Author Siriwardena, Prabath, author.

Title Advanced API security : securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE / Prabath Siriwardena. [O'Reilly electronic resource]

Publication Info. [Berkeley, CA] : Apress, 2014.
New York, NY : Distributed to the Book trade worldwide by Springer, [2014]
©2014
Description 1 online resource (xiv, 233 pages) : illustrations
text file PDF rda
Note Includes index.
Summary This book will guide you through the maze of options and share industry-leading best practices in designing APIs for rock-solid security. It will explain, in depth, how to secure APIs, from traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it. This book will: provide an in-depth tutorial on the most widely adopted security standards for API security; teach you how to compare and contrast different security standards/protocols to find out what suits your business needs best; show you how to expand business APIs to partners and outsiders with Identity Federation; give you hands-on experience in developing clients against the Facebook, Twitter, and Salesforce APIs; and give you an understanding of how to mitigate security threats. -- Edited summary from book.
Contents Machine generated contents note:
API Evolution -- API vs. Managed API -- API vs. Service -- Discovering and Describing APIs -- Managed APIs in Practice -- Twitter API -- Salesforce API -- Summary
Design Challenges -- User Comfort -- Design Principles -- Least Privilege -- Fail-Safe Defaults -- Economy of Mechanism -- Complete Mediation -- Open Design -- Separation of Privilege -- Least Common Mechanism -- Psychological Acceptability -- Confidentiality, Integrity, Availability (CIA) -- Confidentiality -- Integrity -- Availability -- Security Controls -- Authentication -- Authorization -- Nonrepudiation -- Auditing -- Security Patterns -- Direct Authentication Pattern -- Sealed Green Zone Pattern -- Least Common Mechanism Pattern -- Brokered Authentication Pattern -- Policy-Based Access Control Pattern -- Threat Modeling -- Summary
HTTP Basic Authentication -- HTTP Digest Authentication -- Summary
Evolution of TLS -- How TLS Works -- TLS Handshake -- Application Data Transfer -- Summary
Direct Delegation vs. Brokered Delegation -- Evolution of Identity Delegation -- Google ClientLogin -- Google AuthSub -- Flickr Authentication API -- Yahoo! Browser-Based Authentication (BBAuth) -- Summary
Token Dance -- Temporary-Credential Request Phase -- Resource-Owner Authorization Phase -- Token-Credential Request Phase -- Invoking a Secured Business API with OAuth 1.0 -- Demystifying oauth_signature -- Three-Legged OAuth vs. Two-Legged OAuth -- OAuth WRAP -- Summary
OAuth WRAP -- Client Account and Password Profile -- Assertion Profile -- Username and Password Profile -- Web App Profile -- Rich App Profile -- Accessing a WRAP-Protected API -- WRAP to OAuth 2.0 -- OAuth 2.0 Grant Types -- Authorization Code Grant Type -- Implicit Grant Type -- Resource Owner Password Credentials Grant Type -- Client Credentials Grant Type -- OAuth 2.0 Token Types -- OAuth 2.0 Bearer Token Profile -- OAuth 2.0 Client Types -- OAuth 2.0 and Facebook -- OAuth 2.0 and LinkedIn -- OAuth 2.0 and Salesforce -- OAuth 2.0 and Google -- Authentication vs. Authorization -- Summary
Bearer Token vs. MAC Token -- Obtaining a MAC Token -- Invoking an API Protected with the OAuth 2.0 MAC Token Profile -- Calculating the MAC -- MAC Validation by the Resource Server -- OAuth Grant Types and the MAC Token Profile -- OAuth 1.0 vs. OAuth 2.0 MAC Token Profile -- Summary
Token Introspection Profile -- XACML and OAuth Token Introspection -- Chain Grant Type Profile -- Dynamic Client Registration Profile -- Token Revocation Profile -- Summary
ProtectServe -- UMA and OAuth -- UMA Architecture -- UMA Phases -- UMA Phase 1: Protecting a Resource -- UMA Phase 2: Getting Authorization -- UMA Phase 3: Accessing the Protected Resource -- UMA APIs -- Protection API -- Authorization API -- Role of UMA in API Security -- Summary
Enabling Federation -- Brokered Authentication -- SAML 2.0 Profile for OAuth: Client Authentication -- SAML 2.0 Profile for OAuth: Grant Type -- JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants -- Summary
Brief History of OpenID Connect -- Understanding OpenID Connect -- Anatomy of the ID Token -- OpenID Connect Request -- Requesting User Attributes -- Grant Types for OpenID Connect -- Requesting Custom User Attributes -- OpenID Connect Discovery -- OpenID Connect Identity Provider Metadata -- OpenID Connect Dynamic Client Registration -- OpenID Connect for Securing APIs -- Summary
JSON Web Token -- JOSE Working Group -- JSON Web Signature -- Signature Algorithms -- Serialization -- JSON Web Encryption -- Content Encryption vs. Key Wrapping -- Serialization -- Summary
Direct Authentication with the Trusted Subsystem Pattern -- Single Sign-On with the Delegated Access Control Pattern -- Single Sign-On with the Integrated Windows Authentication Pattern -- Identity Proxy with the Delegated Access Control Pattern -- Delegated Access Control with the JSON Web Token Pattern -- Nonrepudiation with the JSON Web Signature Pattern -- Chained Access Delegation Pattern -- Trusted Master Access Delegation Pattern -- Resource Security Token Service (STS) with the Delegated Access Control Pattern -- Delegated Access Control with the Hidden Credentials Pattern -- Summary.
Language English.
Subject Application program interfaces (Computer software) -- Security measures.
Computer security.
Other Form: Printed edition: 9781430268185
ISBN 9781430268178 (electronic bk.)
1430268174 (electronic bk.)
Standard No. 10.1007/978-1-4302-6817-8 doi