Intro to API Authentication Types Oauth, token HTTP Basic

Captions
hi my name is Matt DiNapoli I work for Deb net in the definite zone welcome to intro to API security we've been doing a lot of or we've done a lot of classes for in with regards to API and for about a year and a half or so we didn't have one that talked about actually accessing the API we just showed people how to use them and just assume that they would figure out the what I would argue is the hardest part of that so I took it upon myself and I said hey we need to get people this data so they at least understand what they're up against and how to how to figure out how to access these API that we talk so joyously about so that's what we're going to cover here today so that was my introduction so we did that already we have authentication versus authorizations there's a very distinct difference and I will tell you what that is stay tuned and then I'm going to get into different types of authentication or authorization depending on what you're talking about well we'll cover what's called basic that one's pretty easy the flex basic and then we have token authentication also very easy and then we get into OAuth which is quite secure well there are some problems to it but it's secure more secure than basic and token but it is a little bit of a challenge to get to work because and you'll see why so API security alright and afraid of no data breach maybe API czar access to data that's what they are in a nutshell if you guys came to my 101 class this morning we saw a bunch of API calls where I got a bunch of data back most of the data that we asked for was public information that's all fine and good whenever I was making the calls to spark though I was dealing with one particular user now you can imagine a scenario where someone might be able to benefit from getting access to some one spark accounts whether that be fine messages that could be incriminating or find out if you're using spark to talk about um sensitive data that might be useful to someone who has malice on 
their minds and so we need to make sure that those API is in it in addition to the applications are secure so that's a good reason the api's themselves create a lot of open and oates of potential openings for security breach it allows you to get data obviously it allows you to add and change data which could be potentially damaging and it also allows people to delete data through the API which could in some instances bring businesses crumbling down if you delete their data so we want to make sure those things are secure so that we won't run into these problems and api's use resources so sure you guys have heard of DDoS attacks y'all network engineers right so whenever an API call is made it's hitting the server it says it's taking up bandwidth and so if someone is consistently using an API I'm not getting shut out that could cause that service to go down if they'll if the loads too high so we want to make sure that that we're controlling that environment so that's why these particular security methods are in place I mentioned that we would have a discussion about authentication versus authorization so authentication is saying I am me right that is when you go into a service you log in it pulls your name back and pulls your email address it ties you to that login that's that's authentication authorization on the other hand is I'm allowed to do something so I work for Cisco when I log into Cisco system I'm allowed to do different things that you weren't Cisco employees or maybe you are but if you aren't you aren't allowed to do that's authorization and I can do that across multiple sites that are managed within Cisco and that then jumps into the next part which is Federation Federation says I'm authorized to do things here and if I'm going to another site or using a new API or something effect then I'm also trusted over here and that could be through passing a token that could be through cookie setting something to that effect so that's Federation and then Federation 
and delegation go together which is basically saying I logged into this service in I say I I could be a person or it could be an application in this instance we're talking about API so it's late most likely a system to system discussion the application is logged into a service and it's saying this service is saying I don't care what's going on over here if you're authorized to use this then you're authorized to do this so that's just delegating the the service one service to another so Federation and delegation go together all right can you read that comic or is that too far away I'm going to read it to you because I think it's funny it's email account set up to verify your identity we need to ask you a question nobody else could answer the question is where are the bodies buried and he starts the answer behind the and then he stops and he says behind the nice try and then the cops are on the other side saying huh you know oh we almost got him so the first method we're going to talk about is the basic authentication and authorization and I call it authentication and authorization because it does both those steps at the same time what it requires is that the application in question that's making the service call have a previous user ID set up on the service so that means that an administrator in some point has set up login credentials specifically for that application on that service there are potentially two ways to do it they both kind of go together the first thing is that the service or the application ask the service are tells the service I'm making the API request it could potentially come back and say I need a valid username and password and then the application sends it and if everything cool the service will send that information back that it's being asked for now it's called basic because it is a base64 encoded string that is comprised of the username : and then password and we'll see that example in a second or you can parcel it all together make the API 
call and send that basic authorization in the header that's that second part that we have at the bottom there pay service on making the API request here's my here my credentials all right cool we're all good create your data back so I'm gonna actually leverage I do a CMX talk like every day it feels like I'm gonna leverage our mobility services API to show you guys just real quickly how basic works so one second we're going to hop over to my postman client so for those of you uninitiated this is postman postman is sorry stop looking at that that's for later that was a peek into the behind the curtain the this is up a rest client allows us to test out api's without having to write code make sure that we're understanding the information that's coming back how to form the URLs what parameters the pass so in this instance I'm going to show you guys how basic authentication or basic authentication works so I want to call this API to get the map information back for a specific area that I've set up in cmx if you're not familiar with cmx it's the location services service provided our offering from Cisco basically tracking devices in a Wi-Fi space ok so you can imagine that I might need the map for some reason to be able to lay that out so that I can put these dots on a map and so the first thing I'm going to do is I'm going to make that API call to get the map the most important thing in doing this is that I want to do authorization because if I make the idea API call without any authorization we'll just run it up it didn't update my header that shouldn't be allowed well that's letting me without it let's try a different API call one second there I'm going to try to act of clients API API location v2 client oh that's let me do it too we have a bug in our system apparently you're able to call the api's without the authorization which is unfortunate but anyways had work you I would have gotten a 401 unauthorized they're saying I'm not allowed to make that API call we will 
see that when we look at the the second portion the token but anyways if this was working properly there might be something in the cache that I'm running into so we can try that out later but let's just assume that that that wasn't working actually actually look this is an invalid one let's see if it does it was okay there we go I think there was something in the cache there so this isn't a valid user on that on that service and so because I'm sending a basic auth string that is not configured in the authorization earth so this is the the authorization header we notice we have it's called basics and then this encoded string that's generated from the username and password that I put in in this space okay so that one doesn't work it tells me 401 error while authenticating which means that users not allowed now I know I'm an admin on that box so I know that there is a valid user where the username is learning and the password is learning make this a little smaller I lose all my buttons when I and I blow it up one second here there we go alright I've lost the ability to scroll in here so one sec I'm going to reload this the trials and tribulations of making the screen bigger so people can see okay cool okay let's try this again I do need to make it bigger because I know you guys can't see that I just don't want to make it too big so if I go to authorisation again I need to make sure that I'm setting that properly it doesn't automatically update in postman that's a common mistake people make I made it probably a thousand times you make sure you want to hit update request and then we see our header change to a different string value its encoding that for us we don't have to worry about doing that ourselves a lot of packages in different coding languages already have basic package in it so you usually don't have to worry about doing the encoding yourself it's a pretty wealth well understood standard something that you know everyone has used in the past so and it's old so 
now this works okay good that's what we expected hey okay any questions on that basic is basic for a reason it's pretty easy to understand so I've set up that user on that system to allow myself to do that now there's an extension to that that we call token tickets whatever you want to call it those are interchangeable terms we're going to look at the a pick a pick eeehm api's to demonstrate this particular method but basically you're sending in some manner depending on how the api is the fine username and password or some kind of credential that identifies either the person or the application as itself and again similar to the previous situation with basic that username and password is pre setup but there's an extra hand off so when you make that initial request you're asking for a token to come back and then any API call after that will be leveraging that token you're not going to send your credentials over over the wire anymore you're just going to send that token and there's a little bit added security because you can set up expiration on that token you can set rate limits on that token so it's a little more secure but it's not about that secure so we'll try that out with a pickie mapi so essentially the application makes the request and says hey here my credentials send me a token service comes back and says cool here's your token ticket whatever you want to call it back all right I'm going to start making API calls with it and then every time that service is going to validate that token until it until it expires so let's go back to postman and like I noted it doesn't really matter what API we use as long as it supports this method I know that this one in particular does it's our epic e/m API so the first thing I'm going to do is show you guys what happens when I don't have any authentication and I know this won't work because I set it up that way so it's telling me that the ticket is not recognized I'm like oh I didn't realize I needed to get a ticket what do 
I do so I look in the documentation and the documentation tells me that I need to set actually let's do it without a ticket the first way would be I don't know I needed a ticket I don't know how to authorize it tells me that it failed the bride to see a service ticket to validate so that's the first error I should see now I'm like okay I have a cert I think I have a service ticket I'm not sure how to generate it is this the right one no that one's not recognized it's invalid or you use it before announced expired so now I want to generate a new ticket and all I'm doing is making an API call to get a list of hosts from the API so what we need to do is let's see here let me make sure I get the right API call when I look in the documentation for a picking um and I could show you this but I want to get to OAuth and that's a little complicated I'm going to pop this open the documentation tells me that the API that I need to call is a techie m / API v1 ticket and that will give me a ticket but I need to do a post into it and then it also tells me that to do that I need to send in my credentials so that's that credential portion that we're going to send in to generate our ticket so if you look at the body it's already set up there I know that that user name Deb net user and the password just go into three bang is already set up in this service and should be valid in generated they ticket for me okay all pretty straightforward and makes sense right any questions if you have questions just raise your hand my colleague Paul will run over you with the microphone okay it's a mic guy so assuming they didn't delete my user in the last 45 minutes tweet I have a new ticket so from writing an application that first step that I'm going to do is create a call that API to create a ticket I'm going to parse out the the response and grab the my string ticket and I'm going to use that over and over and over again themselves tells me I'm not allowed to use it now we saw that we had this 
particular header called X auth token again the documentation I keep coming back to that the documentation is the thing that's telling us that I need to set that particular header I don't think X auth token is there might be a standard header I don't really care all I know is the documentation says to me for you to be able to make a valid API call and get the response back that's the header that you send and it's got to be a valid ticket so I have a valid ticket now that's great let's pop it in there and see what in the world of live demos you never know so we get a response back as expected cool great so we get our list of hosts their host max the connected network device ID awesome that's just what we expected cool now again if I had a typo in there or I didn't have a valid ticket should give me again that ticket not recognized so it's not good so cool and then oh the other thing about that again we see that 401 401 unauthorized air so for writing application I mentioned this in 101 you want to handle those status codes to hundreds okay it's always okay and then I just thought of a cool idea for a teacher to just say always 200 like I'm always okay so anyways 401 is unauthorized you're not allowed to do that and that's a standard code in HTTP responses so that took up about 18 minutes the rest stick with me a loss isn't as challenging as it seems have you guys heard of El offhand okay are you familiar with it or you just sit there and go I've heard of it I don't really know what goes on behind the scenes is that cool okay the behind the scenes stuff it's not as bad as it sounds but I'm going to leverage the Cisco spark because that's our product that leverages a lot that I know about and we'll we'll get into that so see here a quick discussion not off excuse me so this is the the one that's becoming the accepted standard it's not actually ratified as a standard but there is a very specific there are sets of instructions there is a RFC for it so it's it's getting 
to the point where it might be ratified there was an OAuth one day we don't really spend time on it because people are moving away from it it was actually a lot more secure than OAuth 2 or arguably secure the Noah to but the amount of work needed by application developers and service providers to support OAuth Londono apparently was challenging so they were trying to make it easier it actually has a number of different flavors to it that that allow for different ways to authorize users and notice I didn't say authenticate and I'll explain why it's not an authentication there's no Identity Management in OAuth that's left up to the provider and there's a part as part of the discussion of the standard is open ID connect or and that could potentially hold the authorization but it's not authentication excuse me that is not necessarily needed though to leverage oh aw - so it's a standardization of the token method kind of but inherent to it is that Federation and delegation that we talked about so with the CMS service if I if I have a user that's set up on that system they can only access the CMS service if I've user set up on a pecky M they can only access a pickie M yeah you might set them up on different platforms but you have to do that in two separate places those are two separate management systems that you have to worry about with oauth2 it allows for a scenario where you might not even know as a application consumer where that particular authentication is happening or authorization is happening so for example though our Learning Labs we're working on a process right now and I wish we would have gotten it done for Berlin but we didn't where we're implementing the ability to sign in with your Google critic Google credit credentials I got stuck in my throat your github credentials your Facebook credentials and your Twitter credentials and I think maybe even LinkedIn so we're looking at this because we have accounts everywhere and it sucks every time you have to 
create a new account just in our own properties you have a separate a separate login for spark than you do for Deb net than you do for troppo and so we sit there and we scratch our heads and go there's got to be a better way so if all of those services support OAuth 2 then we can say all right for example the Learning Labs I can allow someone with the cisco smart credential if I set it up this way to log into Learning Labs and then I don't need to worry about whether or not they have a in this instance we have them use cisco.com credentials so I can give people the opportunity to use any service that I deem respectable to authorize that person and that decision is made on the application side so we can see then that the delegation is happening in the Federation because then you can imagine if you are working on a scenario where you need to worry about single sign-on you set up a essentially a user broker service they log into that service and it kicks out to any any process that's tied into or any application that's tied into that service so there's there are federal federal no there are two lied mentioned there were different flavors of OAuth two there's two legged authorizations that's kind of like the token and the basic stuff that we saw before they put that in to make it easier in some instances where you don't have to worry about things the one that's used more often that you see is the three-legged authorization though that's when you log into something and then it asks if actually Google does this a lot it asks if you're allowed to authorize Google or authorize the service to use your Google credentials or if you log into something with Facebook it says do you authorize the service to use your Facebook credentials yes okay so the best intro to oauth2 that I've come across that and actually poached the entire fee of the next few slides from there is a digital ocean comm I shouldn't set up a WebEx I apologize so that if you want that link we can talk 
afterwards or you can snap a picture I'll step out of the way so you don't have my ugly mug in there but that's a good one and it if you kind of just get a taste of it for me and you want to read a little bit more about it that's it's very perfect takes about half hour to read maybe and really is that's that one's stuck with me so I'll let you take a picture real quick while I take a drink of water all right moving on so we're going to see as we walk through some of the diagrams of how off two can work different roles and this is I'm not kidding you this is the most confusing part of a walk too because they don't use terminology that I think is like I do I have to define this stuff but these are the terms that are used when talking about OAuth 2 in the specification so when it says resource owner that's the actual user that's used sitting at your laptop trying to access something the client on the other hand is the application that you're logging into the authorization server could be anything it could be that Facebook it could be Google it could be even the service that you're logging into it might have its own OAuth 2 server in there as well and then the resource server is the thing you're trying to access so those are our terms resource server makes sense for the other three I feel like they made unnecessarily complicated so here's the general flow you notice there's a lot more arrows than the other one we have the application that's the client could be your browser making an authorization request to the user that's when you get that screen that pops up that says is this application allowed to use your Facebook credentials resource owner you say yes puts in your name and password comes back that's an authorization grant you're saying this is okay then the application makes a request to the author's authorization server saying I've been given authorization to do this give me an access token here's your access token everything's cool and then the application then 
uses that access token over and over again and this could be so in this instance that we're talking about this would be API making API calls now take that access token and keep sending that over the resource server every time we make an API call so we see that it's more of a standard of a standardization of that token method the terms authorization the terms access token those are those are part of the specification and so you notice when we did the APM token method they called it a ticket that was a choice that's not really standardized and so if you go from one service to another you might run into those issues whereas this is a more of an accepted standard and then the resource server if every if that access token valid it'll send back that particular API response are there any questions on that No okay okay so how do we get that application to be allowed to use your Facebook credentials or your Twitter credentials you have to register that application with that service you have to say to Twitter I'm writing an application where I want people to be able to log in with their Twitter credentials and Twitter has to say okay where Facebook has to say okay so they do that client registration and then they're given a client ID and a secret those are standard terms as well client underscore ID client underscore speaker both of those are important because they are necessary to identify the client ID is used to identify the application and then the secret is used to keep everything secure because that's only provided once to an application provider and then anytime that it's needed again it has to be regenerated and so in any scenario where you're writing an application hopefully only have to set up once but if you've hard-coded it in your code which I would never recommend doing you would have to go in your code and update that again the reason it has to be regenerated and then authorization grant has four different types so the one we're going to see and the one that 
I've actually seen and trying to think if I've seen and I've seen to two of them is authorization code that's the one that's used the most implicit is used against trusted resources and then resource owner password and credentials that's kind of a way to get around it just being a little bit harder to do than a basic authentication and then I've never seen client credentials and I actually haven't researched it very much so I can't really speak to it I don't think it's really anything you guys have to worry about right now so the biggest one that we have to worry about is this operate authorization code flow so this is the one we're going to look at authorization code flow so this is you know we saw that basic flow but this is now the the specifics of it it's two R it's the derivative of that initial one so we have the user same person the resource owner it makes a call through the user agent in that instance since our web browser makes that authorization request the user says okay um you know here must username and password you're allowed to use these credentials to authorize me to use the service and the off server sends that code grant back and then requesting the ask access token everything gets validated and then the access token is sent back to the off server now there is becoming a standard for that access token validation because you're probably saying or how how does aa server know that that's valid is their standard for that technically no they're the the specification itself kind of leaves it open to interpretation so what is becoming more popular is what's called a JWT token and that stands for java web token so that's a it's a validation of the token itself to say to the authorization server this this is a valid token this user this application everything in it is valid it's usually an encrypted it's a token that includes some encryption of data in it and the authorization knows how to decrypt that on its side with some shared key and says per to 
potentially here's the username and password here's the email address of that user so it does actually potentially pass some of that authentication information in it depending on the API but it doesn't guarantee that that's going to be the case there might be a different validation method assigned on that side usually there's a timestamp with it because they keep those access tokens limited to a certain amount of time so the evaluation won't happen on that off server side but it's left up to the provider of the service on how they want to implement that although there are many packages and tools to do a standard method of processing what are called JWT tokens the implicit code flow this bypasses the the authorization grant or authorization code it basically takes the client ID that says all right I know that this is a valid application just let it through that's why it says it's implicit it's implicitly trusting that this application is allowed to access the service on behalf of this authorized user so we won't see that one spark does not support it so we're going to go back to lawsuit authorization code version but I just wanted to mention it for your edification so let's get into it hopefully everything will work I kind of panicked a little bit because right before my last session I was trying this out to make sure that everything was okay and something has changed which I've yet to identify but I kind of work around so the first thing that we want to look at is the documentation for spark well that's small one second let me make this bigger hold on so I'm heading over to developer that Cisco spark comm are there any questions by the way so far I think what you see it in action you'll be able to wrap your head around how it works I'm logged in as one of my test users and then in the documentation it tells me under in integrations how I should authenticate my application so I'm going to create an application it's going to be postman that will be able to make API 
calls then from it. And so this documentation tells me how to do that: it tells me how the URL should be formed to get my authorization code, tells me what particular parameters I need to send, it also tells me the scopes that I might set for that particular one, and it also will tell me what I need to do once I get my access token, how do I then get my, well, how do I get my access token once I get my authorization code, excuse me. So that's all the cool info there. So I've already registered an application so you don't have to watch me type. Let's load that up. I don't know why, but I named my test account Darla. I don't know who Darla is, I don't know any Darla. So there are a couple of different ways you can create an integration. To show the OAuth authorization method we'd have to do it with integrations; bots are given a specific access token that is assigned only to it, so they don't actually go through the whole handshake methodology that I showed you before, they're just given access through. So we have the, oh, I don't want to do a new integration, I already did one, I'm going to click on Darla's Spark app and let that load. So we have the name, pretty straightforward, description, what it does, the support email, all that fun stuff. This is the most annoying part of setting up these particular applications: there's an app icon required and it needs to be specifically a 512 by 512 icon, and for some reason it's not that easy, so I keep choosing my friend Adrian's picture of a cat, so I use that. Now because I'm using, I'm going to show you the API calls using Postman, Postman is nice enough to give me the option of what the callback URL should be. Okay, let's here make this a little bigger. So if I go into Authorization and I drop this down, it gives me, we saw this before, this is HTTP Basic. If we go to OAuth 2 and I go Get New Access Token, this is the part that doesn't work now, which is very frustrating, but I'm going to walk through the steps that this thing does. But it says callback URL: if
you're going to set this, that is, if you're going to use this application to test, this is the callback URL. So thanks a lot Postman, that's cool. So we're going to set that as our callback URL for the application that I'm integrating. Oops, oh, that's annoying. So that's why we have that there, and then we have scopes, and this is essentially what is your application asking to do, and in this instance I'm just going to set it to being allowed to read a list of rooms, and so that's fine, we didn't want to put a whole list in there, and we're going to save changes. Whenever you create that, then it'll generate a new client ID for that particular app. The client ID does not change, ever; it will cause problems if the client ID changed. The client secret, however, does, and so I'm not going to regenerate it because I have all the demo stuff set up already, but assume that I have a client secret. And the nice thing is they built out the URL for us and said if you guys want to do the authorization code request, here's the URL for it. So let's grab that and I'm just going to call it from my browser. Now again, I don't know why the Postman integration isn't working, I haven't figured that out yet, that's why I panicked, but this works just as well and I can actually show you very directly how that is generated. So this is similar to what you would see, and I'll make this bigger, similar to what you would see if you were trying to log in with Facebook credentials, if you're trying to log in with Twitter credentials: you'd see this app is requesting, this is the authorization grant process, the list of titles of the rooms that you're in, and you say, I don't know what KMS is, it's an underlying thing, we'll just ignore it. And so you can either say decline or accept, and I'm going to say accept. Now, man, that is small, I'm going to pop this up and show you guys what happened here. What I should have, what I did miss: because I'm already logged in as that user it didn't
prompt me for my credentials, and I apologize for that, but imagine before we saw that accept/decline portion you were prompted for your credentials. So I was already logged in, I apologize for that one. So if you're like, he didn't log in, how does it know? That's why. Okay, so we'll do that. I'm going to show you guys this, try to make Notes bigger, yeah. So we're going to knock that out, I just want to show you the URL so you can see that. So what it did was it sent back to my callback URL a value called code, and through the instructions I know that then I need to send that code into the access token URL to get my access token to make the API call. So now we've finished the first handshake part, we're going to do the second handshake part. So let me grab this, all I want is that code, thank you. And now because of the documentation I know that I need to do a POST to get my access token, and hopefully I did everything okay and we can actually see through this API call that I've gotten a token back. So, jeez, one second, something around in Windows and demos is always a challenge. Alright, let's try this again. So what I want to do is, we can look at the parameters that I need to set, and I want to change this code to the one that was just generated. Now through the documentation it tells me that I need to set that grant type of authorization_code, it tells me that I need to put my client ID in, it tells me that I need to put my client secret in, and then the authorization code I was given, and then the redirect URI is actually very important: if it doesn't match exactly the one that you did the original call with, it will invalidate the request. So I have everything set, I think everything is good, the only thing is, oh, the documentation also tells me I need to do a POST as x-www-form-urlencoded so it knows that the body of the POST request is in the URL and not in some JSON payload that we're looking for. So we hit Send, hopefully we get an access
token. Yes, so now I have an access token, I can make API calls; this is then used to make an API call. Let's see here, we want the rooms call, it was the one that we allowed, let's see here, rooms. So just to show you quickly, if I were to put in a typo or something like that, or a token that I hadn't generated, I get a 401 Unauthorized like we saw before with the other API calls, but if I use the proper token that I've now gone through the handshake process of generating, then we should see the list of rooms, and that access token is tied to the user, and it's validated on the Spark side, on the Spark self-service, to that user, so I know without sending any other information that I should only be sending information back for Darla. And so that's how that works. So we did all that, anyone lost? Good, okay, that's excellent. So that's everything and a few minutes to go, any questions? Nope, okay, excellent. So in theory you could leverage Spark OAuth to authorize people for your applications if you wanted to. One admin thing that I'd like to talk about: so we have in the DevNet Zone a bunch of different things to do, workshops, these sessions, Learning Labs, they're all fun and cool, at least in our opinions, so we hope you think they're cool too, but you get credit for doing them, and Cisco has a Spark app and we built a bot for it called Debbie, and Debbie lets you play the game, and basically it's hey I was here, I did this, I did that kind of stuff. There are instructions on those stanchions and at the info booth if you guys want to get credit for that; we're giving out some fun stuff, hats, socks, all that kind of fun gear. So I just wanted to mention that. Other than that, enjoy the rest of your day here, thank you so much for your time. [Applause]
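The handshake the talk walks through, as an added Python example (not code from the talk, Cisco Spark or Postman): build the authorize URL, take the one-time code off the callback, and POST the form-encoded token request; the endpoint, client id/secret, scope and codes are placeholders, and the token endpoint is a constructed stand-in that enforces the redirect URI match and one-time code use the speaker describes.

```python
"""Walk the OAuth 2 authorization-code handshake the talk demonstrates.

Added example, not code from the talk, Cisco Spark or Postman.  Endpoint
URL, client id/secret, scope and codes are constructed placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://auth.example.invalid/v1/authorize"       # placeholder
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # placeholder


def build_authorize_url(scope, state):
    """Step 1: the URL the user is sent to, where they accept or decline."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTH_URL}?{urlencode(params)}"


def code_from_callback(callback_url, expected_state):
    """Step 2: pull the one-time ``code`` out of the redirect back to us.
    Checking ``state`` rejects a code that was not minted for our session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return qs["code"][0]


def token_request_body(code, redirect_uri=REDIRECT_URI):
    """Step 3: x-www-form-urlencoded body for the POST to the token URL."""
    return urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "code": code,
                      "redirect_uri": redirect_uri})


# Constructed stand-in for the provider's token endpoint so this runs offline:
# codes issued in step 1 are remembered together with the redirect_uri used.
ISSUED_CODES = {"code-abc123": REDIRECT_URI}


def fake_token_endpoint(body):
    """Return (status, json-like dict), mimicking the checks the talk hits."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    code = form.get("code")
    if code not in ISSUED_CODES or ISSUED_CODES[code] != form.get("redirect_uri"):
        return 400, {"error": "invalid_grant"}      # redirect_uri must match step 1
    del ISSUED_CODES[code]                           # a code is good exactly once
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
```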
Info
Channel: Cisco DevNet
Views: 28,296
Keywords: DevNet, CLEUR, APIs, Oauth, HTTP, Cisco, dev, developers, network engineers
Id: XpEyRVEOFuU
Length: 44min 43sec (2683 seconds)
Published: Wed Feb 22 2017