3. Gateway Pattern
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcement
• Centralized auditing & monitoring
• Version control
4. Six key attributes of a secure design
• Only legitimate users can access the system (authentication)
• The system won’t allow users to do anything more than what they are supposed to do (authorization)
• Confidential data can only be seen by the intended recipients, nobody else (confidentiality)
• Integrity of the transactions is protected (integrity)
• Protection against repudiation (non-repudiation)
• The system is available for legitimate users to access, all the time (availability)
9. TLS Mutual Authentication
The gateway itself does the certificate validation
Fine-grained access validations can be done by the authorization server.
curl -k --cert client.pem https://localhost:8443/recipe
(-k skips verification of the server certificate; acceptable only against a local test gateway)
15. OAuth 2.0 Tokens
Access Tokens
Bearer tokens vs. MAC tokens
TLS is a must
Pass the access token in the HTTP Authorization header
Authorization: Bearer <token>
Passing the access token as a URL query parameter: avoid this
E.g. https://www.googleapis.com/oauth2/v1/userinfo?access_token=ya29.1.
Request: Cache-Control: no-store
Response: Cache-Control: private
Shorter life-time – in minutes or hours
Do not store in cookies
Issue scoped tokens
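The handling rules on this slide, worked through as an added example (not code from the slides or from any product they describe): the client sends the token in the Authorization header with Cache-Control: no-store, and the resource server refuses a token in the query string, rejects expired tokens, and marks its response Cache-Control: private. The token store, token values and URL are constructed for the demo and stand in for a real introspection or JWT check.

```python
import time
from urllib.parse import parse_qs, urlsplit

# Constructed token store standing in for a token-introspection call or a
# JWT check.  token -> (subject, scope, absolute expiry as a Unix timestamp)
TOKEN_STORE = {
    "constructed-live-token": ("alice", "user_activities", time.time() + 3600),
    "constructed-expired-token": ("bob", "user_activities", time.time() - 60),
}


class AuthError(Exception):
    """Carries the HTTP status and RFC 6750 error code the server should return."""

    def __init__(self, status, error, description):
        super().__init__(description)
        self.status = status
        self.error = error
        self.description = description


def client_headers(token):
    """Headers a client should send: token in the Authorization header (never in
    the URL) and a request that intermediaries must not store."""
    return {"Authorization": "Bearer " + token, "Cache-Control": "no-store"}


def extract_bearer(headers, url):
    """Return the bearer token from the Authorization header.

    A token carried in the query string is refused outright rather than
    accepted as a fallback, so clients that leak tokens into URLs (and so
    into proxy logs, browser history and Referer headers) fail fast.
    """
    if "access_token" in parse_qs(urlsplit(url).query):
        raise AuthError(400, "invalid_request",
                        "send the access token in the Authorization header, not the URL")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise AuthError(401, "invalid_token", "missing or malformed bearer token")
    return token


def authenticate(headers, url, now=None):
    """Resolve the token to (subject, scope); reject unknown or expired tokens."""
    now = time.time() if now is None else now
    token = extract_bearer(headers, url)
    entry = TOKEN_STORE.get(token)
    if entry is None:
        raise AuthError(401, "invalid_token", "unknown token")
    subject, scope, expires_at = entry
    if now >= expires_at:
        raise AuthError(401, "invalid_token", "token expired")
    return subject, scope


def handle_request(url, headers, now=None):
    """Minimal resource-server handler returning (status, response_headers, body)."""
    try:
        subject, scope = authenticate(headers, url, now)
    except AuthError as e:
        # RFC 6750 section 3: the challenge tells the client what went wrong.
        challenge = 'Bearer error="%s", error_description="%s"' % (e.error, e.description)
        return e.status, {"WWW-Authenticate": challenge, "Cache-Control": "no-store"}, ""
    # Protected data must not land in shared caches.
    body = "activities visible to %s (scope %s)" % (subject, scope)
    return 200, {"Cache-Control": "private"}, body


if __name__ == "__main__":
    url = "https://api.example.test/activities"
    print(handle_request(url, client_headers("constructed-live-token")))
    print(handle_request(url + "?access_token=constructed-live-token", {}))
    print(handle_request(url, client_headers("constructed-expired-token")))
```

Rejecting the query-string form with a 400 rather than quietly accepting it is the point: a server that accepts both forms trains clients into the leaky one.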
16. OAuth 2.0 Tokens
Refresh Tokens
Must use TLS
Long-lasting
No refresh tokens under:
implicit grant type
client credentials grant type
SAML grant type
JWT grant type
17. Self-contained Access Tokens
JWT
RFC 7519
Encodes claims to be transmitted as a JSON object
Can be signed using JWS (JSON Web Signature)
Can be encrypted using JWE (JSON Web Encryption)
Represented as a sequence of URL-safe parts separated by period ('.') characters.
Each part contains a base64url-encoded value
Example (the HS256-signed JWT from RFC 7519 section 3.1)
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
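An added example (not code from the slides) that takes the JWT above apart and verifies it: split on '.', base64url-decode each part, recompute the HMAC-SHA256 over the first two parts and compare it in constant time, then check the claims. The token and the HMAC key are the ones from RFC 7515 Appendix A.1 (the same token as RFC 7519 section 3.1); the signing helper, the claims check and the "constructed-demo-key" round trip are this example's own additions.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s):
    """base64url without padding (RFC 7515 section 2): restore '=' padding, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# The slide's example token: RFC 7515 Appendix A.1 / RFC 7519 section 3.1.
RFC_TOKEN = (
    "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
    ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
    ".dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
)
# The HMAC key that signed it, from the same appendix (the "k" member of the JWK).
RFC_KEY = b64url_decode(
    "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
)


class TokenError(Exception):
    pass


def sign_hs256(claims, key):
    """Produce a compact JWS: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(mac)


def verify_hs256(token, key):
    """Check the signature and return the decoded claims; raise TokenError otherwise.

    The expected algorithm is pinned by the verifier instead of being taken
    from the token's own header, so a token announcing a different "alg"
    cannot steer the verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("a signed JWT has exactly three '.'-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as e:  # covers binascii.Error and json.JSONDecodeError
        raise TokenError("malformed token: %s" % e)
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def check_claims(claims, now, issuer=None):
    """Validate the time and issuer claims that a signature alone says nothing about."""
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("token expired at %d" % claims["exp"])
    if issuer is not None and claims.get("iss") != issuer:
        raise TokenError("unexpected issuer %r" % claims.get("iss"))
    return claims


if __name__ == "__main__":
    claims = verify_hs256(RFC_TOKEN, RFC_KEY)
    print("RFC example claims:", claims)
    try:
        check_claims(claims, now=1300819380)  # the example's exp is long past
    except TokenError as e:
        print("rejected:", e)
    fresh = sign_hs256({"iss": "demo", "exp": 2000000000}, b"constructed-demo-key")
    print("round trip:", check_claims(verify_hs256(fresh, b"constructed-demo-key"), now=1700000000))
```

Signature verification and claims validation are kept as two steps on purpose: a valid signature only proves who issued the token, while exp and iss decide whether this server should honour it now.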
26. OAuth & XACML
A given access token has a scope associated with it, and the scope governs the access token’s capabilities.
A user delegates access to his Facebook profile to a third party under the scope “user_activities”, which grants access to the user's list of activities (the activities connection). To achieve fine-grained access control, this can be represented in an XACML policy.
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
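The policy decision this slide describes, as an added example (not code from the slides): the token and resource_id shown above are resolved to subject attributes (owner, scope) and resource attributes (HTTP method, profile user, connection), and a single deny-unless-permit rule permits a GET on a user's activities connection only when the token carries "user_activities" and the profile user is the token's owner. A real deployment would express the rule in XACML and let the authorization server evaluate it; here the rule is plain Python so it can be run. The token table and the second token are constructed for the demo.

```python
import re

# Constructed view of what the authorization server knows about each token
# (the first token and user are the ones from the slide).
TOKENS = {
    "gfgew789hkhjkew87": {"owner": "prabathsiriwardena", "scope": {"user_activities"}},
    "constructed-email-only": {"owner": "prabathsiriwardena", "scope": {"email"}},
}

# One rule, mirroring the XACML policy described on the slide: a GET on
# /<user>/activities is permitted when the token carries "user_activities"
# and <user> equals the token's owner.  The named group is the resource
# attribute the condition compares against the subject attribute.
POLICY = [
    {
        "action": "GET",
        "resource": re.compile(r"^https://graph\.facebook\.com/(?P<user>[^/]+)/activities$"),
        "scope": "user_activities",
        "condition": lambda subject, resource: subject["owner"] == resource.group("user"),
    },
]


def parse_resource_id(resource_id):
    """Split 'GET https://host/path' into (action, url)."""
    action, _, url = resource_id.partition(" ")
    if not action or not url:
        raise ValueError("resource_id must be '<METHOD> <URL>'")
    return action.upper(), url


def decide(token, resource_id):
    """Deny-unless-permit: only a rule whose target and condition both match yields Permit."""
    subject = TOKENS.get(token)
    if subject is None:
        return "Deny"  # unknown or revoked token never reaches the rules
    action, url = parse_resource_id(resource_id)
    for rule in POLICY:
        if rule["action"] != action:
            continue
        match = rule["resource"].match(url)
        if match is None:
            continue
        if rule["scope"] in subject["scope"] and rule["condition"](subject, match):
            return "Permit"
    return "Deny"


if __name__ == "__main__":
    own = "GET https://graph.facebook.com/prabathsiriwardena/activities"
    other = "GET https://graph.facebook.com/someoneelse/activities"
    print("own activities, user_activities scope:", decide("gfgew789hkhjkew87", own))
    print("someone else's activities, same token:", decide("gfgew789hkhjkew87", other))
    print("own activities, email scope only:", decide("constructed-email-only", own))
```

The scope alone only says what kind of data the third party may touch; the owner-equals-user condition is the fine-grained part that scope cannot express, which is why the slide pushes it into a policy.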