
Page 1: REST API Security - O'Reilly · 2020. 7. 13. · JWT . Request Validator API. Application Fingerprint. JWT with Signature Service. TS String TS 115GHI 115DEF 115ABC Key 10 20 30 HMAC

REST API Security

Jamie Wallace, EBSCO LearningExpress

Physics

25 Years in Software

Director of Software Development

What is REST?

Security?

Solutions

Implementation


REST

REpresentational State Transfer

CRUD using HTTP verbs

Most web services only use an API key

Diagram: Request (with API Key) -> Validator API

Server Side

Client Side

Authorized client

Valid and unmodified request

No replay attacks

All users

Domain Cookie Solution

Time based One Time Password

JSON Web Token

Diagram (Domain Cookie Solution): Request with SessionID, carried in a SessionID Header or a SessionID Cookie -> Validator API

Single Domain

Multiple Domain


Time based One Time Password

TOTP = HMAC(Key, Time Period)

Key + Time Period -> HMAC -> TOTP

Diagram: Request (with TOTP) -> Validator API
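Worked example added by the editor, not code from the deck: a standard-library Python TOTP implementation of the "HMAC over Key and Time Period" scheme on the slides, plus a small validator that checks the requirements listed earlier (authorized client, valid code, no replay). The per-client key dictionary, the TotpValidator class and the one-period drift allowance are assumptions for illustration; the HMAC-SHA1 dynamic truncation follows RFC 4226 / RFC 6238.

```python
import hashlib
import hmac
import struct

# Added example, not code from the deck: TOTP = HMAC(Key, Time Period),
# dynamically truncated to a short numeric code (RFC 4226 / RFC 6238).


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, truncated per RFC 4226."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: the HOTP counter is the current time period (now // step)."""
    return hotp(key, now // step, digits)


class TotpValidator:
    """Hypothetical Validator API: one shared key per client application.

    A code is accepted if it matches the current period or one period on
    either side (clock drift), and each (client, period) pair is accepted
    once, so a captured code cannot be replayed within its validity window.
    """

    def __init__(self, client_keys: dict, step: int = 30, drift: int = 1):
        self.client_keys = client_keys      # client_id -> shared secret (assumption)
        self.step = step
        self.drift = drift
        self.seen = set()                   # (client_id, period) already accepted;
                                            # a real service would expire old entries

    def validate(self, client_id: str, code: str, now: int) -> bool:
        key = self.client_keys.get(client_id)
        if key is None:
            return False                    # not an authorized client
        period = now // self.step
        for candidate in range(period - self.drift, period + self.drift + 1):
            # constant-time comparison so timing does not leak the expected code
            if hmac.compare_digest(hotp(key, candidate), code):
                if (client_id, candidate) in self.seen:
                    return False            # replay of an already-used code
                self.seen.add((client_id, candidate))
                return True
        return False                        # wrong or stale code


if __name__ == "__main__":
    # Constructed input: the RFC 6238 Appendix B test key (ASCII digits).
    key = b"12345678901234567890"
    validator = TotpValidator({"app-1": key})
    code = totp(key, now=59)
    print(code, validator.validate("app-1", code, 59))   # True: accepted
    print(code, validator.validate("app-1", code, 59))   # False: replay rejected
```

The second call with the same code inside the same period fails: that is the "No replay attacks" requirement, which a bare API key cannot give you because the key itself is the same on every request.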

JSON Web Token

JWT: Header + Payload -> HMAC (with Key) -> Signature

Token = Header . Payload . Signature

Diagram: Request (with JWT) -> Validator API

Application Fingerprint

JWT with Signature Service

Diagram: the Signature Service takes a timestamp (TS) and the String to sign, looks the TS up in a key table (TS values 115ABC, 115DEF, 115GHI; Key values 10, 20, 30), and computes the HMAC with the selected Key.

    TS + String -> TS -> Key -> HMAC -> Hash
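Worked example added by the editor, not code from the deck: the JWT slides (Header + Payload, HMAC with a Key, Signature) combined with the Signature Service flow above, where the HMAC key is selected by the time period of the signing timestamp. The KeyStore and SignatureService names, the period length, the use of the JWT `kid` header to carry the selected period, and the sample keys are all assumptions for illustration. The verifier pins the algorithm to HS256, compares signatures in constant time, and checks `exp`, which is what makes a JWT satisfy "valid and unmodified request".

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Added example, not code from the deck.


def b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyStore:
    """Hypothetical Key Store: HMAC key looked up by time period (TS -> Key table)."""

    def __init__(self, keys_by_period: Dict[int, bytes], period_seconds: int = 3600):
        self.keys_by_period = keys_by_period
        self.period_seconds = period_seconds

    def key_for_timestamp(self, ts: int) -> Tuple[int, bytes]:
        period = ts // self.period_seconds
        return period, self.keys_by_period[period]   # KeyError: no key for that period

    def key_for_id(self, kid: int) -> Optional[bytes]:
        return self.keys_by_period.get(kid)


class SignatureService:
    """Signs header.payload with HMAC-SHA256 and records which key period was used."""

    def __init__(self, store: KeyStore):
        self.store = store

    def sign(self, payload: dict, ts: int) -> str:
        kid, key = self.store.key_for_timestamp(ts)
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}   # kid = key period (assumption)
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
        signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)

    def verify(self, token: str, now: int) -> Optional[dict]:
        """Return the payload if the token is valid, unmodified and unexpired, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        h, p, s = parts
        try:
            header = json.loads(b64url_decode(h))
            given = b64url_decode(s)
        except (ValueError, binascii.Error):
            return None
        # Pin the algorithm: the verifier decides, never the token ("none", RS256...).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        try:
            key = self.store.key_for_id(int(header.get("kid")))
        except (TypeError, ValueError):
            return None
        if key is None:
            return None                                       # unknown key period
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            return None                                       # modified or forged
        try:
            payload = json.loads(b64url_decode(p))
        except ValueError:
            return None
        if (not isinstance(payload, dict)
                or not isinstance(payload.get("exp"), int)
                or payload["exp"] <= now):
            return None                                       # missing or past exp
        return payload


if __name__ == "__main__":
    # Constructed keys: period 10 and period 20 of a 100-second period length.
    store = KeyStore({10: b"key-for-period-10", 20: b"key-for-period-20"}, period_seconds=100)
    svc = SignatureService(store)
    token = svc.sign({"sub": "app-1", "exp": 1150}, ts=1050)
    print(token)
    print(svc.verify(token, now=1100))    # payload dict
    print(svc.verify(token, now=1200))    # None: expired
```

Because the key is selected by period, rotating keys means adding the next period's key to the store; tokens signed under an older period keep verifying until that key is removed, which is the retention decision the Key Store owner has to make explicitly.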

Encrypting JWT with Encryption Service

Diagram: the Encryption Service uses the same TS -> Key lookup (TS values 115ABC, 115DEF, 115GHI; Key values 10, 20, 30) and HMAC step, but returns the Encrypted or Decrypted String instead of a hash.

    TS + String -> TS -> Key -> HMAC -> Encrypted or Decrypted String

Diagram (Implementation): components Client Manager, Validator, Signature Service, Encryption Service, Key Store

Q & A