACs and authenticated encryption
Generating standard JSON Web Tokens
Handling token revocation when all the state is on the client

You’ve shifted the Natter API over to using the database token store with tokens stored in Web Storage. The good news is that Natter is really taking off. Your user base has grown to millions of regular users. The bad news is that the token database is struggling to cope with this level of traffic. You’ve evaluated different database backends, but you’ve heard about stateless tokens that would allow you to get rid of the database entirely. Without a database slowing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Advanced API Security: OAuth 2.0 and Beyond

Prabath Siriwardena

Spring Security in Action

Laurentiu Spilca

Logging in Action

Phil Wilkins

Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE

Prabath Siriwardena

Publisher Resources

ISBN: 9781617296024Supplemental Content Publisher Support Other Publisher Website Supplemental Content Purchase Link