rest api security
TRANSCRIPT
![Page 1: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/1.jpg)
REST API Security
Les Hazlewood @lhazlewood
PMC Chair, Apache Shiro
Expert Group Member, JEE Application Security (JSR-375)
Founder & CTO, Stormpath
![Page 2: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/2.jpg)
About Stormpath
• User Management API for Developers
• Password security
• Authentication and Authorization
• LDAP & Active Directory Cloud Sync
• Instant-on, scalable, and highly available
• Free for developers
![Page 3: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/3.jpg)
Overview
• HTTP Authentication
• HTTP Authentication Schemes Comparison
• API Key Authentication
• Token Authentication
• Authorization
![Page 4: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/4.jpg)
REST API Focus
• Eliminate server state
• Secure user credentials
• Secure server endpoints
• Expose access control rules
• SPAs and Mobile: ‘Untrusted Clients’
Learn more at Stormpath.com
![Page 5: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/5.jpg)
HTTP(S) Authentication & Authorization
Learn more at Stormpath.com
![Page 6: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/6.jpg)
Authentication
Proving you are who you say you are.
Learn more at Stormpath.com
![Page 7: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/7.jpg)
Authorization
Ensuring someone is allowed to do what they
are trying to do.
Learn more at Stormpath.com
![Page 8: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/8.jpg)
HTTP Authentication & Authorization
• Authorization header
• No Custom Headers!
• Stay spec-standard
• No pre-flight CORS requests (browsers) req’d
• Custom schemes easily supported
Learn more at Stormpath.com
![Page 9: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/9.jpg)
Authorization header
How does it work?
Learn more at Stormpath.com
![Page 10: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/10.jpg)
Authorization header
How does it work?
Challenge Response protocol
Learn more at Stormpath.com
![Page 11: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/11.jpg)
1. Request
GET /admin HTTP/1.1
Learn more at Stormpath.com
![Page 12: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/12.jpg)
2. Challenge
HTTP/1.1 401 Unauthorized
WWW-Authenticate: scheme-name <stuff>
*multiple schemes allowed, typically set as multiple WWW-Authenticate headers
Learn more at Stormpath.com
![Page 13: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/13.jpg)
3. Re-Request
GET /admin HTTP/1.1
Authorization: scheme-name <stuff>
Learn more at Stormpath.com
![Page 14: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/14.jpg)
Example: HTTP Basic Authentication
Learn more at Stormpath.com
![Page 15: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/15.jpg)
1. Request (Basic)
GET /admin HTTP/1.1
Learn more at Stormpath.com
![Page 16: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/16.jpg)
2. Challenge (Basic)
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=“MyApp”
Learn more at Stormpath.com
![Page 17: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/17.jpg)
3. Re-Request (Basic)
GET /admin HTTP/1.1
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Learn more at Stormpath.com
![Page 18: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/18.jpg)
Schemes
• Basic
• Digest Schemes (OAuth 1.0a)
• Bearer Token Schemes (OAuth2)
• Custom
Learn more at Stormpath.com
![Page 19: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/19.jpg)
HTTP Basic
Learn more at Stormpath.com
![Page 20: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/20.jpg)
HTTP Basic
String value = username + ‘:’ + raw_password
String schemeValue = base64_encode(value)
...
