Solved: Re: Protecting the API using OAuth

ateebshaik · 09-05-2023 04:39 AM

Hi ,

I understand how OAuth works with the access token and grant types. My Question is how can we secure the first call where the user has to pass the Apigee client id and client secret to generate the access token ? If anyone gets hold of the client key and client secret they can start generating tokens and use them as desired. How can we prevent this ?

Thanks

dchiesa1

If anyone gets hold of the client key and client secret they can start generating tokens and use them as desired.

Correct.

How can we prevent this ?

Your question is about securing the token acquisition process. You might think of it as the boot-strapping process. The OAuth token concept is valuable because the credential (the token) is short-lived, which means if it is compromised, the window of vulnerability is relatively low. If you make your token lifetimes 30 minutes, then a malicious party that obtains the token would have only 30 minutes to exploit it before the token becomes un-usable. This is handy, a good way to reduce the impact of a credential leak. but obviously that cannot be your only approach to security.

If you are concerned about the client id and secret leaking, I would challenge you to think about HOW. that might occur. Just what are you protecting against here? There are different possibilities, here are some I can think of:

The client id and secret get distributed via an insecure mechanism, like email. In which case, an unscrupulous or corrupted (pwned) middleman might steal the id+secret and then be able to use it independently.
the client is a public client, it runs on consumer devices, and there's no guarantee the users of these devices are trustworthy. Any hacker will be able to de-compile the client code and retrieve the id+secret embedded into the client.
you're concerned about TLS zero-day exploits, or MiTM attacks, in which the id+secret pair get logged and exposed during normal use. The RFC6749 request-for-token transmits the id+secret pair, and some insecure link in the chain might intercept that request and leak the id+secret.
there is an untrusted developer who has access to the id+secret and that person distributes the id+secret to some other party.
some other supply-chain leak. For example a corrupted library that logs requests to a malicious sink, allowing a hacker to see all traffic sent by the client.

Each of these is different scenarios and might require different approaches.

One approach is to use a TLS certificate on the client side, and couple the id+secret to that TLS certificate. If your oauth endpoint receives a request-for-token that does not use the matching tLS cert, then ... you should reject the request-for-token. This is similar to, but slightly different than, what is known as "OAuth token binding".

If you're worried about the id+secret leaking during normal use, then you can rely on a RFC 7523 -style request-for-token, in which the secret is never transmitted. Instead the client forms the request-for-token as a JWT, signed using the secret as a key. This protect you against TLS zero-day exploits, or weak TLS ciphers, but won't protect you against untrusted saboteurs in your dev team, who leak credentials purposefully.

Rotating the client id+secret pair periodically can provide a failsafe against any of the above leaks. But it means you need to distribute new credentials fairly often.

For any sort of token mis-use, you should be monitoring traffic and use of the tokens to check for anomalous behavior, and then you should block the token (or the original id+secret) immediately and automatically. Apigee's Advanced API security is designed for that purpose.

Bottom line, you need to think systematically about the things you're protecting against, before taking steps to "Secure" the token dispensing endpoint.

View solution in original post

API-Evangelist

There are few ways to protect if you don't trust or you are dealing with public clients.

You can enforce below

 1.mTLS (may be also enable stronger cipher restrictions too on it)

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384  

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

 2.IP Whitelisting  

ateebshaik

Hi Thanks for the quick response. We already have a vhost with IP whitelisting and mTLS . The other vhost is public where there is no restriction also not every Consumer will have an IT Team to support the certificate signing and can have dynamic IP as this is exposed to public . How can we protect in those cases ?

API-Evangelist

Unsure on your Interesting questions 🙂 & assumptions on client side.You may need to speak to your app security and learn the ways to expose a Public API. It take a lot to expose public facing api & one needs understand the importance & plan on appropriate security guardrails before doing so..Also who ever client is being on-board you may want to help them aware of the importance of the keys & plan on appropriate key rotation policy enforced at your end. May be plan a action on negative scenario on key compromise

If you use OAuth you strictly follow the standard specification.

Alternate may be use HMAC signature with IP whitelist with a combination & send via header.

example ->

The signature contains following elements that are each separated by a new line and are in the same order as this list:
ts (The time stamp is an element of the signature. The time stamp is Unix Epoch time in milliseconds.)
nonce (Unique identifier string)
host (Server name to which you want to submit an API call)
resourcepath(Path name to which you want to submit an API call)
bodyhash (Hash of the message body using the HMAC Sha256 algorithm..The body hash is an element of the signature.)
Your secret key is used to generate the hash and the signature.)

Good Luck.

dchiesa1

If anyone gets hold of the client key and client secret they can start generating tokens and use them as desired.

Correct.

How can we prevent this ?

Your question is about securing the token acquisition process. You might think of it as the boot-strapping process. The OAuth token concept is valuable because the credential (the token) is short-lived, which means if it is compromised, the window of vulnerability is relatively low. If you make your token lifetimes 30 minutes, then a malicious party that obtains the token would have only 30 minutes to exploit it before the token becomes un-usable. This is handy, a good way to reduce the impact of a credential leak. but obviously that cannot be your only approach to security.

If you are concerned about the client id and secret leaking, I would challenge you to think about HOW. that might occur. Just what are you protecting against here? There are different possibilities, here are some I can think of:

The client id and secret get distributed via an insecure mechanism, like email. In which case, an unscrupulous or corrupted (pwned) middleman might steal the id+secret and then be able to use it independently.
the client is a public client, it runs on consumer devices, and there's no guarantee the users of these devices are trustworthy. Any hacker will be able to de-compile the client code and retrieve the id+secret embedded into the client.
you're concerned about TLS zero-day exploits, or MiTM attacks, in which the id+secret pair get logged and exposed during normal use. The RFC6749 request-for-token transmits the id+secret pair, and some insecure link in the chain might intercept that request and leak the id+secret.
there is an untrusted developer who has access to the id+secret and that person distributes the id+secret to some other party.
some other supply-chain leak. For example a corrupted library that logs requests to a malicious sink, allowing a hacker to see all traffic sent by the client.

Each of these is different scenarios and might require different approaches.

One approach is to use a TLS certificate on the client side, and couple the id+secret to that TLS certificate. If your oauth endpoint receives a request-for-token that does not use the matching tLS cert, then ... you should reject the request-for-token. This is similar to, but slightly different than, what is known as "OAuth token binding".

If you're worried about the id+secret leaking during normal use, then you can rely on a RFC 7523 -style request-for-token, in which the secret is never transmitted. Instead the client forms the request-for-token as a JWT, signed using the secret as a key. This protect you against TLS zero-day exploits, or weak TLS ciphers, but won't protect you against untrusted saboteurs in your dev team, who leak credentials purposefully.

Rotating the client id+secret pair periodically can provide a failsafe against any of the above leaks. But it means you need to distribute new credentials fairly often.

For any sort of token mis-use, you should be monitoring traffic and use of the tokens to check for anomalous behavior, and then you should block the token (or the original id+secret) immediately and automatically. Apigee's Advanced API security is designed for that purpose.

Bottom line, you need to think systematically about the things you're protecting against, before taking steps to "Secure" the token dispensing endpoint.

ateebshaik

Thanks @dchiesa1 and @API-Evangelist for your valuable inputs .