Thursday, December 12, 2013

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ?
When building a SOAP API you have WS-Security as a guide and much literature exists on the topic. I have found less information about securing REST endpoints.
While I understand REST intentionally does not have specifications analogous to WS-* I am hoping best practices or recommended patterns have emerged.
Any discussion or links to relevant documents would be very much appreciated. If it matters, we would be using WCF with POX/JSON serialized messages for our REST APIs/services built using v3.5 of the .NET Framework.

12 Answers

As tweakt said, Amazon S3 is a good model to work with. Their request signatures do have some features (such as incorporating a timestamp) that help guard against both accidental and malicious request replaying.
The nice thing about HTTP Basic is that virtually all HTTP libraries support it. You will, of course, need to require SSL in this case because sending plaintext passwords over the net is almost universally a bad thing. Basic is preferable to Digest when using SSL because even if the caller already knows that credentials are required, Digest requires an extra roundtrip to exchange the nonce value. With Basic, the caller simply sends the credentials the first time.
Once the identity of the client is established, authorization is really just an implementation problem. However, you could delegate the authorization to some other component with an existing authorization model. Again, the nice thing about Basic here is your server ends up with a plaintext copy of the client's password that you can simply pass on to another component within your infrastructure as needed.
As is mentioned here (…), Amazon S3 is apparently very similar to two-legged OAuth. It might be easier just to standardize on that. –  Will Sargent May 30 '11 at 21:59
@magallanes: Your advice is dangerous and ignorant. Using SSL is always a good idea. –  Greg Hewgill Mar 21 '12 at 21:46
SSL is an important part of security, but not all applications require that level of encryption. If someone steals in-transit what you are going to post publicly on Twitter, is that such a significant drawback? For the majority of APIs SSL encryption is going to be preferred. The infrastructure requirements of SSL are somewhat higher than with plaintext and no intermediate (read here edge-based) caching servers can participate in the caching of repeatedly accessed content. Beware, your scalability may suffer if you absolutely require the encryption offered. –  Norman H Jan 1 at 22:19
@NormanH: Your argument is specious, because if somebody can see the entire transaction that I use to post to Twitter, then they could therefore impersonate me and post their own messages under my name. –  Greg Hewgill Jan 2 at 0:51
@GregHewgill yes, I did consider that, however authentication tokens could be encrypted even though the entire channel is not SSL encrypted. –  Norman H Jan 2 at 18:11
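An added example, written for this page rather than taken from the answer or from Amazon's documentation, of the S3-style request signature the accepted answer refers to: the client signs method, path and Date header with an HMAC, and the server rejects unknown key ids, timestamps outside a replay window and signatures that do not verify. The key id, secret, `DEMO` scheme name and 15-minute window are constructed assumptions.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate, parsedate_to_datetime

# Constructed demo credentials (assumption): a real service issues these
# per client and keeps the secret out of source code.
KEY_ID = "DEMOKEY1"
SECRET = b"constructed-demo-secret-do-not-reuse"
SCHEME = "DEMO"                 # assumed Authorization scheme name
MAX_SKEW_SECONDS = 15 * 60      # replay window, modelled on S3's 15-minute rule

def canonical_string(method: str, path: str, date_header: str) -> str:
    # Only method, path and Date are signed here; a production scheme also
    # covers the body hash and any headers the server relies on.
    return f"{method}\n{path}\n{date_header}"

def compute_signature(secret: bytes, method: str, path: str, date_header: str) -> str:
    mac = hmac.new(secret, canonical_string(method, path, date_header).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method: str, path: str, now: int) -> dict:
    """Client side: build the Date and Authorization headers for a request."""
    date_header = formatdate(now, usegmt=True)   # RFC 1123, e.g. "Thu, 12 Dec 2013 12:00:00 GMT"
    sig = compute_signature(SECRET, method, path, date_header)
    return {"Date": date_header, "Authorization": f"{SCHEME} {KEY_ID}:{sig}"}

def verify_request(method: str, path: str, headers: dict, now: int, lookup_secret) -> tuple:
    """Server side: return (ok, reason). Rejects malformed headers, unknown
    key ids, timestamps outside the replay window and bad signatures."""
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        key_id, sig = rest.split(":", 1)
        sent = int(parsedate_to_datetime(headers["Date"]).timestamp())
    except (KeyError, ValueError, TypeError):
        return False, "malformed Authorization or Date header"
    if scheme != SCHEME:
        return False, "unknown scheme"
    secret = lookup_secret(key_id)      # caller supplies the key-store lookup
    if secret is None:
        return False, "unknown key id"
    if abs(now - sent) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, method, path, headers["Date"])
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"
```

The window only bounds how long a captured request stays valid; a server that must reject an exact replay inside the window also has to remember seen signatures or nonces for that period.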
There are no standards for REST other than HTTP. There are established REST services out there. I suggest you take a peek at them and get a feel for how they work.
For example, we borrowed a lot of ideas from Amazon's S3 REST service when developing our own. But we opted not to use the more advanced security model based on request signatures. The simpler approach is HTTP Basic auth over SSL. You have to decide what works best in your situation.
Also, I highly recommend the book RESTful Web Services from O'reilly. It explains the core concepts and does provide some best practices. You can generally take the model they provide and map it to your own application.
RESTful Web Services is definitely a great book. A must read in this area. It was downright inspiring. – EdgarVerona Jan 9 '09 at 21:34
How is it that @aehlke has received so many upvotes for that comment considering (1) there is no such thing as a REST specification and (2) the Fielding Dissertation on the Architectural Styles and the Design of Network-based Software Architectures explicitly mentions REST and HTTP in 6.3: REST Applied to HTTP. – Brian Reindel Apr 15 '12 at 0:37
HTTP is not a requirement for REST. –  nategood May 16 at 19:21
You may also want to take a look at OAuth, an emerging open protocol for token-based authorization specifically targeting HTTP APIs.
It is very similar to the approach taken by flickr and remember the milk "rest" apis (not necessarily good examples of restful apis, but good examples of the token-based approach).
But it seems that 2-legged OAuth, which I think is what is needed here, isn't covered (lack of info) as much as the 3-legged one. –  redben Nov 11 '10 at 0:04
OAuth is about delegation of authorization, i.e. I, the owner of the information / account, let service A interact with my data on service B (e.g. I let Twitter write on my Facebook). It's not authorization in the broader sense, which is about controlling what users can do on resources (data, information, services...). This is where XACML steps in. XACML lets you define authorization policies about who can do what. –  David Brossard Sep 24 at 22:15
Sorry, but when I see the word apis, I think of bees. –  TRiG Nov 18 at 3:20
I'm kind of surprised SSL with client certificates hasn't been mentioned yet. Granted, this approach is only really useful if you can count on the community of users being identified by certificates. But a number of governments/companies do issue them to their users. The user doesn't have to worry about creating yet another username/password combination, and the identity is established on each and every connection so communication with the server can be entirely stateless, no user sessions required. (Not to imply that any/all of the other solutions mentioned require sessions)
We actually do use this for some integrations as well as encrypted vpn tunnels to support older systems that we don't control that can not communicate over https. –  Casey Sep 5 '12 at 13:55
Client certs can make trouble when you need load balancing... it can be done, but it's less straight-forward. –  fiXedd Oct 15 '12 at 18:11
@fiXedd - The opposite has been my experience with client certs because they are truly stateless. Client cert authenticated connections can be load balanced with a dumb load balancer with no regard to connection stickiness because they require absolutely zero shared state between the client and server. –  stinkymatt Oct 15 '12 at 19:25
Oh, you can do it.... you can just have the load balancer forward the TCP traffic, but you can't, for instance, have the load balancer be the termination point for the SSL. –  fiXedd Oct 19 '12 at 16:12
One of the best posts I've ever come across regarding security as it relates to REST is over at 1 RainDrop. The MySpace APIs use OAuth also for security and you have full access to their custom channels in the RestChess code, which I did a lot of exploration with. This was demo'd at Mix and you can find the posting here.
Thanks for the link (1 RainDrop) - very interesting discussion of security as it relates to SOAP v REST – Nathan Oct 13 '08 at 23:07
I've used OAuth a few times, and also used some other methods (BASIC/DIGEST). I wholeheartedly suggest OAuth. The following link is the best tutorial I've seen on using OAuth:
You may also want to look at the NetFlix API documentation.
You should be able to use their services to get an idea of how it works pretty quickly.
Thanks for the excellent advice. We ended up using a custom HTTP header to pass an identity token from the client to the service, in preparation for integrating our RESTful API with the upcoming Zermatt Identity framework from Microsoft. I have described the problem here and our solution here. I also took tweakt's advice and bought RESTful Web Services - a very good book if you're building a RESTful API of any kind.
This approach sounds fishy to me. What prevents an attacker from using the identity token to masquerade the client? HTTPS doesn't protect the URL or headers the last time I checked... –  Gili Oct 3 '08 at 18:10
Hmmm...not sure you're right about that. I believe that except for the few headers required to understand what kind of encryption is required, all other headers are encrypted. –  Nathan Oct 29 '08 at 23:23
That is wrong. HTTPS protects EVERYTHING. It goes: TCP handshake... TLS handshake... GET /foo 200 OK... teardown. –  Mark Renouf Feb 4 '09 at 13:31
I also used custom headers to pass a token. –  Taras B Jan 25 '11 at 11:22
The Wayback Machine is a beautiful thing: problem description and solution –  cjc343 Oct 23 '12 at 20:03
I searched a lot about RESTful WS security and we also ended up using a token via cookie from client to server to authenticate the requests. I used Spring Security for authorization of requests in the service because I had to authenticate and authorize each request based on specified security policies that were already in the DB.
Everyone in these answers has overlooked true access control / authorization.
If for instance your REST APIs / web services are about POSTing / GETing medical records, you may want to define access control policies about who can access the data and under which circumstances. For instance:
  • doctors can GET the medical record of a patient they have a care relationship with
  • no one can POST medical data outside practice hours (e.g. 9 to 5)
  • end-users can GET medical records they own or medical records of patients for whom they are the guardian
  • nurses can UPDATE the medical record of a patient that belongs to the same unit as the nurse.
In order to define and implement those fine-grained authorizations, you will need to use an attribute-based access control language called XACML, the eXtensible Access Control Markup Language.
The other standards here are for the following:
  • OAuth: id. federation and delegation of authorization e.g. letting a service act on my behalf on another service (Facebook can post to my Twitter)
  • SAML: identity federation / web SSO. SAML is very much about who the user is.
  • WS-Security / WS-* standards: these focus on the communication between SOAP services. They are specific to the application-level messaging format (SOAP) and they deal with aspects of messaging e.g. reliability, security, confidentiality, integrity, atomicity, eventing... None cover access control and all are specific to SOAP.
XACML is technology-agnostic. It can be applied to Java apps, .NET, Python, Ruby... web services, REST APIs, and more.
The following are interesting resources:
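An added example, not from the answer and not XACML itself, that expresses the four medical-record rules listed above as attribute-based rules and combines them the way XACML's deny-overrides algorithm does; the attribute names (`role`, `care_for`, `guardians`, `unit`, `hour`) are constructed for the illustration, and a real deployment would write these as XACML policy XML and evaluate them in a policy decision point.

```python
# Subject, resource and environment attributes are plain dicts; the sample
# values used with it are constructed, not from any real system.
RULES = []  # list of (effect, predicate) pairs, filled in by the decorator below

def rule(effect):
    def register(pred):
        RULES.append((effect, pred))
        return pred
    return register

@rule("Deny")
def no_post_outside_practice_hours(subject, action, resource, env):
    # "no one can POST medical data outside practice hours (e.g. 9 to 5)"
    return action == "POST" and not 9 <= env["hour"] < 17

@rule("Permit")
def doctor_with_care_relationship(subject, action, resource, env):
    # "doctors can GET the medical record of a patient they have a care relationship with"
    return (subject["role"] == "doctor" and action == "GET"
            and resource["patient"] in subject.get("care_for", ()))

@rule("Permit")
def end_user_owner_or_guardian(subject, action, resource, env):
    # "end-users can GET medical records they own or ... for whom they are the guardian"
    return (subject["role"] == "end-user" and action == "GET"
            and (resource["owner"] == subject["id"]
                 or subject["id"] in resource.get("guardians", ())))

@rule("Permit")
def nurse_same_unit(subject, action, resource, env):
    # "nurses can UPDATE the medical record of a patient that belongs to the same unit"
    return (subject["role"] == "nurse" and action == "UPDATE"
            and resource["unit"] == subject.get("unit"))

def decide(subject, action, resource, env, rules=RULES):
    """Deny-overrides combining: any matching Deny wins, then any matching
    Permit, else NotApplicable. The enforcement point must treat
    NotApplicable as a refusal, so a POST during hours with no Permit rule
    is still refused."""
    effects = {effect for effect, pred in rules if pred(subject, action, resource, env)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"
```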