onsdag, juli 01, 2015

Introducing the Mason Cook Book

I have started an on-line book of recipes for building hypermedia APIs with the Mason (hyper)media type. It is very much work in progress but hopefully I can add one or two recipes a week on my daily train commute to and from work.

The book source is hosted on GitHub and is made available on-line at GitBook in various formats. Later on I may host it another server depending on how GitBook turns out to work with - but so far it has been a nice experience.

You are most welcome to add issues, fork it and send me pull requests for improvements.

tirsdag, juni 16, 2015

Mason Draft 2 ready for use

I am happy to announce that Mason (the JSON + hypermedia format) is now ready for use in Draft 2. See https://github.com/JornWildt/Mason/blob/master/Documentation/Mason-draft-2.md.

For those that haven't heard about Mason before - please take a look at https://github.com/JornWildt/Mason. Mason is a JSON based format with conventions for representing API data and hypermedia control elements.

This version combines links, actions and link templates into one single @controls object. As the name indicates this object contains all the hypermedia elements that control the application.

This move to @controls makes it possible to combine link templates with POST data - and should make it easier to parse and represent hypermedia elements in code.

There are currently no further ideas in the pipeline that could change how things are represented in Mason. Future versions may though add new features.

Feedback is as always appreciated :-)



fredag, december 19, 2014

Announcing Macaroons.Net - a C# implementation of macaroons authorization credentials

In my previous blog post I introduced "macaroons" - a new technique for creating authorization credentials.

But I even went a bit further and created a C# implementation of macaroons called Macaroons.Net. You can find it on GitHub at https://github.com/JornWildt/Macaroons.Net together with examples and documentation.

Have fun.

Macaroons authorization credentials, better than cookies

This was the year I first heard of the term "macaroon" used in the context of the web, authorization frameworks and other crypto stuff. I had absolutely no idea of what it was, but "the web" said it was good, so I got curious and did some studying. It turned out to be a technique for creating authorization tokens with some very interesting properties:
  • Proof carrying: a macaroon carries its own proof of authorization, cryptographically secured.
  • Delegation: a macaroon can be given to another user who can then act on your behalf.
  • Attenuation: any user can further restrict (attenuate) the authorization before sharing the macaroon with others.
  • Distributed authorization: any user can require authorization by other services before using a macaroon.

Here is a small scenario illustrating the above features:
  1. Alice wants to share a set of images on a photo sharing website. Lets call it "Phlocker" for now.
  2. Alice asks Phlocker to create a macaroon which enables access to exactly those images.
  3. Alice sends the macaroon to Bob.
  4. Bob receives the macaroon, most likely as part of a URL to Phlocker, and he uses it to access the images.
  5. Bob decides to share exactly one of the images with Cecilia. So Bob creates a new macaroon from the original macaroon without involving Phlocker at all. This new macaroon "attenuates" the original macaroon and restricts it to the single image.
  6. Bob does not want Cecilia to share the image with others, so he attenuates the macaroon even further by adding the requirement that only Cecilia, as identified by her Twitter account, should be allowed to use the macaroon.
  7. Bob sends the macaroon to Cecilia.
  8. Cecilia receives the macaroon and sees the requirement of being logged into Twitter as Cecilia.
  9. Cecilia interacts with Twitter to prove her identity and Twitter issues a discharge macaroon to Cecilia. This is all done without Twitter knowing why Cecilia needs the authorization.
  10. Cecilia prepares the discharge macaroon for use at Phlocker and sends it together with the original macaroon she received from Bob.
  11. Phlocker checks Cecilia's macaroon from Bob, recognizes the Twitter identity requirement and verifies it with the discharge macaroon.
  12. Cecilia gets to see the single image without being able to see the other images that Alice originally authorized Bob to access.

The technology for this flow is not yet perfect as there are some interoperability problems regarding how to encode third party requirements like "being authorized as Cecilia @ Twitter". But the underlying crypto stuff is solid and published in the paper "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud" by Arnar Birgisson, Joe Gibbs Politz, Úlfar Erlingsson, Ankur Taly, Michael Vrable and Mark Lentczner.