GET /admin HTTP/1.1
Authorization: Basic schemeValue
Learn more at Stormpath.com
![Page 21: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/21.jpg)
HTTP Basic
Pros:
• Very easy to use
• Supported by everything
Cons:
• Raw password always transmitted
• Easy to leak raw password if not careful (logging)
• Susceptible to Man-In-The-Middle attacks
• HTTPS *always* required
• Client must constantly retain/reference the raw password (server clients usually ok, browser clients not ok)
Learn more at Stormpath.com
![Page 22: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/22.jpg)
Digest Schemes
Learn more at Stormpath.com
![Page 23: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/23.jpg)
Digest Schemes: Client
request.headers[‘Client-Id’] = getMyId()
String digest = hmacSha256(request, password)
String val = ‘Foo ‘ + digest
request.headers[‘Authorization’] = val
send(request)
Learn more at Stormpath.com
![Page 24: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/24.jpg)
Digest Schemes: Server
String clientId = request.headers[‘Client-Id’]
byte[] password = lookupPassword(clientId);
String serverComputedDigest =
hmacSha256(request, password)
String val = request.headers[‘Authorization’]
String clientSpecifiedDigest = val.remove(‘Foo ‘)
if (clientSpecifiedDigest != serverComputedDigest) {
sendError(401, response)
return
}
//otherwise request is authenticated
Learn more at Stormpath.com
![Page 25: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/25.jpg)
Digest Schemes: OAuth 1.0a example
Authorization: OAuth realm="http://sp.example.com/",
oauth_consumer_key="0685bd9184jfhq22”,
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176”
Learn more at Stormpath.com
![Page 26: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/26.jpg)
Digest Schemes
Pros:
• Probably most secure
• Password never sent over the wire
• HTTPS not required (but your data may still require HTTPS)
• Can guarantee end-to-end HTTP message authenticity(HTTPS cannot do this)
• Not susceptible to Man-In-The-Middle attacks
Cons:
• Very difficult to design safely
• Difficult to understand and use
• Difficult to implement libraries
• Client still must retain a constant reference to the password(server clients usually ok, browser clients not ok)
Learn more at Stormpath.com
![Page 27: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/27.jpg)
Bearer Token Schemes
Learn more at Stormpath.com
![Page 28: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/28.jpg)
Bearer Token Schemes
Authorization: Bearer opaque-token
Learn more at Stormpath.com
![Page 29: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/29.jpg)
Bearer Token Schemes
• opaque-token can be whatever you want*
• *should always be cryptographically-signed
and expire
Learn more at Stormpath.com
![Page 30: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/30.jpg)
Bearer Token Schemes: OAuth 2 Example
Authorization: Bearer eyJ0eXAiOiJKV
1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3M
iOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzOD
AsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc
19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-
92K27uhbUJU1p1r_wW1gFWFOEjXk
Learn more at Stormpath.com
![Page 31: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/31.jpg)
Bearer Token Schemes
Pros:
• Easier to use than digest
• De-facto standard token format (JWT)
• Can contain state – no server sessions needed
• Does not require constant access to the user password
Cons:
• HTTPS always required, during and always after login (not a big deal nowadays)
• Cannot guarantee end-to-end HTTP message authenticity (like digest schemes can)
• Susceptible to Man-In-The-Middle attacks
• Token creation and renewal workflows can be very complicated and confusing depending on use case (OAuth2 confuses many people).
• When used for Browser or Mobile, additional security still required (Origin checks, CSRF-protection, etc)
• Token content is not standard – applications can open themselves to attack
Learn more at Stormpath.com
![Page 32: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/32.jpg)
Custom Scheme
Learn more at Stormpath.com
![Page 33: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/33.jpg)
Custom Scheme
• Only if you really, Really, REALLY know what
you’re doing.
Seriously.
No, rly. Srsly.
• Non-standard, so you essentially must
provide your own client libraries.
Learn more at Stormpath.com
![Page 34: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/34.jpg)
Custom Scheme
• Stormpath has a custom SAUTHC1 digest scheme
• Authenticates the entire HTTP Message, including the Body (OAuth 1.0a does not)
• Uses nonces to prevent replay attacks
• Uses key derivation algorithms and HMAC-SHA-256
• We use it for our own SDKs*
• If you’re curious:
https://github.com/stormpath
(search for ‘sauthc1’ in any stormpath-sdk-* project)
*Basic still supported for non-SDK clients or ‘weird’ environments
Learn more at Stormpath.com
![Page 35: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/35.jpg)
API Key Authentication
Learn more at Stormpath.com
![Page 36: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/36.jpg)
API Key Example
ID : YLNVXG091ZO1BSANZ5U6DCTIX
Secret:
ZediwUeDCNl13ldjaFKFQzz0eD13PO931DLAopdeywixaeUAhsip+92iaY
Learn more at Stormpath.com
![Page 37: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/37.jpg)
API Keys
• Entropy
• Password Independent
• Scope
• Speed
• Limited Exposure
• Traceability
Learn more at Stormpath.com
![Page 38: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/38.jpg)
API Keys
• Can be thought of as a really long username and password pair.
