Web APIs

Licence for this work

This work is produced by John Häggerud for the course 1DV527 at Linnaeus University.

All content in this work excluding photographs, icons, picture of course litterature and Linnaeus University logotype and symbol, is licensied under a
Creative Commons Attribution 4.0 International License.

You are free to

• copy and redistribute the material in any medium or format
• spread the whole or parts of the content
• show the whole or parts of the content publicly and digital
• convert the content to another format
• change the content

If you change the content do not use the photographs, icons, picture of the course literature or Linnaeus University logotype and symbol in your new work!

At all times you must give credit to: ”Linnaeus university – Server-based Web Programming (1DV023/1DV523)” with the link https://coursepress.lnu.se/kurs/serverbaserad-webbprogrammering/ and to the Creative Common-license above.

Content

• Web APIs - Security
  • Attack vectors
  • Authentication/Authorization for APIs
    • HTTP-based
    • Token-based, JWT
    • OAuth 2, Open ID Connect
• Some about
  • Rate limit
  • Filtering/Partial response
  • Versioning
  • Web hooks

Attack vectors - Web APIs

• New technology, old threats
  • Injections, XSS, CSRF...be suspicious!
    • FIEO, Filter input, escape output
  • JSON Schema (http://json-schema.org/)
• HTTPS everywhere!
  • When traffic goes over public nets
• Long lived tokens/passwords/"sessions"
  • Replay attacks
• Authentication/Authorization
  • Protecting resources
  • Stateless? Sessions? Patterns?

Authentication

• 401 Unauthorized
• "You failed to log in, Please try again!"

Authorization

• 403 Forbidden
• "(Maybe) I know who you are but you are not allowed here. Please go away and do not bother me anymore on this URL"

Strategies - AuthN, AuthZ

• Open and public! Read-only!
• HTTP Authentication
• Token-based authentication
• API keys?
• OAuth 2.0 , OpenID Connect
• (Kerberos, Public key, WS-Trust, SAML)

HTTP Basic authentication

Simple, standard, Supported by most technologies

  // Header from Server - A challenge
  401 Unauthorized HTTP/1.1
  WWW-Authenticate: Basic realm="my api"

  // Header from client
  Authorization: Basic Kl52osuDS3DH6H12JDe543

base64-encoding of username/password - not encrypted!!!

HTTP Digest authentication

Token-based solutions

• Avoid sending in URL - There are logging proxies out there
• Use custom header or Authorization header (Bearer)
• Time limit
• Avoid resending username:password each time

API keys

IP84UTvzJKds1Jomx8gIbTXcEEJSUilGqpxCcmnx

• Authentication/Authorization?
  • vs. username/password
  • long-lived?
  • Easy to leak public?
  • "API keys are not API security"
• Track how the API is being used
  • Use API keys for identification and analytics
  • Rate limit
  • Easy to revoke/renew

More about tokens...

JWT ["jot"]

• JSON Web Token
• Industry standard RFC 7519
• Part of "JSON Identity Suite"
  • JWE - Encryption
  • JWA - Algorithms
  • JWK - a JSON data structure that represents a cryptographic key
  • JWS - For signing arbitrary data (information hasn't changed since signed).
• JWTs are self-contained - Carry all info in it self
  • "JSON", great language support
  • Every one can see the info (if not encrypted JSON Web Encryption (JWE))
    • Protected from manipulation
  • Could use multiple JWTs

• Header
• Payload
• Signature

First two is JSON! - but base64encoded

Header

base64encode on the above will get you the first part of the JWT.

Payload

base64encode on the above will get you the middle part of the JWT. Can be read by the client! No sensitive data please!

Payload - registered claims

• iss
  • Issuer. Identifies the party that issued the JWT
• sub
  • Subject. Identifies the party that this JWT carries information about
• aud
  • Audience. Identifies for which this JWT is for
• exp
  • Expire. Number with specific timestamp as defined by POSIX-UNIX-date (sec since 1970-01-01 00:00)
• nbf
  • Not before. Timestamp from when to be valid
• iat
  • issued at. When the JWT was issued
• jti
  • JWT ID. A unique identifier for this JWT

Signature

let encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
let signature = HMACSHA256(encodedString, 'secret');

• Secret only known by the server (so it could validate the content)

https://jwt.io/#debugger

OAuth 2

• OAuth is not for Authorization
• OAuth is not for Authentication
• OAuth is a access delegation framework
  • Reduction of sharing credentials with third parts
  • Revoke of access on application level
  • Scopes
  • Access token, refresh token

OAuth 2 - Parts

• Resource Owner - User
• Client - Third-part app, using the API on behalf of the user
• Resource Server - The API, where users data live
• Authorization Server - Where users credentials live

OAuth 2 - Code flow

OpenID Connect

• An standardized authentication protocol based on the OAuth 2.0
  • "Turns many SHOULD into MUST"
• Also get a ID Token (JWT) with info about the identity of the end-user
  • When you want to know more about the user, customize the user experience

Things to think about

• Rate limit
• Versioning
• Partial response
• Web Hooks

Rate Limit

Limit the number of request to the API

• X-RateLimit-Limit - Number of calls during the time slot
• X-RateLimit-Remaining - Number of remaining calls
• X-RateLimit-Reset - Time when the call counter will be reseted
  • Epoch-/POSIX-/UNIXtid
• 429 Too Many Requests

Versioning

GET http://www.api.example.com/v1/products
GET http://www.api.example.com/v2/products

vs.

Accept: application/vnd.coursepress-data+json;version=2.0
Accept: application/vnd.github.v3+json

vs.

HATEOAS

Filtering/Partial response

/users/thajo:(firstname,lastname,email)
/users/thajo?fields=firstname,lastname,email

I http-protokollet finns Content-Range men...

/users?page=3&rpp=25
/users?start=100&count=25
/users?offset=100&limit=25
{
  "prev": "/api/users/?offset=0&limit=25",
  "next": "/api/users/?offset=50&limit=25"
}

Web Hooks

• Server-to-server
• Publish / Subscribe