Personally I think this little piece of technology has a great potential for creating distributed system.

lørdag, august 02, 2014

Take away from the 2014 API-Craft conference in Detroit

Last week I attended the 2014 API-Craft conference in Detroit - and I had a great time! Met lots of interesting people, had great conversations and learned a lot about what other people make out there.




Some of the stuff I saw and listen to in Detroit made a few pieces of puzzle click together in my brain. First there was Z who reminded me that we still don't have any good description language for documenting resource oriented hypermedia APIs. I've heard that before and been wondering how it would look like.

Then I talked with Sergey and Dmitri who showed me the resource diagram for their API - this one reminded me so much of UML diagrams that I think we should look into that for inspiration.

I was also at the "Documenting APIs" session where I suddenly found myself talking about our own API documentation - which is written in Word (and that's okay, kind'a). It made me realize that, at its core, such a documentation consists of resource descriptions, link relation descriptions, action descriptions and of course some kind of overview, introduction and tutorial sections.

Someone asked us to explain what a hypermedia API is in one sentence. I came up with "That is an API which can be documented without writing one single absolute URL or relative URL path". I don't exactly think that will catch on, especially not outside this community, but I do believe it is true - if you need to explain URL structures then you are missing something. Unfortunately that one sentence doesn't tell you how to actually implement such an API and as such it is really not very useful.

[I'm pretty sure there is a good Yoda quote to put in here ... like, you now ... "The links with you very strong are here, Luke". Anyone got a better one?]

Dave introduced me to his JSON based description language for APIs and it made me realize that you can do awesome things even in a dead simple format like JSON. Why having to state <twice>everything</twice> when you can do { "single": "everything" }.

Then there were people talking about resources and state machines (thanks again Z). Personally I don't believe much in that analogy - it kind of confuses the graph of resource relationships with the graph of a way-too-simple-never-to-be-found-in-real-life state machine. Z did try to convince me about this but never succeeded - maybe because I am highly colored by my PhD thesis on automatic verification of obnoxiously great state machines :-)

We also got a great deal around API explorers/browsers of various kinds. It seems like every media type have such one now a days - and it makes great sense to me. I truly believe in the power it has when it comes to learning a new API. Thanks to Kristopher Kleva for his story about links, actions and the Sirene browser (you really should blog about that experience!).

I also met Pete Gamache who is the guy behind HyperResource - unfortunately we never really spoke together. He's hypermedia client for Ruby is an interesting solution for interacting with hypermedia APIs in code. Its not exactly new as the same kind of ideas exists in the older tool Restfulie (for Ruby) and my own Ramone library (for C#) - but none the less it shows that there are something worth pursuing here.

All the talks about tooling, SDKs and object models for API resources made me want to work a bit on Ramone and Mason again. It could be cool to make a C# hypermedia resource representation that would allow the client developer to follow links and execute actions in an easy and intuitive way - while at the same time be able to hide some of the stuff that complicates client code in order to make it long lasting and handle (some types of) API changes.

So, thanks to all of you - also those of you that I have forgotten to mention here and of course the people at Apigee that made all of this possible!



torsdag, marts 27, 2014

Modelling a Shipment example as a hypermedia service with Mason

Yesterday I was attending the "RAML" workshop at the API Strategy konference. In this workshop the speakers introduced a very simple little Web API; It allowed a customer to GET a (shipment) quote and afterwards create (POST) an actual shipment request based on the quote.

I decided that it could be fun to hypermedia-ize the example and show how it could be represented using the media type Mason. So here we go :-)

The first step is to ask for a quote; the customer has a package of some sort and needs to ship it from A to B, so he access the shipment service and asks for a quote (a price) given the size, weight, origin and destination for the package.

In the original example you could ask for a quote by issuing a GET request to /quote. But I believe that asking for a quote would result in a concrete quote being created and stored in the system as a separate resource to access later on, either by the customer or by the customer service of the shipment company. So I would rather go for a POST of a quote request followed by a redirect to the newly created quote.

