词条 | Web API security |
释义 |
Web API security entails authenticating programs or users who are invoking a web API. With ease of API integrations comes the difficult part of ensuring proper AUTHN (authentication) and AUTHZ (authorization). In a multitenant environment, proper security controls need to be put in place to only allow access on "need to have access basis" based on proper AUTHN and AUTHZ. Appropriate AUTHN schemes enable producers (API's or services) to properly identify consumers (clients or calling programs) and to evaluate their access level (authz). In other words, can a consumer invoke a particular method (business logic) based on credentials presented? "Interface design flaws are widespread, from the world of crypto processors through sundry embedded systems right through to antivirus software and the operating system itself."[1]Method of authentication and authorizationMost common methods for authentication and authorization include.
The above methods provide different level of security and ease of integration. Oftentimes, the easiest method of integration also offers weakest security model. Static stringsIn static strings method, the API caller or client embeds a string as a token in the request. This method is often referred as basic authentication. "From a security point of view, basic authentication is not very satisfactory. It means sending the user's password over the network in clear text for every single page accessed (unless a secure lower-level protocol, like SSL, is used to encrypt all transactions). Thus the user is very vulnerable to any packet sniffers on the net."[3] Dynamic tokensWhen an API is protected by a dynamic token, there is a time-based nonce inserted into the token. The token has a time to live (TTL) after which the client must acquire a new token. The API method has a time check algorithm, and if the token is expired, the request is forbidden. "An example of such token is JSON Web Token. The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing."[4] User-delegated tokenThis type of token is used in three-legged systems where an application needs to access an API on behalf of a user. Instead of revealing user id and password to the application, a user grants a token which encapsulates users permission for the application to invoke the API. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.[5] References1. ^{{Cite web|url = https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c18.pdf|title = API Attacks|date = |accessdate = |website = |publisher = |last = |first = }} 2. ^{{Cite web|title = OAuth 2.0 — OAuth|url = http://oauth.net/2/|website = oauth.net|accessdate = 2015-10-10}} 3. ^{{Cite web|title = A Guide to Web Authentication Alternatives: Part 2|url = http://unixpapa.com/auth/basic.html|website = unixpapa.com|accessdate = 2015-10-10}} 4. ^{{Cite web|title = JSON Web Token (JWT)|url = https://tools.ietf.org/html/rfc7519|website = tools.ietf.org|accessdate = 2015-10-10|first = Bradley|last = John|first2 = Sakimura|last2 = Nat|first3 = Jones|last3 = Michael}} 5. ^{{Cite web|title = The OAuth 2.0 Authorization Framework|url = https://tools.ietf.org/html/rfc6749|website = tools.ietf.org|accessdate = 2015-10-11|first = Dick |last = Hardt}} 1 : Transport Layer Security |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。