1 / 19

Securing RESTful Payment APIs Using OAuth 2

Audio from this session is available at https://archive.org/details/rest_apis_with_oauth2 Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

jcleblanc
Download Presentation

Securing RESTful Payment APIs Using OAuth 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing RESTful Payment APIs Using OAuth 2 Jonathan LeBlanc Principal Developer Evangelist (PayPal) Github: http://github.com/jcleblanc Twitter: @jcleblanc

  2. The Ultimate Decision Security Usability

  3. What a RESTful API isn’t Our API is RESTful, we support GET, PUT, POST, and DELETE requests No…actually you just support HTTP…like the rest of the web.

  4. What a RESTful API is Honor HTTP request verbs Use proper HTTP status codes No version numbering in URIs Return format via HTTP Accept header Double Rainbow: Discovery via HATEOAS

  5. Does Anyone Actually Do That? Very few APIs follow pragmatic REST principles

  6. "links": [{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y", "rel": "self", "method": "GET" },{ "href": "https://www.sandbox.paypal.com/webscr? cmd=_express-checkout&token=EC-6019609", "rel": "approval_url", "method": "REDIRECT" },{ "href": "https://api.sandbox.paypal.com/v1/payments/ payment/PAY-6RV75EKEYSZ6Y/execute", "rel": "execute", "method": "POST" } ]

  7. When You Need Access Security

  8. A Few Different Flavors of Usage User login (authentication) User Involvement (authorization) Application only (bearer tokens)

  9. Our App Usage: Bearer Tokens

  10. Making Your Definitions <?php define("CLIENT_ID", "YOUR CLIENT ID"); define("CLIENT_SECRET", "YOUR CLIENT SECRET"); define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/"); define("URI_LIVE", "https://api.paypal.com/v1/"); ?>

  11. class paypal{ private $access_token; private $token_type; public function __construct(){ $postvals = "grant_type=client_credentials"; $uri = URI_SANDBOX . "oauth2/token"; $auth_response = self::curl($uri, 'POST', $postvals, true); $this->access_token = $auth_response['body']->access_token; $this->token_type = $auth_response['body']->token_type; } … }

  12. private function curl($url, $method = 'GET', $postvals = null, $auth = false){ $ch = curl_init($url); if ($auth){ $headers = array("Accept: application/json", "Accept-Language: en_US"); curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" .CLIENT_SECRET); } else { $headers = array("Content-Type:application/json", "Authorization:{$this->token_type} {$this->access_token}"); }

  13. $options = array( CURLOPT_HEADER => true, CURLINFO_HEADER_OUT => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_RETURNTRANSFER => true, CURLOPT_VERBOSE => true, CURLOPT_TIMEOUT => 10 ); if ($method == 'POST'){ $options[CURLOPT_POSTFIELDS] = $postvals; $options[CURLOPT_CUSTOMREQUEST] = $method; } curl_setopt_array($ch, $options); $response = curl_exec($ch); return $response; }

  14. Making a Call with the Token public function process_payment($request){ $postvals = $request; $uri = URI_SANDBOX . "payments/payment"; return self::curl($uri, 'POST', $postvals); }

  15. The Last Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend

  16. Thank You! Questions? www.slideshare.com/jcleblanc Jonathan LeBlanc Principal Developer Evangelist (PayPal) Github: http://github.com/jcleblanc Twitter: @jcleblanc

More Related