REST API Security

Security is the biggest API technology challenge to be solved today. Organizations understand the need for REST API security, or for API security in general.

Secure REST APIs

Why is Security Important?

API security is one of the biggest challenges that everyone, including IT organizations, wants to see solved. Solving security-related issues will lead to the growth of APIs.

If your API has no authentication or authorization mechanism, it can be misused: the extra load on the servers and on the API itself makes it less responsive to legitimate consumers.

Factors Not to Overlook


1. Protection of Data :

Data protection is one of the most important security concerns. It is very important to define access rights for the different kinds of API methods (especially the PUT and DELETE methods).

A good level of authentication is needed to access these APIs, and access should also be logged for audit.

2. Protection against Attacks :

There are several kinds of attacks that can be carried out against APIs; to name a few:

Injection Attacks :

As with SQL injection and XSS (cross-site scripting), an attacker's malicious code is injected into or embedded in an insecure application or piece of software.
In the case of APIs, untrusted data can be sent to the API as part of a query or command, and if that data is successfully injected as input to the API it can do a lot of damage or leak information.
You can handle this by adding input validation and constraints.
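As an added illustration of the injection point above (example code written for this page, not from the original article), here is a lookup that builds a SQL string from untrusted input next to the hardened version that validates the input's shape and binds it as a query parameter. The in-memory SQLite table and the user rows are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("maverick", "maverick@example.com"), ("goose", "goose@example.com")],
    )
    return conn

# Vulnerable: the query text is assembled from untrusted input, so the input
# can change the meaning of the WHERE clause instead of just its value.
def find_user_unsafe(conn, username):
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

# Hardened: constrain the input to what a username can look like, then bind it
# as a parameter so the database never interprets it as SQL.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def find_user_safe(conn, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
```

The validation step rejects anything outside the expected character set before the query is even built; the parameter binding is what protects the query even for inputs that pass validation.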

DoS Attack :

In a Denial of Service attack, attackers push a flood of messages to the server, in this case the API servers,
with the aim of hitting the server with many invalid requests and making the API non-functional.
If someone succeeds in a DoS attack, whoever was the consumer or user of those API services will no longer be able to access them.

Exposing Senstive Data :

Sensitive data may include user personal information, tokens, passwords, social security details, banking details such as credit card numbers, etc. This sensitive data requires a high level of security; for this, the data can be encrypted in transit using techniques like SSL certificates and TLS.

Authorized Access Only :

Authorization is one important factor to pay attention to. Missing out on it may lead to access to valuable or sensitive information, and can make the service vulnerable to attackers or to any user who is not supposed to have that extra piece of information. Proper access controls should be granted to its users.

3. Anti-Farming :

Today, the most common use case for RESTful APIs is the online booking industry: many huge websites have a business model of consuming multiple multi-sector services like hotels, airline ticketing, movie tickets, etc., taking advantage of APIs actually built by other individual companies in these sectors.

In cases like these, if your APIs are not secured and have no auth mechanism, it may lead to misuse of your APIs, and they can also suffer performance issues or become unresponsive to other users.


Ways to Secure APIs 🙂

RESTful APIs are stateless, so auth security must not depend on a session or cookie alone; the auth parameters should be validated on each and every request to the server, most likely using headers. There are multiple ways to secure RESTful APIs; we will shed light on some of them below.

  1. Basic Auth
  2. API Keys
  3. OAuth
  4. JWT

1. Basic Authentication

Probably one of the simplest ways to implement access control in RESTful APIs. It does not require any cookies or sessions; it just passes the auth credentials through the HTTP headers.

It involves the client sending the userid and password, separated by a single colon, Base64-encoded together as a single string.

Example: userid “maverick” and password “pass123” separated by a single colon.

maverick:pass123

Authorization: Basic bWF2ZXJpY2s6cGFzczEyMw==

Basic auth is not a very secure method of user authentication; its most serious flaw is that you pass the userid and password over the network in the header as an encoded (not encrypted) string.

Still, if you are using this technique, it should be used with the TLS or SSL (HTTPS) protocol in order to protect sensitive information.
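The following added example (written for this page, not code from the original article) shows both sides of the Basic scheme described above: the client-side encoding that produces the header value shown, and a server-side check that parses the header, splits on the first colon only (passwords may contain colons) and compares against a salted PBKDF2 hash in constant time rather than against a stored plaintext password. The `USERS` store and the `maverick`/`pass123` credentials are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import os

def build_basic_header(userid, password):
    """Client side: encode 'userid:password' as the Authorization header value."""
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(header):
    """Server side: return (userid, password) from the header, or None if malformed."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # split on the first colon only: the userid cannot contain ':' but the password can
    userid, sep, password = decoded.partition(":")
    if not sep:
        return None
    return userid, password

def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, iterations, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest

# Constructed credential store: only password hashes are kept, never the plaintext.
USERS = {"maverick": hash_password("pass123")}

def authenticate(header, users=USERS):
    """Return the userid if the header carries valid credentials, else None."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    userid, password = creds
    record = users.get(userid)
    if record is None:
        return None
    salt, iterations, expected = record
    _, _, actual = hash_password(password, salt, iterations)
    # constant-time comparison so the response time does not leak how many bytes matched
    return userid if hmac.compare_digest(actual, expected) else None
```

Because the header is only Base64, `parse_basic_header` recovers the password verbatim; that is exactly why the text above insists on HTTPS for this scheme.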

2. API Keys

API keys are for projects or applications; authentication is for users. For example, Google Cloud exposes API keys to access its APIs and identify the calling application.

While API keys identify the calling project, they don’t identify the calling user. For instance, if you have created an application that is calling an API, an API key can identify the application that is making the call, but not the identity of the person who is using the application.

You use API keys when:

  • You want to block anonymous traffic. API keys identify an application’s traffic for the API producer.
  • You want to control the number of calls made to your API.
  • You want to identify usage patterns in your API’s traffic.

You cannot use API keys for:

  • Identifying individual users — API keys don’t identify users, they identify projects.
  • Secure authorization.
  • Identifying the creators of a project/application.
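To make the two lists above concrete, here is an added example (written for this page, not code from the original article or from any cloud provider) of a small API key registry: keys are random, only their SHA-256 hash is stored, a lookup yields the calling project (never a user), and a per-key sliding-window quota implements "control the number of calls". The `ApiKeyRegistry` class, its method names and the project names are constructed for the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict

class ApiKeyRegistry:
    """Maps API keys to projects and enforces a per-key call quota (constructed example)."""

    def __init__(self, quota_per_window, window_seconds=60):
        self._keys = {}                   # sha256(key) -> project name
        self._calls = defaultdict(list)   # sha256(key) -> timestamps of recent calls
        self.quota = quota_per_window
        self.window = window_seconds

    @staticmethod
    def _digest(api_key):
        # store a hash so a leaked registry does not leak usable keys
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def issue(self, project):
        """Generate a random key for a project; the raw key is returned once and never stored."""
        api_key = secrets.token_urlsafe(32)
        self._keys[self._digest(api_key)] = project
        return api_key

    def revoke(self, api_key):
        self._keys.pop(self._digest(api_key), None)

    def check(self, api_key, now=None):
        """Return (project, status); status is 'ok', 'unknown_key' or 'quota_exceeded'."""
        now = time.time() if now is None else now
        digest = self._digest(api_key)
        project = self._keys.get(digest)
        if project is None:
            return None, "unknown_key"
        # keep only calls inside the current window, then apply the quota
        recent = [t for t in self._calls[digest] if now - t < self.window]
        if len(recent) >= self.quota:
            self._calls[digest] = recent
            return project, "quota_exceeded"
        recent.append(now)
        self._calls[digest] = recent
        return project, "ok"
```

Note what `check` returns: a project name and a status, nothing about who is sitting in front of the application. That is the limitation the second list states, and it is why API keys are paired with user authentication rather than used in place of it.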

3. OAuth 2

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf (RFC 6749).

OAuth gained popularity from usage by Google, Facebook, Microsoft and Twitter, who allow usage of their accounts to be shared with third-party applications or websites.

OAuth works over HTTPS and authorizes devices, APIs, applications and servers with access tokens rather than credentials.

OAuth 2.0 can be used to read a user's data from another application without compromising the user’s personal and sensitive data, such as their credentials. For example, a user can use Facebook OAuth login to log into Quora. It also supplies authorization workflows for web applications, desktop applications, and mobile devices.

To simplify, you can think of it as a hotel key card. If you have the key card, you can get access to your room and other resources. But how do you get a key card? You have to authenticate your identity and booking at the front desk reception. After they authenticate you and give you the key card, you get access to the other resources of the hotel as well.

OAuth Tokens :

OAuth uses tokens to authorize the user: access tokens and refresh tokens.

Access Tokens :

These are the tokens used by the client to access the resource API, and they have an expiry. Unlike refresh tokens, they are not reserved for secret (confidential) clients; they are available to public clients as well.

Refresh Tokens :

These tokens can live much longer, for days, months or years. A refresh token is used to get new access tokens. To get a refresh token, an application typically needs to be a secret (confidential) client that authenticates itself.

The access token can also be put in the Authorization header, e.g.:

Authorization: Bearer 0123456789abcxyz
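The token lifecycle described above, as an added example (written for this page; it is not an OAuth library and not code from the original article): a confidential client authenticates with its secret and receives both a short-lived access token and a long-lived refresh token, a public client receives only an access token, the resource API validates the Bearer header on every request and rejects expired tokens, and the refresh exchange rotates the refresh token. The `TokenServer` class, the client ids and the secret value are constructed for the example.

```python
import secrets
import time

class TokenServer:
    """Constructed authorization server holding opaque access and refresh tokens."""

    def __init__(self, access_ttl=3600, refresh_ttl=30 * 24 * 3600):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self._access = {}    # access token -> (client_id, scope, expires_at)
        self._refresh = {}   # refresh token -> (client_id, scope, expires_at)
        self._clients = {}   # client_id -> (confidential?, secret or None)

    def register_client(self, client_id, confidential, secret=None):
        self._clients[client_id] = (confidential, secret)

    def _client_ok(self, client_id, secret):
        """Public clients cannot authenticate; confidential clients must present their secret."""
        confidential, expected = self._clients.get(client_id, (None, None))
        if confidential is None:
            return False
        if not confidential:
            return True
        return secret is not None and secrets.compare_digest(secret, expected)

    def issue(self, client_id, scope, secret=None, now=None):
        """Hand out an access token; a refresh token goes only to authenticated confidential clients."""
        now = time.time() if now is None else now
        if not self._client_ok(client_id, secret):
            return None
        access = secrets.token_urlsafe(24)
        self._access[access] = (client_id, scope, now + self.access_ttl)
        refresh = None
        if self._clients[client_id][0]:
            refresh = secrets.token_urlsafe(32)
            self._refresh[refresh] = (client_id, scope, now + self.refresh_ttl)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def introspect(self, authorization_header, now=None):
        """Resource API side: validate 'Authorization: Bearer <token>' on every request."""
        now = time.time() if now is None else now
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self._access:
            return None
        client_id, scope, expires_at = self._access[token]
        if now >= expires_at:
            del self._access[token]   # expired: drop it and fail the request
            return None
        return {"client_id": client_id, "scope": scope}

    def refresh(self, refresh_token, client_id, secret, now=None):
        """Exchange a refresh token for new tokens; the old refresh token is consumed."""
        now = time.time() if now is None else now
        if not self._client_ok(client_id, secret):
            return None
        record = self._refresh.pop(refresh_token, None)
        if record is None:
            return None
        owner, scope, expires_at = record
        if owner != client_id or now >= expires_at:
            return None
        return self.issue(client_id, scope, secret, now)
```

The split between `issue` and `introspect` mirrors the two roles in the text: the authorization server that mints tokens, and the resource API that only ever sees `Authorization: Bearer ...` and must check it on each stateless request.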

4. JWT – JSON Web Token

What is a JSON Web Token, or JWT (pronounced “jot”)? It is one of the token authentication standards. It allows you to digitally sign information (called claims) with a signature that can be verified later with a secret signing key.

A JWT can carry any type of data and, like OAuth access tokens, should be passed in the Authorization header:

Authorization: Bearer <JWT>

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik1hdmVyaWNrIiwiaWF0IjoxNTE2MjM5MDIyfQ.qkBSwSUiWDRyLlG4STgn1w0VIAbA1qEtqSBZ2g8Kgc4

Anatomy of JWT

A JWT token looks like this: three segments separated by dots.

<Header>.<Payload>.<Signature>

Header Section

A JSON structure which consists of the signing algorithm and the type of token; for example, here the algorithm is HS256 and the token type is JWT.

{
  "alg": "HS256",
  "typ": "JWT"
}

Then this JSON is Base64Url encoded (the URL-safe Base64 variant, without padding), and it looks something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The second part of the JWT token is the payload, which carries the user data you intend to pass along with other information related to the token (the claims).

{
  "sub": "1234567890",
  "name": "Maverick",
  "iat": 1516239022
}

sub : the Subject, whom the token is about
name : name of the user
iat : Issued At, the issue time as a number (seconds since the Unix epoch)

Then this payload JSON is Base64Url encoded, and it looks something like this:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik1hdmVyaWNrIiwiaWF0IjoxNTE2MjM5MDIyfQ

Signature

The signature in a JWT is the part of the token used to verify that the sender of the JWT is who they claim to be, and that the header and payload have not been altered since the token was signed.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

The signature is computed over [ Base64Url-encoded header + "." + Base64Url-encoded payload ] together with the secret, using the algorithm named in the header, here HMAC-SHA256.

qkBSwSUiWDRyLlG4STgn1w0VIAbA1qEtqSBZ2g8Kgc4

And the complete encoded JWT token, with the signature, looks something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik1hdmVyaWNrIiwiaWF0IjoxNTE2MjM5MDIyfQ.qkBSwSUiWDRyLlG4STgn1w0VIAbA1qEtqSBZ2g8Kgc4

Try it out : Create your own JWT token here – https://jwt.io/


How JWT works ?

[Diagram: how JWT tokens work]
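The anatomy and the flow above, carried through in code as an added example (written for this page; it is not the article's code and not a JWT library): the signer Base64Url-encodes the header and payload exactly as shown in the anatomy section, signs them with HMAC-SHA256, and the verifier on the API side parses the Bearer header, pins the algorithm to HS256 rather than trusting the token's own `alg` field, checks the signature in constant time and rejects tokens past their `exp` claim. The secret value and the `exp` claim in the usage are constructed; the page's own signature is not reproduced here because its signing secret is not known.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data):
    """Base64Url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj):
    # compact JSON (no spaces) so the encoding matches the segments shown above
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(payload, secret):
    """Produce header.payload.signature for the given claims with an HMAC-SHA256 secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_hs256(token, secret, now=None):
    """Return the payload if the token is valid, else None. Only HS256 is accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # pin the algorithm: the verifier decides how to verify, never the token's own header
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload

def parse_bearer(authorization_header):
    """Extract the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = authorization_header.partition(" ")
    return token if scheme == "Bearer" and token else None

if __name__ == "__main__":
    # constructed usage: the page's claims plus an expiry, signed with a constructed secret
    secret = b"your-256-bit-secret"
    claims = {"sub": "1234567890", "name": "Maverick", "iat": 1516239022, "exp": 1516242622}
    token = sign_hs256(claims, secret)
    header_value = "Bearer " + token
    print(verify_hs256(parse_bearer(header_value), secret, now=1516239100))
```

Two of the checks carry most of the security weight: the algorithm pin stops a token whose header says `"alg": "none"` from being accepted with an empty signature, and the `exp` check bounds how long a stolen token stays useful, which is the practical answer to "what if someone steals my JWT".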

How Secure is JWT ?

Remember not to put sensitive information in it, for example passwords, IDs, SSNs, etc. The payload is only encoded, not encrypted, so anyone who holds the token can read it.

What if someone Steals my JWT ?

So you have to be careful about how you pass your JWT: it should be sent over HTTPS, and it should be used in conjunction with other established authentication mechanisms like OAuth, etc.

JWT Use case

These days JWT is very common and can be used for authentication, single sign-on, and authorizing subsequent API requests.

Summary

In this article, we looked into one of the most challenging parts of APIs, REST API security. We looked at some of the important factors that make API security even more important to understand.

Then we looked into various ways to secure REST APIs, to name a few methods: Basic Authentication, API keys, OAuth2 and JWT.

I hope you liked this article ! Please leave your comments below.


