I am a strong technologist with an eye toward enabling strategic change. I enjoy helping to define business solutions and optimize the technology stack to meet business needs. I enjoy new challenges and have a natural curiosity to learn new things.I appreciate working with a wide range of individuals from business leaders to system engineers and developers to create and inspire a shared vision. Working toward any shared vision generally involves problems along the way, either with the vision or with current solutions and processes. I love troubleshooting an issue as much as anyone.View the profile
About the talk
API Security isn’t easy. Should I use OAuth? OpenID Connect? JWT? SAML? Opaque tokens? Signatures? HMAC? Should authentication and authorization be different for “external” versus “internal” APIs? What are the different schemes I should consider when allowing access to my APIs and how do I choose? Beyond designed-in API Security, what should I be thinking about for run-time monitoring?
This session explores different options, standards, and tools for securing your APIs and how you can apply them in your enterprise.
Speakers: Dino Chiesa, Greg Kuelgen
Google Cloud Next ’20: OnAir → https://goo.gle/next2020
Subscribe to the GCP Channel → https://goo.gle/GCP
product: Apigee; fullname: Dino Chiesa, Greg Kuelgen;
event: Google Cloud Next 2020; re_ty: Publish;
My name is Craig Coogan and I'm an architect with apogee at Google. Hi, I'm Dino chiesa. I'm a colleague of Greg's on the opportunity. My Google Cloud. I'm very excited to be here today. Talk to you about some means of securing your audience, the data requirement to you later. 2 qt is not static. What works today, may need to adopt tomorrow Who's like she can help manage the security. Do you know what? I frequently talk to customers about security over the past few years. The number of attacks that we see. and the number of conversations, we have a security been steadily, increasing
Securing access. This is generally what I believe most of us, think about what we think. A security making sure that we have authentication and authorization Place something and the receiver checks to see if I access to be granted. And basically all cases last secure the connection also known as what So let's talk about a few means of, actually securing your access is a very common station called on to this authorization Flow app login. What do I tell us another means of securing the client identifies, the server with the server with a connection to
server. PS4 clients can be difficult to manage a program. For example, maybe using A bank's actual certificate. Like, I already mentioned it, she is really used for its Simplicity. Highly recommend requirements assistant pastor the client ID and a secret system where the consumer authorizes. Use for to make a lot of sense when you're using a service that can manage all of that for you. What are the things in common with all of these matters is that they identified. The calling client also identify the client
is using these different mechanism Well, the API key is a good basic building block. That's appropriate when doing signing or I'll talk more about that later. What is pretty common as you said? Most API gateways will just support it. It's a really good idea to devices. Do you control not so easy for Consumer mobile devices or what about Jason Webb tokens for jots? Can I use an access key is just a special kind of token, no information is inherent within that string beans,
with only the authorization server. The issue resolved that token into a set of claims or entitlements and contrast any system can be in assigned. JWT so yes, and it may be more flexible and preferred some cases. When do you use each as always? It depends. That's a larger conversation. Spoken like a true architect. It depends. I've use that phrase many times myself. Securing your customer that was dealing with consumer. Credit information, if you eat a lot, of course,
they actually give them an extra layer of Security. Even if someone still need to sign, High-level security and encryption. Another pediatrician basically using a secret message. How does an altar? And it's actually been sent by the intended Center. Signatures don't provide any privacy for the message though. Hmac is also used by Cloud providers. For example, in gcp, you can create a sign URL You looking to meet you so you are protecting us things like that. She left over ability that would allow an attacker to be dating flight. Also be useful to limit
who is able to see data. Generally speaking, this is only a question. Sure you're a few first. Keep it simple signing or encryption necessarily means more work for client developers and more complexity take care to apply second application layer signing or encryption helps protecting information across multiple cops. Select The Shining approach. That fits your team at RSA whichever they are most comfortable with. And don't forget Jaden in all replaces, you're going to need to think about T-man
last included, timestamp JWT will help you with this. If you use H McCarron, say you will have to come up with your own. Great. Thanks. Tina. Turn conversations, even with other security measures in place. Sometimes it's a corporate accounts to try to mimic human users and gain access to the same patterns of modern technology advanced features to help identify and prevent this type of attack. There's a few things to look at risk during conversations. What are the
