REST API Security - O'Reilly · 2020. 7. 13.
TRANSCRIPT
REST API Security
Jamie Wallace, EBSCO LearningExpress
Physics
25 Years in Software
Director of Software Development
What is REST?
Security?
Solutions
Implementation
REST: REpresentational State Transfer
CRUD using HTTP verbs
Most web services only use an API key
Diagram: Request carrying a Key (Client Side) -> Request Validator API (Server Side)
Authorized client
Valid and unmodified request
No replay attacks
All users
Domain Cookie Solution
Time based One Time Password
JSON Web Token
Diagram: Request with SessionID Header and SessionID Cookie -> Validator API (Single Domain vs. Multiple Domain)
Time based One Time Password
Diagram: TOTP = HMAC(Key, Time Period)
Diagram: Request with TOTP -> Request Validator API
JSON Web Token
Diagram: JWT = Header + Payload + Signature, where Signature = HMAC(Key, Header + Payload)
Diagram: Request with JWT -> Request Validator API
Application Fingerprint
JWT with Signature Service
Diagram: Signature Service (inputs: TS, String; Key; output: HMAC Hash)
Encrypting JWT with Encryption Service
Diagram: Encryption Service (inputs: TS, String; Key; output: Encrypted or Decrypted String)
Diagram: Client Manager, Validator, Signature Service, Encryption Service, Key Store
Q & A