• Can be used with any HTTP Authentication Scheme that accepts a username and password: Basic, Digest, OAuth2, etc.
• Almost exclusively used for server-to-server communication.
• Never embed API Key secrets in untrusted clients like JavaScript or mobile applications.
Learn more at Stormpath.com
![Page 39: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/39.jpg)
HTTP Basic with API Key
String value = apiKeyId + ‘:’ + apiKeySecret
String schemeValue = base64_encode(value)
...
GET /admin HTTP/1.1
Authorization: Basic schemeValue
Learn more at Stormpath.com
![Page 40: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/40.jpg)
Token Authentication
Learn more at Stormpath.com
![Page 41: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/41.jpg)
Why not just use Session IDs?
Learn more at Stormpath.com
![Page 42: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/42.jpg)
Session ID Problems
• They’re opaque and have no meaning
themselves (they’re just ‘pointers’).
• Service-oriented architectures might need a
centralized ID de-referencing service
Learn more at Stormpath.com
![Page 43: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/43.jpg)
Session ID Problems
• Opaque IDs mean clients can’t inspect them
and find out what it is allowed to do or not - it
needs to make more requests for this
information.
• Susceptible to CSRF attacks
Learn more at Stormpath.com
![Page 44: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/44.jpg)
Session ID Problems
• Sessions = Server State!
• You need to store that state somewhere
• Session ID look up server state on *every
request*.
• Really not good for distributed/clustered apps
• Really not good for scale
Learn more at Stormpath.com
![Page 45: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/45.jpg)
Token Authentication to the rescue!
Learn more at Stormpath.com
![Page 46: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/46.jpg)
How do you get a Token?
Learn more at Stormpath.com
![Page 47: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/47.jpg)
Example: your SPA, your server
Learn more at Stormpath.com
![Page 48: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/48.jpg)
1. Token Request
POST /token HTTP/1.1
Origin: https://foo.com
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=username&password=
password
*Assert allowed origin for browser-based apps
Learn more at Stormpath.com
![Page 49: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/49.jpg)
2. Token Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
“token_type":"example",
“expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value”
}
Learn more at Stormpath.com
![Page 50: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/50.jpg)
3. Resource Request
GET /admin HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
Learn more at Stormpath.com
![Page 51: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/51.jpg)
Example: Token Request using an API Key
POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=apiKeyId&cli
ent_secret=apiKeySecret
*Assert allowed origin for browser-based apps
Learn more at Stormpath.com
![Page 52: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/52.jpg)
How does the server create a Token?
Learn more at Stormpath.com
![Page 53: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/53.jpg)
JSON Web Tokens (JWT)
• A URL-safe, compact, self-contained string with
meaningful information that is usually digitally
signed or encrypted.
• The string is ‘opaque’ and can be used as a
‘token’.
• Many OAuth2 implementations use JWTs as
OAuth2 Access Tokens.
Learn more at Stormpath.com
![Page 54: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/54.jpg)
JSON Web Tokens (JWT)
• You can store them in cookies! But all those
cookie security rules still apply (CSRF
protection, etc).
• You can entirely replace your session ID with
a JWT.
