E-book
Author Siriwardena, Prabath, author

Title Advanced API security : securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE / Prabath Siriwardena
Published [Berkeley, CA] : Apress, 2014
New York, NY : Distributed to the Book trade worldwide by Springer, [2014]
©2014

Description 1 online resource (xiv, 233 pages) : illustrations
Contents Machine generated contents note: API Evolution -- API vs. Managed API -- API vs. Service -- Discovering and Describing APIs -- Managed APIs in Practice -- Twitter API -- Salesforce API -- Summary -- Design Challenges -- User Comfort -- Design Principles -- Least Privilege -- Fail-Safe Defaults -- Economy of Mechanism -- Complete Mediation -- Open Design -- Separation of Privilege -- Least Common Mechanism -- Psychological Acceptability -- Confidentiality, Integrity, Availability (CIA) -- Confidentiality -- Integrity -- Availability -- Security Controls -- Authentication -- Authorization -- Nonrepudiation -- Auditing -- Security Patterns -- Direct Authentication Pattern -- Sealed Green Zone Pattern -- Least Common Mechanism Pattern -- Brokered Authentication Pattern -- Policy-Based Access Control Pattern -- Threat Modeling -- Summary -- HTTP Basic Authentication -- HTTP Digest Authentication -- Summary -- Evolution of TLS -- How TLS Works -- TLS Handshake -- Application Data Transfer -- Summary -- Direct Delegation vs. Brokered Delegation -- Evolution of Identity Delegation -- Google ClientLogin -- Google AuthSub -- Flickr Authentication API -- Yahoo! Browser-Based Authentication (BBAuth) -- Summary -- Token Dance -- Temporary-Credential Request Phase -- Resource-Owner Authorization Phase -- Token-Credential Request Phase -- Invoking a Secured Business API with OAuth 1.0 -- Demystifying oauth_signature -- Three-Legged OAuth vs. Two-Legged OAuth -- OAuth WRAP -- Summary -- OAuth WRAP -- Client Account and Password Profile -- Assertion Profile -- Username and Password Profile -- Web App Profile -- Rich App Profile -- Accessing a WRAP-Protected API -- WRAP to OAuth 2.0 -- OAuth 2.0 Grant Types -- Authorization Code Grant Type -- Implicit Grant Type -- Resource Owner Password Credentials Grant Type -- Client Credentials Grant Type -- OAuth 2.0 Token Types -- OAuth 2.0 Bearer Token Profile -- OAuth 2.0 Client Types -- OAuth 2.0 and Facebook -- OAuth 2.0 and LinkedIn -- OAuth 2.0 and Salesforce -- OAuth 2.0 and Google -- Authentication vs. Authorization -- Summary -- Bearer Token vs. MAC Token -- Obtaining a MAC Token -- Invoking an API Protected with the OAuth 2.0 MAC Token Profile -- Calculating the MAC -- MAC Validation by the Resource Server -- OAuth Grant Types and the MAC Token Profile -- OAuth 1.0 vs. OAuth 2.0 MAC Token Profile -- Summary -- Token Introspection Profile -- XACML and OAuth Token Introspection -- Chain Grant Type Profile -- Dynamic Client Registration Profile -- Token Revocation Profile -- Summary -- ProtectServe -- UMA and OAuth -- UMA Architecture -- UMA Phases -- UMA Phase 1: Protecting a Resource -- UMA Phase 2: Getting Authorization -- UMA Phase 3: Accessing the Protected Resource -- UMA APIs -- Protection API -- Authorization API -- Role of UMA in API Security -- Summary -- Enabling Federation -- Brokered Authentication -- SAML 2.0 Profile for OAuth: Client Authentication -- SAML 2.0 Profile for OAuth: Grant Type -- JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants -- Summary -- Brief History of OpenID Connect -- Understanding OpenID Connect -- Anatomy of the ID Token -- OpenID Connect Request -- Requesting User Attributes -- Grant Types for OpenID Connect -- Requesting Custom User Attributes -- OpenID Connect Discovery -- OpenID Connect Identity Provider Metadata -- OpenID Connect Dynamic Client Registration -- OpenID Connect for Securing APIs -- Summary -- JSON Web Token -- JOSE Working Group -- JSON Web Signature -- Signature Algorithms -- Serialization -- JSON Web Encryption -- Content Encryption vs. Key Wrapping -- Serialization -- Summary -- Direct Authentication with the Trusted Subsystem Pattern -- Single Sign-On with the Delegated Access Control Pattern -- Single Sign-On with the Integrated Windows Authentication Pattern -- Identity Proxy with the Delegated Access Control Pattern -- Delegated Access Control with the JSON Web Token Pattern -- Nonrepudiation with the JSON Web Signature Pattern -- Chained Access Delegation Pattern -- Trusted Master Access Delegation Pattern -- Resource Security Token Service (STS) with the Delegated Access Control Pattern -- Delegated Access Control with the Hidden Credentials Pattern -- Summary
Summary This book will guide you through the maze of options and shares industry-leading best practices in designing APIs for rock-solid security. It explains, in depth, how to secure APIs, from traditional HTTP Basic Authentication to OAuth 2.0 and the standards built around it. This book will: provide an in-depth tutorial on the most widely adopted security standards for API security; teach you how to compare and contrast different security standards and protocols to find out what best suits your business needs; show you how to expand business APIs to partners and outsiders with Identity Federation; give you hands-on experience in developing clients against the Facebook, Twitter, and Salesforce APIs; and give you an understanding of how to mitigate security threats. -- Edited summary from book
Notes Includes index
English
Online resource; title from PDF title page (EBSCO, viewed November 30, 2017)
Subject Application program interfaces (Computer software) -- Security measures
Computer security
COMPUTERS -- Security -- General.
Form Electronic book
ISBN 9781430268178
1430268174