Red Hat 3scale API Management - Security Overview
API SECURITY
Evolution of API Security
OAUTH 2.0
From 20,000 FT
OAUTH 2.0
Terminology
OAUTH 2.0
Grant / Flow Types
OPENID CONNECT
Overview
OPENID CONNECT
Layered Security Standards
OPENID CONNECT
Vs OAuth 2.0
OAuth 2.0 is an open standard for authorization (RFC 6749), not for authentication. Confusingly, OAuth 2.0 is also the basis for OpenID Connect, which adds an identity layer on top of it. OAuth 2.0 provides secure delegated access: an application, called a client, can take actions or access resources on a resource server on behalf of a user without the user sharing their credentials with the application. OpenID Connect extends this with the ID Token, a signed statement from the identity provider about who logged in, so the client learns the user's identity rather than merely obtaining an access token.
OPENID CONNECT
ID Token
02-06-2019
JWT (“JOT”)
To The Rescue
RED HAT 3SCALE API MANAGEMENT
System Architecture
System architecture (diagram): Developer Apps and Mobile Apps call the API Gateway, which performs policy enforcement; the API Manager handles configuration/authorization of the gateway and policy management; the Identity Provider (IdP), RH SSO in the slides that follow, issues the tokens the gateway enforces.
RED HAT 3SCALE API MANAGEMENT
Gateway Operations
Gateway operations (diagram): the gateway obtains the IdP's public key so that it can verify token signatures itself.
AUTHORIZATION CODE FLOW
COMPLETE EXCHANGE
AUTHORIZATION CODE FLOW
An Orientation
Participants (diagram legend): the Browser (the user's agent), the Application (the OAuth 2.0 client), the API Service Gateway (the resource server) and RH SSO (the authorization server).
AUTHORIZATION CODE FLOW
#0 - 3scale API Gateway Gets RH SSO Public Key On Configuration Load
Gateway to RH SSO: GET /auth/realms/{realm} (the realm endpoint returns the realm's public key, which the gateway caches for local signature checks)
AUTHORIZATION CODE FLOW
#1 - User Starts Using The Web App
AUTHORIZATION CODE FLOW
#2 - The Application Introduces RH SSO
Browser (redirected by the application) to RH SSO: GET /auth/realms/{realm}/protocol/openid-connect/auth
AUTHORIZATION CODE FLOW
#3 - RH SSO Forwards To Login Form
AUTHORIZATION CODE FLOW
#4 - The User Logs Into RH SSO
AUTHORIZATION CODE FLOW
#5 - RH SSO Forwards To Consent Page
Diagram legend for the consent step: User; Screen (the browser); Identity Provider (RH SSO); API Management (the API Manager).
AUTHORIZATION CODE FLOW
#6 - The User Consents
AUTHORIZATION CODE FLOW
#7 - RH SSO Redirects To Application And Sends An Auth Code
AUTHORIZATION CODE FLOW
#7.1 - The Temp Auth Code
● Is used to acquire an access token, not an "access code".
● Think of this as being a cloakroom ticket: it can be used once only, and only by the client it was issued to, to acquire a bearer token.
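The cloakroom-ticket property above, as an added example in Go (not code from the slides, RH SSO or 3scale): a hypothetical token endpoint stores each code with the client_id and redirect_uri it was issued for, deletes it the moment it is presented, and refuses replays, redemption by another client, redemption at another redirect_uri, and expired codes. The names AuthServer, IssueCode and Exchange, the one-minute lifetime and the opaque random string standing in for the access token are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// codeRecord is what the authorization server remembers about one outstanding
// code: the client it was issued to, the redirect_uri it was sent to, the user
// who consented, and when the code stops being valid.
type codeRecord struct {
	clientID, redirectURI, sub string
	expires                    time.Time
}

// AuthServer is a hypothetical stand-in for the RH SSO authorization and token
// endpoints. Codes live in an in-memory map keyed by the code itself; Now is
// injectable so that expiry can be exercised without sleeping.
type AuthServer struct {
	codes map[string]codeRecord
	Now   func() time.Time
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]codeRecord{}, Now: time.Now}
}

// randomToken returns 128 bits from the CSPRNG, base64url-encoded.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// IssueCode is step #7: after consent, mint a random, short-lived code bound to
// the client_id and redirect_uri that appeared in the authorization request.
func (a *AuthServer) IssueCode(clientID, redirectURI, sub string) string {
	code := randomToken()
	a.codes[code] = codeRecord{clientID, redirectURI, sub, a.Now().Add(time.Minute)}
	return code
}

// Exchange is step #8 seen from the token endpoint: the cloakroom ticket is
// redeemed. The code is deleted before any check runs, so a second presentation
// fails even when the first one failed, and a code captured from the redirect
// cannot be redeemed by a different client or at a different redirect_uri
// (RFC 6749, section 4.1.3).
func (a *AuthServer) Exchange(code, clientID, redirectURI string) (string, error) {
	rec, ok := a.codes[code]
	delete(a.codes, code)
	if !ok || rec.clientID != clientID || rec.redirectURI != redirectURI || a.Now().After(rec.expires) {
		return "", errors.New("invalid_grant")
	}
	// A real token endpoint would mint the signed JWT of slide #9 for rec.sub
	// here; an opaque random string stands in for the access token.
	return randomToken(), nil
}

func main() {
	sso := NewAuthServer()
	code := sso.IssueCode("4d652406", "https://app.example/callback", "testuser") // client_id from slide #9.3
	if _, err := sso.Exchange(code, "4d652406", "https://app.example/callback"); err != nil {
		panic("first redemption should succeed")
	}
	if _, err := sso.Exchange(code, "4d652406", "https://app.example/callback"); err == nil {
		panic("the ticket was already used")
	}
}
```

Deleting the code before the checks, rather than only on success, is the detail that matters: an attacker who races or guesses the client binding gets one attempt, and that attempt burns the ticket for the legitimate client too, which is the safe failure.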
AUTHORIZATION CODE FLOW
#8 - The Web App Calls The Token Endpoint
Web application to RH SSO (back channel, with the authorization code): POST /auth/realms/{realm}/protocol/openid-connect/token
AUTHORIZATION CODE FLOW
#9 - RH SSO Sends A Valid Bearer Token
AUTHORIZATION CODE FLOW
#9.1 - The Bearer Token
"A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can" (RFC 6750, section 1.2). Possession is the only proof: whoever obtains the token, from a log line, a leaked header or an intercepted request, can use it until it expires, which is why bearer tokens must only travel over TLS and should be short-lived.
AUTHORIZATION CODE FLOW
#9.2 - The Bearer Token
Authorization: Bearer
QXV0aG9yaXphdGlvbjogQmVhcmVyIA0Kew0KICJqdGkiOiAiYmNiMTFmNDktZTZhZS00NGNhLWIwNzctMzc5MjU5NGYw
ZDk4IiwNCiAiZXhwIjogMTQ5NTI3MjczOSwNCiAibmJmIjogMCwNCiAiaWF0IjogMTQ5NDMyMjMzOSwNCiAiaXNzIjog
Imh0dHA6Ly8wOTY2ZWExZi5uZ3Jvay5pby9hdXRoL3JlYWxtcy9mb3VybWFya3MiLA0KICJhdWQiOiAiNGQ2NTI0MDYi
LA0KICJzdWIiOiAiZDIwZGM0MTUtNzUyZi00YTc5LWEzYTgtNTJlOTVlYTZkZWM2IiwNCiAidHlwIjogIkJlYXJlciIs
DQogImF6cCI6ICI0ZDY1MjQwNiIsDQogInNlc3Npb25fc3RhdGUiOiAiNTVhODQzMjktY2Y2ZC00YjliLWJhOGYtYWJh
MDM3NjRjMjFjIiwNCiAiY2xpZW50X3Nlc3Npb24iOiAiYmYxYTA3MzktYTM5Yy00NTE1LTljMDAtNzhlMTgyNmI4ZDM2
IiwNCiAiYWxsb3dlZC1vcmlnaW5zIjogWw0KICAiaHR0cHM6Ly93d3cuZ2V0cG9zdG1hbi5jb20iDQogXSwNCiAicmVh
bG1fYWNjZXNzIjogew0KICAicm9sZXMiOiBbDQogICAiYWNjZXNzX215X3Jlc291cmNlIg0KICBdDQogfSwNCiAicmVz
b3VyY2VfYWNjZXNzIjogew0KICAiYWNjb3VudCI6IHsNCiAgICJyb2xlcyI6IFsNCiAgICAibWFuYWdlLWFjY291bnQi
LA0KICAgICJ2aWV3LXByb2ZpbGUiDQogICBdDQogIH0NCiB9LA0KICJuYW1lIjogInRlc3QgdXNlciIsDQogInByZWZl
cnJlZF91c2VybmFtZSI6ICJ0ZXN0dXNlciIsDQogImdpdmVuX25hbWUiOiAidGVzdCIsDQogImZhbWlseV9uYW1lIjog
InVzZXIiLA0KICJlbWFpbCI6ICJ0ZXN0QGJsYWguY29tIg0KfQ0K
Accept: */*
Postman-Token: 86b86d4a-8369-40af-8612-9f0d3589fdfb
Cf-Ray: 35c3a94bb1ac35ae-LHR
X-3Scale-Proxy-Secret-Token: Shared_secret_sent_from_proxy_to_API_backend_169ad455fe40801e
The header value shown above is, for readability, the plain base64 of the decoded claims; a real RH SSO access token is a compact JWT of three base64url parts (header.payload.signature) and is accepted on the strength of its signature, not because it decodes. X-3Scale-Proxy-Secret-Token is the shared secret the gateway adds so that the backend can tell the request came through 3scale; like the bearer token, it must stay out of logs and never reach the client.
AUTHORIZATION CODE FLOW
#9.3 - The Bearer Token
Authorization: Bearer
Base64-decoding the value (it is encoded, not encrypted, so anyone holding the token can read every claim) gives:
{
 "jti": "bcb11f49-e6ae-44ca-b077-3792594f0d98",
 "exp": 1495272739,
 "nbf": 0,
 "iat": 1494322339,
 "iss": "http://0966ea1f.ngrok.io/auth/realms/fourmarks",
 "aud": "4d652406",
 "sub": "d20dc415-752f-4a79-a3a8-52e95ea6dec6",
 "typ": "Bearer",
 "azp": "4d652406",
 "session_state": "55a84329-cf6d-4b9b-ba8f-aba03764c21c",
 "client_session": "bf1a0739-a39c-4515-9c00-78e1826b8d36",
 "allowed-origins": [
  "https://www.getpostman.com"
 ],
 "realm_access": {
  "roles": [
   "access_my_resource"
  ]
 },
 "resource_access": {
  "account": {
   "roles": [
    "manage-account",
    "view-profile"
   ]
  }
 },
 "name": "test user",
 "preferred_username": "testuser",
 "given_name": "test",
 "family_name": "user",
 "email": "test@blah.com"
}
Notice the role information in realm_access and resource_access, which is what downstream authorization decisions are made on. exp and nbf bound the validity window, iss names the issuing realm, and aud/azp name the 3scale application (client_id 4d652406) the token was issued to.
AUTHORIZATION CODE FLOW
#9.4 - The Bearer Token
Server.
claims.
AUTHORIZATION CODE FLOW
#9.5 - Web App Submits The Access Token To Get User Info (Optional)
Web application to RH SSO, presenting the access token: GET /realms/{realm}/protocol/openid-connect/userinfo
AUTHORIZATION CODE FLOW
#9.6 - Web App Receives UserInfo
AUTHORIZATION CODE FLOW
#10 - Web App Submits The Bearer Token
Web application to API Gateway: GET gateway.com/api/catalog with the access token in the request header
Authorization: Bearer {token}
The header name is Authorization; a token sent under any other name (Authentication, for instance) is simply not seen by the gateway.
AUTHORIZATION CODE FLOW
#10.1 - Gateway Verifies Token
Gateway: verifies the JWT locally (signature against the RH SSO public key fetched in step #0, plus the token's claims) without calling RH SSO.
AUTHORIZATION CODE FLOW
#10.2 - Gateway Requests Auth To API Manager
Gateway to API Manager: GET /transactions/authrep.xml (authorize the application and report its usage in one call)
AUTHORIZATION CODE FLOW
#10.3 - API Manager Response “Authorized”
API Manager to Gateway: HTTP 200 { authorized }
AUTHORIZATION CODE FLOW
#10.4 - Gateway Calls Backend API
Gateway to backend: backend.com/buystuff (the original request, forwarded upstream now that the token and the application have both been checked)
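The gateway side of steps #0, #10 and #10.1, as an added example in Go rather than the slides' or APIcast's own code: SignRS256 plays the RH SSO role from step #9 and mints a compact RS256 JWT carrying the claims of slide #9.3 under a freshly generated stand-in for the realm key; Gateway.Verify does what the 3scale gateway does with the public key it fetched in step #0: check the Authorization scheme, pin the algorithm so that a header claiming alg=none or HS256 is rejected before anything else, verify the signature, and only then compare iss, aud/azp and the exp/nbf window against the 3scale application's client_id. The Claims and Gateway types, the injectable clock and the use of PKCS#1 v1.5 with SHA-256 (which is what RS256 means) are the example's own assumptions; the real gateway fetches the key over HTTP and still calls authrep (step #10.2) after this check, which is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of the RH SSO access-token claims shown on slide #9.3.
type Claims struct {
	Iss         string              `json:"iss"`
	Aud         string              `json:"aud"`
	Azp         string              `json:"azp"`
	Exp         int64               `json:"exp"`
	Nbf         int64               `json:"nbf"`
	RealmAccess map[string][]string `json:"realm_access"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 plays the RH SSO side of step #9: it builds the compact JWT
// b64url(header).b64url(claims).b64url(signature) with the realm's private key.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(pl)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64(sig), err
}

// Gateway is a hypothetical stand-in for the 3scale API gateway: Key is the realm
// public key cached at configuration load (step #0), ClientID the client_id of the
// 3scale application the token must have been issued to, Now an injectable clock.
type Gateway struct {
	Issuer, ClientID string
	Key              *rsa.PublicKey
	Now              func() time.Time
}

// Verify is step #10.1: check the bearer token locally, without calling RH SSO.
// Nothing inside the token is acted on until the signature has been checked with
// the pinned algorithm; only then are iss, aud/azp and the time window examined.
func (g *Gateway) Verify(authorization string) (*Claims, error) {
	if !strings.HasPrefix(authorization, "Bearer ") {
		return nil, errors.New("missing bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(authorization, "Bearer "), ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, e1 := dec(parts[0])
	plJSON, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(plJSON, &c) != nil {
		return nil, errors.New("malformed JWT")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	now := g.Now().Unix()
	switch {
	case hdr.Alg != "RS256": // pin the algorithm; never let alg=none or HS256 in the header choose the verifier
		return nil, errors.New("unsupported alg")
	case rsa.VerifyPKCS1v15(g.Key, crypto.SHA256, sum[:], sig) != nil:
		return nil, errors.New("bad signature")
	case c.Iss != g.Issuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != g.ClientID && c.Azp != g.ClientID:
		return nil, errors.New("token not issued to this application")
	case now >= c.Exp || now < c.Nbf:
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)                  // stand-in for the realm key
	issuer := "http://0966ea1f.ngrok.io/auth/realms/fourmarks" // iss value from slide #9.3
	gw := &Gateway{Issuer: issuer, ClientID: "4d652406", Key: &key.PublicKey, Now: time.Now}
	tok, _ := SignRS256(key, Claims{Iss: issuer, Aud: "4d652406", Azp: "4d652406",
		Exp: time.Now().Unix() + 300, RealmAccess: map[string][]string{"roles": {"access_my_resource"}}})
	if _, err := gw.Verify("Bearer " + tok); err != nil {
		panic(err)
	}
}
```

Two caveats for anyone adapting this: Keycloak can emit aud as a JSON array when several audiences are mapped to a client, so a production verifier has to accept both the string and the array form; and the realm key can be rotated, so the cached key needs a refresh path (APIcast reloads it with its configuration) rather than being fetched exactly once.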
THANK YOU