Learn more at Stormpath.com
![Page 55: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/55.jpg)
JSON Web Tokens (JWT)
In the wild they look like just another ugly string:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEjXk
Learn more at Stormpath.com
![Page 56: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/56.jpg)
JSON Web Tokens (JWT)
But they do have a three part structure. Each
part is a Base64-encoded string:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEjXk
Header
Body (‘Claims’)
Cryptographic Signature
Learn more at Stormpath.com
![Page 57: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/57.jpg)
JSON Web Tokens (JWT)
Base64-decode the parts to find the juicy bits:
{"typ":"JWT","alg":"HS256"
}
{"iss”:”http://trustyapp.com/”,"exp": 1300819380,“sub”: ”users/8983462”,“scope”: “self api/buy”
}
tß´—™à%O˜v+nî…SZu¯µ€U…8H×
Header
Body (‘Claims’)
Cryptographic Signature
Learn more at Stormpath.com
![Page 58: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/58.jpg)
JSON Web Tokens (JWT)
The claims body is the best part! It can tell:
{
"iss”:”http://trustyapp.com/”,
"exp": 1300819380,
“sub”: ”users/8983462”,
“scope”: “self api/buy”
}
Who issued the token
Learn more at Stormpath.com
![Page 59: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/59.jpg)
JSON Web Tokens (JWT)
The claims body is the best part! It can tell:
{
"iss”:”http://trustyapp.com/”,
"exp": 1300819380,
“sub”: ”users/8983462”,
“scope”: “self api/buy”
}
Who issued the token
When it expires
Learn more at Stormpath.com
![Page 60: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/60.jpg)
JSON Web Tokens (JWT)
The claims body is the best part! It can tell:
{
"iss”:”http://trustyapp.com/”,
"exp": 1300819380,
“sub”: ”users/8983462”,
“scope”: “self api/buy”
}
Who issued the token
When it expires
Who it represents
Learn more at Stormpath.com
![Page 61: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/61.jpg)
JSON Web Tokens (JWT)
The claims body is the best part! It can tell:
{
"iss”:”http://trustyapp.com/”,
"exp": 1300819380,
“sub”: ”users/8983462”,
“scope”: “self api/buy”
}
Who issued the token
When it expires
Who it represents
What they can do
Learn more at Stormpath.com
![Page 62: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/62.jpg)
JSON Web Tokens (JWT)
Great! Why is this useful?
• Implicitly trusted because it is cryptographically
signed (verified not tampered).
• It is structured, enabling inter-op between
services
• It can inform your client about basic access
control rules (permissions)*
• And the big one: statelessness!*servers must always enforce access control policies
Learn more at Stormpath.com
![Page 63: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/63.jpg)
JSON Web Tokens (JWT)
So, what’s the catch?
• Implicit trust is a tradeoff – how long
should the token be good for? how will you
revoke it? (Another talk: refresh tokens)
• You still have to secure your cookies!
• You have to be mindful of what you store in
the JWT if they are not encrypted. No
sensitive info!
Learn more at Stormpath.com
![Page 64: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/64.jpg)
Authorization
Learn more at Stormpath.com
![Page 65: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/65.jpg)
Authorization
• JWT Claims can have whatever you want
• Use a scope field that contains a list of
permissions for that user
• Client can inspect the claims and scope and turn
on or off features based on permissions*
• *Server must always assert permissions
Learn more at Stormpath.com
![Page 66: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/66.jpg)
In addition to user authentication and data security, Stormpath can handle authentication and authorization for your API, SPA or mobile app.
• API Authentication
• API Key Management
• Authorization
• Token Based Authentication
• OAuth
• JWTs
http://docs.stormpath.com/guides/api-key-management/
Implementations in your Library of choice:
https://docs.stormpath.com/home/
Use Stormpath for API
Authentication & Security
Learn more at Stormpath.com
![Page 67: Rest API Security](https://reader036.vdocuments.mx/reader036/viewer/2022082218/55a791911a28ab3a478b47d7/html5/thumbnails/67.jpg)
Follow Us on Twitter
@lhazlewood @goStormpath
Learn more at Stormpath.com