several times a second? No way to text. Ian is also being update with customers that I support. As we talk about somebody understands what a normal traffic looks like and can alert when things like they are right outside of normal actually. Configuring a specific Alert security as an indicator that a bad actor is bypassing other security. Also works great ruler, operational issues and I've had more than one customer that has told me has helped them. Detecting air alert, the target service that was having the issue and fix it all before. You also see recapture
good question. So in the original version of recaptcha a webpage presented, The Familiar, are you a robot challenge? Google released version 3, 2018 device and endpoint that means both web pages and it needs to connect to server to get a token that client uses that token and its request for maybe I took. The API server and then validate the recaptcha token before granting service and we can issue an opinion about that client. Is it a robot or is it not? Using recapture this way. Recaptcha acts as a gatekeeper or bouncer for your front door, it just mean
introducing a new external dependency in your system, but you may want to accept that to get the additional level of security. Thank you. When do you use? What? He tried to access token, pretty much always going to be in place. There's some exception for to the public info, but even then, you may want to buy some level of access control, signatures can be useful when you need to verify or like a sign or even if the wires a compromise to contact, still secure to ensure that messages are secure.
We recommend at least protect your login Orchestra inside of a p. Information driven companies will have tens or hundreds of services that they use to run their business. Some of them, custom-built, maybe in Java GoLine, c-sharp python may be running a VM or a kubernetes. Some of these Services might be third-party SAS. There are many different implementation options apogee can help manage all of them to do that. We rely on an apogee proxy, that intercedes between clients of the service and the service, this allows us to standardize on the access message and
products. This is just an instance. I also have it running in Google app engine. So let's try to invoke it. There was a different URL, I'll send the same request and you can see I'm getting a 401 unauthorized service is locked down to enforce API management. We must ensure that the service is accessible only through the API Gateway. We can do that with to atos firewall configuration with IP restrictions or via some other mechanism. Applebee's in acts as the enforcement point for clients, no client can reach the service except through
the apogee pricey. So let me show you a proxy that stands in front of this particular service to here. We see the target of the proxy, and this is the Ingress. And point for the API proxy, the prophecy itself is just a pass-through, it perceives the request and then proxies to the Upstream silly, turn on tracing, and then we'll flip back and will invoke not the Google app engine in point. But the proxy endpoint in a pudgy, you can see I'm sending that same request and it's actually connecting to that app engine instance, which
because its apogee, it's allowing it through and you can see I've got a tray statement here, I'm the request is received and then it's proxy to the Upstream Target. The really nice except apogee is merely acting as a pass-through, we want the proxy to do more. So, in order to illustrate that let's stop the trees will deploy version 12 of this proxy which includes a verify access token policy. So now we're going to start doing oh off enforcement in the proxy again.
Let me turn on a trace and then I'm going to run that same request and you should see a pudgy saying, hey unauthorised, you did not pass a token. So not going to let you in. How can we get a token apogee also acts as a token dispensary and I have another proxy for that. This is an apogee. A lot of proxy that generates tokens for the client, credentials Grant type. So I'm going to turn on trace for that. And now will request a token using client credentials. That's a different API
request and you can see I'm sending that into apogee and yep I've got an access token coming back so that's really good in the trace you can see apogee handle that request, it verified the client credentials and then generated a token which is now good for 30 minutes. We now have the token. Let's invoke the service again. I will switch back to the other proxy when book the service again, passing that invalid token. And now, you can see a pudgy is receiving. The request includes the valid token and I'm getting the product inventory information. So that's just what
we want. What if I use an expired access token, something that's out of date. Also, want to check that out. Want to make sure that access tokens get rejected when they are expired and sure enough after you sending back. Hey, that's soaking his old that's expired. Doing exactly what we wanted to do. Let's try and update. For for this part of the demonstration, I have a payload. I want to send a post in the payload looks like that and I configured the apogee proxy in here to check the hmac on that payload
