Red Hat 3scale API Management - Security Overview


API SECURITY
Evolution of API Security

Naked API -> Simple API Keys -> Federated Access Control

The Authentication Granddaddy - Basic Auth


API SECURITY
Top Schemes

Most API Management platforms support the following security schemes:

● API Key: a single token string
● APP ID / APP Key (Basic Auth): two token strings, i.e. username and password
● OAuth: authentication framework to delegate access
● OpenID Connect (OIDC): a simple identity layer on top of the OAuth framework
OAUTH 2.0
From 20,000 FT

OAuth (Open Authorization) is an open standard for access delegation:

● One service can request access to resources on another service on behalf of the user.

Published October 2012

[Diagram: the User owns the Resources and authorizes the Client; the Client accesses the Resources.]
OAUTH 2.0
Terminology

● Resource Owner: generally yourself.
● Resource Server: server hosting protected data (for example Google hosting your profile).
● Client: application requesting access to a resource server (e.g. a mobile application).
● Authorization Server: server issuing a token to the client. This token will be used by the client to request the resource server.
OAUTH 2.0
Grant / Flow Types

● Authorization Code Flow: the most secure and most used. A user logs into the Identity server and grants the Application access to retrieve their data.
● Client Credentials Flow: only Application data is passed, in a single request for an Access Token.
● Implicit Flow: the user logs in but the secret is not passed.
● Resource Owner Password Flow: Application, username and password data are passed in a single request for an Access Token.
OPENID CONNECT
Overview

● Built on top of the OAuth 2.0 protocol
● Allows clients to verify the identity of an end user and obtain basic profile information
● RESTful HTTP API, using JSON as a data format
● Like SAML, but not just webpage centric and easier to implement.
OPENID CONNECT
Layered Security Standards

● OpenID Connect: specifies JWT for the token, and some extensions
● OAuth flows: core delegation flows. Lots of flexibility (perhaps too much?)
● Tokens: wide variety of token and encryption standards
OPENID CONNECT
Vs OAuth 2.0

OpenID is an open standard for authentication. A user must obtain an OpenID account through an OpenID identity provider (for example, Google). The user will then use that account to sign into any website (the relying party) that accepts OpenID authentication.

OAuth 2.0 is an open standard for authorization. Confusingly, OAuth 2.0 is also the basis for OpenID Connect. OAuth 2.0 provides secure delegated access, meaning that an application, called a client, can take actions or access resources on a resource server on behalf of a user, without the user sharing their credentials with the application.
OPENID CONNECT
ID Token

● Provides identity information to the application from the Authority Server
● Base64 encoded - easy to work with.

[Sample ID token card: Name: John Doe; Type: Employee; Issued by: Company; Expiration Date: 02-06-2019]
JWT (“JOT”)
To The Rescue

● Signed by an algorithm and verified only by the correct key
● Contains the user identity in the form of claims (private, public, reserved)
● For OIDC purposes, SSO is widely adopted in consumer/enterprise apps
● Eliminates the need to look up against a central access control list
RED HAT 3SCALE API MANAGEMENT
System Architecture

[Architecture diagram with the following components: API Gateway (Policy Enforcement); API Manager (Policy Management, Config / Authorize, Real Time); API Backend; Admin Portal; Branded Dev Portal with Swagger Doc; Developer Apps; Mobile Apps; Identity Provider (IdP).]
RED HAT 3SCALE API MANAGEMENT
Gateway Operations

● Checks the timestamp for an ‘expired’ token.
● Checks that the client_id is still valid.
● Performs a check on the signature of the JWT using the RH SSO public key.
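The three gateway checks above, as an added example in Go (not 3scale's or APIcast's own code), which also covers the JWT properties on slides 11 and 30. It assumes RH SSO signs tokens with RS256 and that the `azp` claim carries the client_id, as in the decoded token on slide 29; `NewIdPKey` and `MintRS256` stand in for the IdP so the block runs offline, and `VerifyAtGateway` is the part a gateway would run.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims is the subset of the RH SSO token that the gateway checks (names as in the decoded token on slide 29).
type Claims struct {
	Exp int64  `json:"exp"` // expiry, seconds since the epoch
	Azp string `json:"azp"` // the client_id the token was issued to
}
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// NewIdPKey generates the key pair RH SSO would hold; the gateway only ever sees the public half.
func NewIdPKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// MintRS256 plays the IdP: it signs the claims with the private key (used here only to build sample tokens).
func MintRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAtGateway runs the slide 13 checks with nothing but the IdP public key: signature, expiry, client_id.
func VerifyAtGateway(tok string, pub *rsa.PublicKey, validClients map[string]bool, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	raw := make([][]byte, 3) // decoded header, claims, signature
	for i, p := range parts {
		if b, err := b64.DecodeString(p); err != nil { return nil, err } else { raw[i] = b }
	}
	// The token never gets to pick the algorithm: anything but RS256 is rejected before the key is used.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" { return nil, errors.New("alg is not RS256") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil { return nil, errors.New("bad signature: payload not trusted") }
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil { return nil, errors.New("claims unreadable") }
	if now >= c.Exp { return nil, errors.New("token expired") }
	if !validClients[c.Azp] { return nil, errors.New("client_id is no longer valid") }
	return &c, nil
}
```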
AUTHORIZATION CODE FLOW
COMPLETE EXCHANGE

AUTHORIZATION CODE FLOW
An Orientation

[Sequence diagram used by every step that follows. Lanes: User (Browser), which the diagram labels Resource Owner; Application (Server Side Applications), labelled Client; Identity Provider (RH SSO), labelled Authorization Server; API Management (API Manager, API Gateway, API Service), labelled Resource Server.]
AUTHORIZATION CODE FLOW
#0 - 3scale API Gateway Gets RH SSO Public Key On Configuration Load

API Gateway -> RH SSO: GET /auth/realms/{realm}
AUTHORIZATION CODE FLOW
#1 - User Starts Using The Web App

Browser -> Application: GET onlinestore.com/catalog.html
AUTHORIZATION CODE FLOW
#2 - The Application Introduces RH SSO

Browser -> RH SSO: GET /auth/realms/{realm}/protocol/openid-connect/auth
AUTHORIZATION CODE FLOW
#3 - RH SSO Forwards To Login Form

RH SSO -> Browser: Login Page
AUTHORIZATION CODE FLOW
#4 - The User Logs Into RH SSO

Browser -> RH SSO: POST {username / password}
AUTHORIZATION CODE FLOW
#5 - RH SSO Forwards To Consent Page

RH SSO -> Browser: Consent Screen
AUTHORIZATION CODE FLOW
#6 - The User Consents

Browser -> RH SSO: POST {consent}
AUTHORIZATION CODE FLOW
#7 - RH SSO Redirects To Application And Sends An Auth Code

RH SSO -> Browser -> Application: GET { redirect_uri, code, state }
AUTHORIZATION CODE FLOW
#7.1 - The Temp Auth Code

● Is used to acquire an access token.
● Think of this as being a cloakroom ticket - it can be used once only to acquire a bearer token.
AUTHORIZATION CODE FLOW
#8 - The Web App Calls The Token Endpoint

Application -> RH SSO: POST /auth/realms/{realm}/protocol/openid-connect/token
AUTHORIZATION CODE FLOW
#9 - RH SSO Sends A Valid Bearer Token

RH SSO -> Application: HTTP 200 { access_token, token_type, expires_in }
AUTHORIZATION CODE FLOW
#9.1 - The Bearer Token

"A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can"

AUTHORIZATION CODE FLOW
#9.2 - The Bearer Token

Authorization: Bearer <base64 token omitted here; its decoded form is shown on the next slide>
Accept: */*
Postman-Token: 86b86d4a-8369-40af-8612-9f0d3589fdfb
Cf-Ray: 35c3a94bb1ac35ae-LHR
X-3Scale-Proxy-Secret-Token: Shared_secret_sent_from_proxy_to_API_backend_169ad455fe40801e

What does a bearer token look like?
AUTHORIZATION CODE FLOW
#9.3 - The Bearer Token

If you base64 decode the token you get the JSON below: the token is a JWT. Notice the role information.

Authorization: Bearer
{
  "jti": "bcb11f49-e6ae-44ca-b077-3792594f0d98",
  "exp": 1495272739,
  "nbf": 0,
  "iat": 1494322339,
  "iss": "http://0966ea1f.ngrok.io/auth/realms/fourmarks",
  "aud": "4d652406",
  "sub": "d20dc415-752f-4a79-a3a8-52e95ea6dec6",
  "typ": "Bearer",
  "azp": "4d652406",
  "session_state": "55a84329-cf6d-4b9b-ba8f-aba03764c21c",
  "client_session": "bf1a0739-a39c-4515-9c00-78e1826b8d36",
  "allowed-origins": [
    "https://www.getpostman.com"
  ],
  "realm_access": {
    "roles": [
      "access_my_resource"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "test user",
  "preferred_username": "testuser",
  "given_name": "test",
  "family_name": "user",
  "email": "test@blah.com"
}
AUTHORIZATION CODE FLOW
#9.4 - The Bearer Token

● Digitally signed by the Auth Server.
● A standardised identity token.
● Contains the username and roles, but can also add custom claims.
AUTHORIZATION CODE FLOW
#9.5 - Web App Submits The Access Token To Get User Info (Optional)

Application -> RH SSO: GET /realms/{realm}/protocol/openid-connect/userinfo (with the Access Token)
AUTHORIZATION CODE FLOW
#9.6 - Web App Receives UserInfo

RH SSO -> Application: HTTP 200 { user_info }
AUTHORIZATION CODE FLOW
#10 - Web App Submits The Bearer Token

Application -> API Gateway: gateway.com/api/catalog
Header: “Authorization: Bearer {token}”
AUTHORIZATION CODE FLOW
#10.1 - Gateway Verifies Token

API Gateway: Verify JWT (the Access Token presented by the Application)
AUTHORIZATION CODE FLOW
#10.2 - Gateway Requests Auth To API Manager

API Gateway -> API Manager: GET /transactions/authrep.xml
AUTHORIZATION CODE FLOW
#10.3 - API Manager Response “Authorized”

API Manager -> API Gateway: HTTP 200 { authorized }
AUTHORIZATION CODE FLOW
#10.3 - Gateway Calls Backend API

API Gateway -> Backend API: backend.com/buystuff
THANK YOU