At this point we could either document how to POST such a quote - or we could tell the client how to do it using hypermedia controls - and obviously I would go for the later. So lets ask the service for instructions and issue a GET /quote request. The output is a Mason document with suitable hypermedia controls embedded in it:

{
  "@namespaces":
  {
    "myth":
    {
      "name": "http://mythological-shipment.com/api/rel-types"
    }
  },
  "@actions":
  {
    "myth:quote":
    {
      "type": "json",
      "method": "POST",
      "href": "http://mythological-shipment.com/api/quote",
      "title": "Ask for a quote",
      "description": "Ask for a quote by posting package details. Weight is in kilograms, volume in cubic decimeters, origin and destination must be known identifiers for airports.",

      "schemaUrl": "... URL to JSON schema describing the request ..."
    }
  }
}


The client reads this action specification, encodes the package details in JSON and POST it to the URL of the "href" property. As a result the service creates a new quote resource and redirects the client to it:

Request:

  POST http://mythological-shipment.com/api/quote HTTP/1.1
  content-type: application/json


  {
    "weight": 2.3,
    "volume": 4,
    "origin": "CPH",
    "destination": "AMS"
  }

Response:

  201 Created
  Location: http://mythological-shipment.com/api/quotes/myqo-129-gyh

Now the client can GET the newly created quote to get further instructions of how to accept the quote. The result is again a Mason representation of the quote itself plus hypermedia controls for accepting the quote:

{
  "id": "myqo-129-gyh",
  "weight": 2.3,
  "volume: 4,
  "origin": "CPH",
  "destination": "AMS":
  "price": 12,
  "@links":
  {
    "self":
    {
      "href": "http://mythological-shipment.com/api/quotes/myqo-129-gyh"
    }
  },
  "@actions":
  {
    "myth:accept-quote":
    {
      "type": "POST",
      "href": "http://mythological-shipment.com/api/quotes/myqo-129-gyh/state",
      "template":
      {
        "accepted": "yes"
      }
    }
  }
}


As you can see the quote has a "self" link identifying the location of the quote resource. It also have a "accept-quote" action that instructs the client about how to accept the quote. In this case all the client has to do is to POST a predefined JSON value to http://mythological-shipment.com/api/quotes/myqo-129-gyh/state.

The result of accepting a quote is that it is converted to a sales order (in lack of better domain understanding - there's probably a better word for it). So the accept-quote operation results in a redirect to the newly create sales order which the client can GET:

{
  "id": "myqo-129-gyh",
  "weight": 2.3,
  "volume: 4,
  "origin": "CPH",
  "destination": "AMS":
  "price": 12,
  "@links":
  {
    "self":
    {
      "href": "http://mythological-shipment.com/api/orders/myqo-129-gyh"
    },
    "myth:quote":
    {
      "href": "http://mythological-shipment.com/api/quotes/myqo-129-gyh"
    },
    "myth:shipment-label":
    {
      "href": "http://mythological-shipment.com/api/quotes/myqo-129-gyh/label",
      "type": "application/pdf"
    }
  }
}


At last the customer needs a shipment label to print out and stick onto the package. All it has to do is to follow the "myth:shipment-label" link and GET the PDF. Thats it.

/Jørn

onsdag, februar 26, 2014

API authentication considerations and best practices

I have been answering a few security questions on Stackoverflow and going through some APIs on programmableweb.com - and it keeps amazing me how often people gets HTTP authorization wrong.

The typical questions I have noticed on SO are something like "I want to secure my API, have control of clients and require users to login - but I don't want to use OAuth". Duh? Why not? Perhaps because OAuth is conceived as being too difficult to work with? Well, OAuth2  is definitively not difficult (OAuth1 is another story though).

But lets take a look at some of the existing practices:

API keys in URLs: one example is the Finish National Gallery API (which I somehow stumbled upon). Here you are required to obtain an API key and put it into the URL in every request made to the API:

  http://kokoelmat.fng.fi/api/v2?apikey=********&q=A+III+2172


API keys in custom headers: one example is from DocuSign. They require you to encode both your (developer) user name, password and API key in a JSON object and then send that in a custom header X-DocuSign-Authentication:

  GET /some-url
  X-DocuSign-Authentication: { "Username": "...", "Password": "...", "IntegratorKey": "..." }
  ... more ...


Signed URL/body parameters: one example is last.fm which requires you to use your API key to obtain a session token and use that token later on to sign requests, either using URL parameters or in the body of the HTTP request.

HTTP Basic authentication: GitHub supports authentication via the standard HTTP basic authentication mechanism where you supply username and password BASE64 encoded in the "Authorization" header.

