
Advanced API security: securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE

This book guides you through the maze of options and shares industry-leading best practices for designing APIs with rock-solid security. It explains, in depth, how to secure APIs, from traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it. This book will: provide a...


Bibliographic Details
Classification: Electronic Book
Main Author: Siriwardena, Prabath (Author)
Format: Electronic eBook
Language: English
Published: [Berkeley, CA] : Apress, 2014.
Subjects:
Online Access: Full text (requires prior registration with an institutional e-mail address)
Table of Contents:
  • Machine generated contents note: API Evolution
  • API vs. Managed API
  • API vs. Service
  • Discovering and Describing APIs
  • Managed APIs in Practice
  • Twitter API
  • Salesforce API
  • Summary
  • Design Challenges
  • User Comfort
  • Design Principles
  • Least Privilege
  • Fail-Safe Defaults
  • Economy of Mechanism
  • Complete Mediation
  • Open Design
  • Separation of Privilege
  • Least Common Mechanism
  • Psychological Acceptability
  • Confidentiality, Integrity, Availability (CIA)
  • Confidentiality
  • Integrity
  • Availability
  • Security Controls
  • Authentication
  • Authorization
  • Nonrepudiation
  • Auditing
  • Security Patterns
  • Direct Authentication Pattern
  • Sealed Green Zone Pattern
  • Least Common Mechanism Pattern
  • Brokered Authentication Pattern
  • Policy-Based Access Control Pattern
  • Threat Modeling
  • Summary
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • Summary
  • Evolution of TLS
  • How TLS Works
  • TLS Handshake
  • Application Data Transfer
  • Summary
  • Direct Delegation vs. Brokered Delegation
  • Evolution of Identity Delegation
  • Google ClientLogin
  • Google AuthSub
  • Flickr Authentication API
  • Yahoo! Browser-Based Authentication (BBAuth)
  • Summary
  • Token Dance
  • Temporary-Credential Request Phase
  • Resource-Owner Authorization Phase
  • Token-Credential Request Phase
  • Invoking a Secured Business API with OAuth 1.0
  • Demystifying oauth_signature
  • Three-Legged OAuth vs. Two-Legged OAuth
  • OAuth WRAP
  • Summary
  • OAuth WRAP
  • Client Account and Password Profile
  • Assertion Profile
  • Username and Password Profile
  • Web App Profile
  • Rich App Profile
  • Accessing a WRAP-Protected API
  • WRAP to OAuth 2.0
  • OAuth 2.0 Grant Types
  • Authorization Code Grant Type
  • Implicit Grant Type
  • Resource Owner Password Credentials Grant Type
  • Client Credentials Grant Type
  • OAuth 2.0 Token Types
  • OAuth 2.0 Bearer Token Profile
  • OAuth 2.0 Client Types
  • OAuth 2.0 and Facebook
  • OAuth 2.0 and LinkedIn
  • OAuth 2.0 and Salesforce
  • OAuth 2.0 and Google
  • Authentication vs. Authorization
  • Summary
  • Bearer Token vs. MAC Token
  • Obtaining a MAC Token
  • Invoking an API Protected with the OAuth 2.0 MAC Token Profile
  • Calculating the MAC
  • MAC Validation by the Resource Server
  • OAuth Grant Types and the MAC Token Profile
  • OAuth 1.0 vs. OAuth 2.0 MAC Token Profile
  • Summary
  • Token Introspection Profile
  • XACML and OAuth Token Introspection
  • Chain Grant Type Profile
  • Dynamic Client Registration Profile
  • Token Revocation Profile
  • Summary
  • ProtectServe
  • UMA and OAuth
  • UMA Architecture
  • UMA Phases
  • UMA Phase 1: Protecting a Resource
  • UMA Phase 2: Getting Authorization
  • UMA Phase 3: Accessing the Protected Resource
  • UMA APIs
  • Protection API
  • Authorization API
  • Role of UMA in API Security
  • Summary
  • Enabling Federation
  • Brokered Authentication
  • SAML 2.0 Profile for OAuth: Client Authentication
  • SAML 2.0 Profile for OAuth: Grant Type
  • JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • Summary
  • Brief History of OpenID Connect
  • Understanding OpenID Connect
  • Anatomy of the ID Token
  • OpenID Connect Request
  • Requesting User Attributes
  • Grant Types for OpenID Connect
  • Requesting Custom User Attributes
  • OpenID Connect Discovery
  • OpenID Connect Identity Provider Metadata
  • OpenID Connect Dynamic Client Registration
  • OpenID Connect for Securing APIs
  • Summary
  • JSON Web Token
  • JOSE Working Group
  • JSON Web Signature
  • Signature Algorithms
  • Serialization
  • JSON Web Encryption
  • Content Encryption vs. Key Wrapping
  • Serialization
  • Summary
  • Direct Authentication with the Trusted Subsystem Pattern
  • Single Sign-On with the Delegated Access Control Pattern
  • Single Sign-On with the Integrated Windows Authentication Pattern
  • Identity Proxy with the Delegated Access Control Pattern
  • Delegated Access Control with the JSON Web Token Pattern
  • Nonrepudiation with the JSON Web Signature Pattern
  • Chained Access Delegation Pattern
  • Trusted Master Access Delegation Pattern
  • Resource Security Token Service (STS) with the Delegated Access Control Pattern
  • Delegated Access Control with the Hidden Credentials Pattern
  • Summary