Understanding API Security
Justin Richer and Antonio Sanso
  • February 2017
  • ISBN 9781617294327
  • 205 pages

Gone are the days when it was acceptable for a piece of software to live in its own little silo, disconnected from the outside world. Today, services are expected to be available for programming, mixing, and building into new applications. The web-based Application Programming Interface, or API, is how services make themselves available in this dynamic world. By exposing an API, a service can find new life and utility far beyond what its core functionality was originally designed for. But these APIs need to be secured and protected in order to be truly useful. An API that's simply left open to everyone, with no security controls, cannot be used to protect personalized or sensitive information, which severely limits its usefulness.

The OAuth delegation and authorization protocol is one of the most popular standards for API security today. Understanding API Security is a selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.

Table of Contents


Part 1: The OAuth Dance

2 The OAuth Dance

2.1 Overview of the OAuth 2.0 protocol: getting and using tokens

2.2 Following an OAuth authorization grant in detail

2.3 OAuth’s actors: clients, authorization servers, resource owners, and protected resources

2.4 OAuth Components: Tokens, scopes, and authorization grants

2.4.1 Access tokens

2.4.2 Scopes

2.4.3 Refresh tokens

2.4.4 Authorization grants

2.5 Interactions between OAuth’s actors and components: back channel, front channel, and endpoints

2.5.1 Back-channel Communication

2.5.2 Front-channel Communication

2.6 Summary


Part 2: Working with Web APIs

2 Working with web APIs

2.1 HTTP basics

2.1.1 HTTP request

2.1.2 HTTP response

2.1.3 HTTP interactions

2.2 The Toppings API

2.3 Designing the API

2.4 Using a web API

2.4.1 Browser

2.4.2 Command line (curl)

2.4.3 HTTP sniffers

2.5 Interaction between the API and client

2.6 Install your own API and front end

2.6.1 Installing the system via Docker

2.6.2 Installing the system via Git

2.6.3 Exploring the code

2.7 Summary


Part 3: Communicating with the Server

7 Communicating with the server

7.1 Understanding the project requirements

7.2 Exploring the communication process

7.2.1 Choosing a data type

7.2.2 Using a supported HTTP request method

7.2.3 Converting the data

7.3 Using MV* frameworks

7.3.1 Generating requests

7.3.2 Processing results with callbacks

7.3.3 Processing results with promises

7.3.4 Promise error handling

7.4 Consuming RESTful web services

7.4.1 What is REST?

7.4.2 REST principles

7.4.3 How MV* frameworks help us be RESTful

7.5 Project details

7.5.1 Configuring REST calls

7.5.2 Adding product items to the cart

7.5.3 Viewing the cart

7.5.4 Updating the cart

7.5.5 Removing products from the cart

7.6 Chapter challenge

7.7 Summary


Part 4: Sharing and Securing Web Things

9 Share: Securing and sharing web Things

9.1 Securing Things

9.1.1 Encryption 101

9.1.2 Web security with TLS: the S of HTTPS!

9.1.3 Enabling HTTPS and WSS with TLS on your Pi

9.2 Authentication and access control

9.2.1 Access control with REST and API tokens

9.2.2 OAuth: a web authorization framework

9.3 The Social Web of Things

9.3.1 A Social Web of Things authentication proxy

9.3.2 Implementing a Social WoT authentication proxy

9.4 Beyond the book

9.5 Summary


Part 5: What Is Amazon Web Services?

1 What Is Amazon Web Services?

1.1 What is cloud computing?

1.2 What can you do with AWS?

1.2.1 Hosting a web shop

1.2.2 Running a Java EE application in your private network

1.2.4 Implementing a fault-tolerant system architecture

1.3 How you can benefit from using AWS

1.3.1 Innovative and fast-growing platform

1.3.2 Services solve common problems

1.3.3 Enabling automation

1.3.4 Flexible capacity (scalability)

1.3.5 Built for failure (reliability)

1.3.6 Reducing time to market

1.3.7 Benefiting from economies of scale

1.3.8 Worldwide

1.3.9 Professional partner

1.4 How much does it cost?

1.4.1 Free Tier

1.4.2 Billing example

1.4.3 Pay-per-use opportunities

1.5 Comparing alternatives

1.6 Exploring AWS services

1.7 Interacting with AWS

1.7.1 Management Console

1.7.2 Command-line interface

1.7.3 SDKs

1.7.4 Blueprints

1.8 Creating an AWS account

1.8.1 Signing up

1.8.2 Signing In

1.8.3 Creating a key pair

1.8.4 Creating a billing alarm

1.9 Summary


Part 6: Implementing Security as a Service

8 Implementing security as a service

8.1 Security as a service

8.1.1 Is a security service technically feasible?

8.1.2 Standards for implementing security as a service

8.2 Analyzing possible uses of a security service

8.2.1 Use case 1: Destination endpoint invokes security service out-of-band

8.2.2 Use case 2: Source endpoint invokes security service out-of-band

8.2.3 Use case 3: Both endpoints invoke security service out-of-band

8.2.4 Use case 4: Security service as an explicit intermediary

8.2.5 Use case 5: Security service as an implicit intermediary

8.3 Conveying the findings of a security service: SAML

8.3.1 SAML assertion basics

8.3.2 AuthenticationStatement: Asserting authentication results

8.3.3 AttributeStatement: Asserting user attributes

8.3.4 AuthorizationDecisionStatement: Asserting authorization decisions

8.4 Example implementation using OpenSAML

8.4.1 Client-side implementation

8.4.2 Security service implementation

8.4.3 Server-side implementation

8.5 Standards for security service interfaces

8.5.1 WS-Trust

8.5.2 SAML protocol

8.6 Summary

8.7 Suggestions for further reading



About the authors

Justin Richer and Antonio Sanso, authors of OAuth 2 in Action, introduce you to topics including understanding OAuth, working with web APIs, communicating with servers, security in the AWS cloud, and implementing security as a service. Plus, you'll get a sample of some other Manning books you may want to add to your library.

eBook: $0.00 (PDF only)
