Advanced API Security: OAuth 2.0 and Beyond
| Author / Creator: | Siriwardena, Prabath. |
|---|---|
| Edition: | 2nd ed. |
| Imprint: | Berkeley, CA : Apress L.P., 2020. |
| Description: | 1 online resource (455 pages) |
| Language: | English |
| Format: | E-Resource Book |
| URL for this record: | http://pi.lib.uchicago.edu/1001/cat/bib/12602962 |
Table of Contents:
- Intro
- Table of Contents
- About the Author
- Acknowledgments
- Introduction
- Chapter 1: APIs Rule!
  - API Economy
  - Amazon
  - Salesforce
  - Uber
  - Netflix
  - Walgreens
  - Governments
  - IBM Watson
  - Open Banking
  - Healthcare
  - Wearables
  - Business Models
  - The API Evolution
  - API Management
  - The Role of APIs in Microservices
  - Summary
- Chapter 2: Designing Security for APIs
  - Trinity of Trouble
  - Design Challenges
  - User Experience
  - Performance
  - Weakest Link
  - Defense in Depth
  - Insider Attacks
  - Security by Obscurity
  - Design Principles
  - Least Privilege
  - Fail-Safe Defaults
  - Economy of Mechanism
  - Complete Mediation
  - Open Design
  - Separation of Privilege
  - Least Common Mechanism
  - Psychological Acceptability
  - Security Triad
  - Confidentiality
  - Integrity
  - Availability
  - Security Control
  - Authentication
  - Something You Know
  - Something You Have
  - Something You Are
  - Authorization
  - Nonrepudiation
  - Auditing
  - Summary
- Chapter 3: Securing APIs with Transport Layer Security (TLS)
  - Setting Up the Environment
  - Deploying Order API
  - Securing Order API with Transport Layer Security (TLS)
  - Protecting Order API with Mutual TLS
  - Running OpenSSL on Docker
  - Summary
- Chapter 4: OAuth 2.0 Fundamentals
  - Understanding OAuth 2.0
  - OAuth 2.0 Actors
  - Grant Types
  - Authorization Code Grant Type
  - Implicit Grant Type
  - Resource Owner Password Credentials Grant Type
  - Client Credentials Grant Type
  - Refresh Grant Type
  - How to Pick the Right Grant Type?
  - OAuth 2.0 Token Types
  - OAuth 2.0 Bearer Token Profile
  - OAuth 2.0 Client Types
  - JWT Secured Authorization Request (JAR)
  - Pushed Authorization Requests (PAR)
  - Summary
- Chapter 5: Edge Security with an API Gateway
  - Setting Up Zuul API Gateway
  - Running the Order API
  - Running the Zuul API Gateway
  - What Happens Underneath?
  - Enabling TLS for the Zuul API Gateway
  - Enforcing OAuth 2.0 Token Validation at the Zuul API Gateway
  - Setting Up an OAuth 2.0 Security Token Service (STS)
  - Testing OAuth 2.0 Security Token Service (STS)
  - Setting Up Zuul API Gateway for OAuth 2.0 Token Validation
  - Enabling Mutual TLS Between Zuul API Gateway and Order Service
  - Securing Order API with Self-Contained Access Tokens
  - Setting Up an Authorization Server to Issue JWT
  - Protecting Zuul API Gateway with JWT
  - The Role of a Web Application Firewall (WAF)
  - Summary
- Chapter 6: OpenID Connect (OIDC)
  - From OpenID to OIDC
  - Amazon Still Uses OpenID 2.0
  - Understanding OpenID Connect
  - Anatomy of the ID Token
  - OpenID Connect Request
  - Requesting User Attributes
  - OpenID Connect Flows
  - Requesting Custom User Attributes
  - OpenID Connect Discovery
  - OpenID Connect Identity Provider Metadata
  - Dynamic Client Registration
  - OpenID Connect for Securing APIs
  - Summary
- Chapter 7: Message-Level Security with JSON Web Signature
  - Understanding JSON Web Token (JWT)
  - JOSE Header