to prevent replays in to ensure greater message, security of something. We talked about a little bit earlier, so let's try to send that in. Send in a post with that update. What? That payload as an update and you can see apogee ascending hate. You need to send an hmac for that request, which is again what we want. Let's try sending in that request with an invalid. Hmac the wrong hmac for this payload and you can see now apogee is saying, well, you sent in an H Mac, but it was the wrong HP. That each month did
not succeed. And here's the one where we didn't including hmac, here's a pudgy handling, the request where we did send an HVAC, but it was the wrong one. This is the actual correct. Hmac valued at apogee is expecting for this given payload. This is the value that I sent to let's send the correct value. Hmac equals that value and will send that same request again. With the correct value. And now apogee said, yep, that's good that post we've validated it. Apogee is validated the hmac past and then it proxies
to the Upstream. The option system did not have to concern itself with tokens or H. Max apogee is doing all that work for you, so I didn't show it here. But remember, you want to include time stamps in your age, Max to prevent replays. In the prior examples, the client used a client credentials, Grant type passing in the client ID and secret in the basic got header in order to get a token. How about using a JWT as an alternative instead of passing a client ID and secret, the token endpoint in a pudgy can require that the client
signs, the request for token, Using a cheap air provision just for this client and we can use as the signing mechanism. JWT that standard. So how we do that first? Get a g w t And I'll use this webpage to generate a signed JWT using the private key that is associated to this client. Let me grab that JWT and we'll set that as a shell variable. I want to open up the the JWT token dispensary. I'm going to turn on tracing there. And then we're going to send in a request for a token that passes that JW t.
So here's a new request for token passing in the JW. See that I just sent here's the grant type, it's at JWT bear Grant type and now I've got an opaque access token exchange for that signed assertion from the client and that will work just like a token issued with client credentials, Grant type. So that's going to work just as expected. What if we use a j wtid token to get as an exchange for an bear token to hear. This is a page that allows me to sign in using Google sign-in which is just an open ID, connect provider. And what that means is it
will issue an ID token to an app that allows a person to sign in. I've got a JW tea from Google, that's much bigger. It's got a lot more claims in it. You can see some of the claims here are decoded, the email address name a URL for my picture and so on. What if we use that to try to get a token? We we can do that here with a new different API proxy so this one rather than verifying self-signed to Jada BT from a client. It's going to verify that this is a
token issued by Google sign-in. You can use any open ID, connect provider, aqsa off zero as your Google sign in there, lots of other options. But any of them will have that seem kind of approach with the JW KS and point. So let me try now a painting, a token With with that jwtv, use a different endpoint, and sure enough. I'm getting now and access token in exchange for an ID token. That's a really nice capability in a pudgy and you can see the flow in a pudgy
allowing that verifying that request and issuing the token back and again that token will work just like any other token is to buy a pudgy. How about something? A little different? What if we want a pudgy to accept a JWT directly? So I've got a different API proxy on point for that. This one, accepts a JWT. And it just verifies that JWT again, this will be an ID token issued by Google, will turn on tracing for that API proxy. And invoke. You can see the API
proxy is now accepting the JWT as an input token and it's verifying that directly so no opaque token rather. It's the full ID token issue by Google sign in and it said you can use any open ID connect provider to allow that to happen. Last thing I want to show is what about if we want to protect the token dispensary and point with recaptcha and I've got another API proxy here that does that. So again this is a client credentials, token dispensary in apogee, but it protects
verify that we captured token. It does that here before issuing a client credentials, grant grant type token. So let's see this all work. I've got the pay running that and I'll just click this button. It's obtaining the token from recaptcha sending that along with the client credentials Grant into apogee. And you can see that apogee received that request and verified the token. Google replied with a response after that token, giving it a score of 0.9 which is sufficient. So the proxy
issues the token as it did in all those other cases. And that's it. I hope that gives you a good idea of some of the things that you can do with Apple G4, access security, message, security and conversation security. Okay, those demonstrations. I hope you an idea of some of the possibilities. The offers for securing your apis, securing access, securing the messages themselves and monitoring and securing patterns. Awesome. Thanks Tina. Great demo. Today we learn about different ways you can secure access, most commonly using token. You can secure your
Buy this talk
Buy this video
With ConferenceCast.tv, you get access to our library of the world's best conference talks.