Web API Authentication Protocols
Breno de Medeiros
Web-based applications often expose APIs that third-parties integrate with to provide added-value services, benefiting users, enhancing the application profile, and creating new business opportunities. While some of these APIs expose public data, many do expose proprietary or private data. Secure access to this data must then be mediated via delegated access protocols to establish that the 3rd party is authorized to access the non-public data. This talk will discuss some of the practical constraints unique to the web application environment that have motivated or constrained design decisions around authentication protocols for the web, and their implications for security. The talk will concentrate on open standard protocols, e.g., SAML, OpenID 2.0, and OAuth (1.0/1.0a/2.0). One security case study will be discussed in more detail: The session fixation attack discovered for OAuth 1.0, the corresponding fix introduced in OAuth 1.0a.