On my current project we are using OAuth 2.0 and OpenID Connect for securing our Web APIs. I have used OAuth in the past, but OpenID Connect was something new to me, so I decided to get a deeper understanding of these two protocols. In my search for a good book on the subject, I’ve found Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE by Prabath Siriwardena. As the title says, it’s about OAuth and OpenID Connect. But, while I was skimming the book I noticed that it’s about more than that, as it presents the evolution of different security protocols. The book looked promising so I decided to read it and I must say that I have gained a lot from it. It provides a good overview of the most important topics on API Security.
Structure
The book’s first chapter is pretty light. It starts with a definition of APIs, the difference between APIs and services and a couple of examples of accessing web APIs.
The second chapter takes it up a notch. It is a must read for all Web API developers since it touches on the many aspects of what security means. It’s a pretty small chapter (about 20 pages) but it’s packed with information. It’s a good starting point for getting to know the basics of API security as it covers:
- the challenges of securing APIs
- a high-level overview of the 8 security design principles of Saltzer and Schroeder: least privilege, fail-safe defaults, economy of mechanism, complete mediation, open design, separation of privilege, least common mechanism and psychological acceptability
- the three most important security attributes – the CIA triad – Confidentiality, Integrity, and Availability
- the four most important security controls that help achieve CIA: authentication, authorization, non-repudiation and auditing
- security patterns: direct authentication, sealed green zone, least common mechanism, brokered authentication, and policy-based access control
- threat modelling, a powerful way of identifying your assets and the possible threats and attacks against them, along with some examples of how to define a threat model in practice.
The next chapters start to go through the history of security protocols. First, the author presents HTTP Basic Authentication, HTTP Digest Authentication and TLS. Next, we get to Identity Delegation and the predecessors of OAuth – Google’s ClientLogin and AuthSub, Yahoo!’s BBAuth and Flickr’s Authentication API – and finally to OAuth 1.0.
Chapters 7 through 10 focus on the new standard for delegated authorization – OAuth 2.0. The author describes the OAuth 2.0 framework and shows examples of registering an OAuth client and requesting an access token with some of the most well-known Authorization Servers: Facebook, Google, LinkedIn and Salesforce. Chapter 8 covers the MAC Token Profile (and how it compares with OAuth 1.0). Chapters 9 and 10 describe some of the OAuth 2.0 profiles that extend the core framework (some of them are still drafts).
Chapter 11 focuses on Federation and an older standard – SAML. Chapter 12 covers the emerging standard for federated authentication – OpenID Connect. In chapter 13 we take a closer look at JSON Web Token (JWT), JSON Web Signature (JWS) and JSON Web Encryption (JWE).
The book closes with ten of the most common enterprise security scenarios and the security patterns that fit each context. Again, this is a must read chapter for API developers, since it’s likely that your scenario fits in one of these patterns.
Biggest Takeaways
My initial goal for picking up this book was to get a more in-depth understanding of OAuth 2.0 and OpenID Connect, and it did help me achieve this goal.
This being said, the biggest takeaway for me was the high-level overview of what API Security means. Chapters 2 and 14 do a wonderful job of presenting the most well-known security principles and the most used security design patterns. I will certainly come back to these chapters whenever I need to refresh this information.
Improvements
From my point of view, one (minor) improvement point is the level of detail in some of the examples. The author describes, step by step, the installation and configuration of the WSO2 Identity Server. This is information that probably won’t age well, since some of these steps will change in the future. Of course, this isn’t a real issue, as you can just skip these or skim over them.
Also, I can’t really say I understood all the XACML examples, but this might be due to my ignorance, since I haven’t heard about this standard before.
Conclusion
This is a good and well written book that I recommend. It starts with the basic concepts of API Security, then it goes through the evolution of Web API Security – from HTTP Basic Authentication to OAuth 2.0 and OpenID Connect – and it closes with the most common enterprise security patterns.
The theoretical part is backed up by many practical examples written in Java, using Apache Tomcat, WSO2 Identity Server and cURL. These examples showcase how to call some of the most well-known APIs – Facebook, Google, Salesforce, etc. Even if you’re not a Java developer, the examples are accessible, since they focus on the interactions with the APIs.