Intro
Table of Contents
About the Author
Acknowledgments
Introduction

Chapter 1: APIs Rule!
  API Economy
  Amazon
  Salesforce
  Uber
  Facebook
  Netflix
  Walgreens
  Governments
  IBM Watson
  Open Banking
  Healthcare
  Wearables
  Business Models
  The API Evolution
  API Management
  The Role of APIs in Microservices
  Summary

Chapter 2: Designing Security for APIs
  Trinity of Trouble
  Design Challenges
  User Experience
  Performance
  Weakest Link
  Defense in Depth
  Insider Attacks
  Security by Obscurity
  Design Principles
  Least Privilege
  Fail-Safe Defaults
  Economy of Mechanism
  Complete Mediation
  Open Design
  Separation of Privilege
  Least Common Mechanism
  Psychological Acceptability
  Security Triad
  Confidentiality
  Integrity
  Availability
  Security Control
  Authentication
  Something You Know
  Something You Have
  Something You Are
  Authorization
  Nonrepudiation
  Auditing
  Summary

Chapter 3: Securing APIs with Transport Layer Security (TLS)
  Setting Up the Environment
  Deploying Order API
  Securing Order API with Transport Layer Security (TLS)
  Protecting Order API with Mutual TLS
  Running OpenSSL on Docker
  Summary

Chapter 4: OAuth 2.0 Fundamentals
  Understanding OAuth 2.0
  OAuth 2.0 Actors
  Grant Types
  Authorization Code Grant Type
  Implicit Grant Type
  Resource Owner Password Credentials Grant Type
  Client Credentials Grant Type
  Refresh Grant Type
  How to Pick the Right Grant Type?
  OAuth 2.0 Token Types
  OAuth 2.0 Bearer Token Profile
  OAuth 2.0 Client Types
  JWT Secured Authorization Request (JAR)
  Pushed Authorization Requests (PAR)
  Summary

Chapter 5: Edge Security with an API Gateway
  Setting Up Zuul API Gateway
  Running the Order API
  Running the Zuul API Gateway
  What Happens Underneath?
  Enabling TLS for the Zuul API Gateway
  Enforcing OAuth 2.0 Token Validation at the Zuul API Gateway
  Setting Up an OAuth 2.0 Security Token Service (STS)
  Testing OAuth 2.0 Security Token Service (STS)
  Setting Up Zuul API Gateway for OAuth 2.0 Token Validation
  Enabling Mutual TLS Between Zuul API Gateway and Order Service
  Securing Order API with Self-Contained Access Tokens
  Setting Up an Authorization Server to Issue JWT
  Protecting Zuul API Gateway with JWT
  The Role of a Web Application Firewall (WAF)
  Summary

Chapter 6: OpenID Connect (OIDC)
  From OpenID to OIDC
  Amazon Still Uses OpenID 2.0
  Understanding OpenID Connect
  Anatomy of the ID Token
  OpenID Connect Request
  Requesting User Attributes
  OpenID Connect Flows
  Requesting Custom User Attributes
  OpenID Connect Discovery
  OpenID Connect Identity Provider Metadata
  Dynamic Client Registration
  OpenID Connect for Securing APIs
  Summary

Chapter 7: Message-Level Security with JSON Web Signature
  Understanding JSON Web Token (JWT)
  JOSE Header
Prepare for the next wave of challenges in enterprise security. Learn to better protect, monitor, and manage your public and private APIs. Enterprise APIs have become the common way of exposing business functions to the outside world. Exposing functionality is convenient, but it naturally comes with a risk of exploitation. This book teaches you about TLS Token Binding, User Managed Access (UMA) 2.0, Cross-Origin Resource Sharing (CORS), Incremental Authorization, Proof Key for Code Exchange (PKCE), and Token Exchange. Benefit from lessons learned from analyzing multiple attacks that exploited security vulnerabilities in various OAuth 2.0 implementations. Explore their root causes, and improve your security practices to mitigate similar future exploits. Security must be an integral part of any development project. This book shares best practices in designing APIs for rock-solid security. API security has evolved since the first edition of this book, and the growth of standards has been exponential. OAuth 2.0 is the most widely adopted framework used as the foundation for those standards, and this book shows you how to apply OAuth 2.0 to your own situation in order to secure and protect your enterprise APIs from exploitation and attack.

You will:
- Securely design, develop, and deploy enterprise APIs
- Pick security standards and protocols to match business needs
- Mitigate security exploits by understanding the OAuth 2.0 threat landscape
- Federate identities to expand business APIs beyond the corporate firewall
- Protect microservices at the edge by securing their APIs
- Develop native mobile applications to access APIs securely
- Integrate applications with SaaS APIs protected with OAuth 2.0