OAuth1 and Oauth2: PhotoBucket uses OAuth1 and BaseCamp uses Oauth2 (in addition to HTTP basic authentication).

I did set out with the expectation of finding many more strange authorization schemes, but it turned out that at least most of the big players use OAuth1 or OAuth2. That's great! Now we just need to get the word out to all the "dark matter developers" out there (as Scott Hanselman calls them).

Things to be aware of


1) API keys in URLs are very easily accidentally exposed to third parties. If you take a copy of the URL and mail it to somebody you will end up sending your private key to someone else. For the same reason API keys may end up in log files here and there. Not good!

2) API keys in URLs changes your resource URL such that it depends on who is using it. Instead of everybody referring to /some-items/1234 it will be /some-items/1234?key=abc for one user and /some-items/1234?key=qwe for another - and these two are completely different URLs even though they "only" differ on the query parameters. It is semantically the same as encoding the key in the path segment as for instance /api/abc/some-items/1234 and /api/qwe/some-items/1234 which I don't expect any one to think of as a good idea - right?

3) API keys in headers are better than API keys in URLs since it will keep the URL stable for all users and it doesn't expose API keys when sending links to others. The problem though is that you are still sending your secret credentials (the API key) over the wire and it may be wiretapped by third parties. Another problem is that a client may accidentally connect to the wrong server (by misconfiguration or otherwise) and expose its credentials there.

4) Signed requests (done right!) should be preferred over sending the API key directly. The signature should not be part of the URL for the reasons stated above - and the same goes somehow for sending the signature in the body since different users will see different bodies which is not necessary when you have a standard HTTP header for the purpose.

5) Proprietary methods for signing requests are prone to design errors as it is easy to get the signature mechanism wrong - and thus accidentally making the signature technique easy to circumvent.

6) Proprietary methods for signing requests requires client developer to understand yet another signature mechanism. It also makes it less likely to find existing client libraries to handle the crypto stuff. Both of these issues makes client adoption of your API less likely. And you know what, dear server developer? Your client developers will call for support and it will end up on YOUR table, reducing your ability to focus on coding the next great thing! So stick to well documented standards - it will be less annoying for everybody including yourself.

7) HTTP basic authentication is great for debugging and getting started scenarios but should not be used in production. The problem is that client credentials are send in clear text and are thus susceptible to accidental exposure as mentioned before. Your API should support basic authentication as it will make it possible to explore the API using a standard web browser - but it should be disabled in production.

8) It should be possible to revoke API keys in case they are compromised in some way.

What kind of technique would solve all of these issues? Well, Oauth2 is one standard solution; it uses the HTTP "Authorization" header (thus avoiding authentication stuff in URL and body), it is a standard and used correctly it protects clients from exposing their API keys to the server and over the wire.

Another solution is to use SSL/TLS with client certificates. With the proper HTTP client libraries this can be as easy as loading a certificate (one line of code) and assigning it to the HTTP request object (second line of code). This can although not authorize a combination of both client credentials and end user credentials.

OAuth2


OAuth2 roles and terms


Before jumping into OAuth2 I better explain some of the terms used when talking about OAuth2 (mostly copied from the RFC at http://tools.ietf.org/html/rfc6749#section-1.1):

- Protected resources: the data you want to protect.

- Resource owner: An entity capable of granting access to a protected resource. The "entity" is often a person - the end user.

- Resource server: The server hosting the protected resources.

- Client: An application making protected resource requests on behalf of the resource owner. This can for instance be a mobile application, a website or a background integration process impersonating an existing end user.

- Client credentials: a pair of client ID and client secret. This could be your developer or application ID and API key.

- Resource owner password credentials: the typical user-name/password combination issued to an end user.

OAuth2 flows


OAuth2 has four different modes of operating (called flows) - going from the relatively complex 3-legged authorization flow to the very simple "client credentials" authorization flow. At least one of the flows should fit into just about any public API ecosystem out there - and if not then it is possible to add new extension flows (as for instance Google does with the JWS implementation).

At its core OAuth2 has only two high level steps:

  1) Swap a set of user and/or client credentials for an access token (authorization step), and

  2) Use the access token to access the API resources.

That's it. It can be very simple. The difficult part of OAuth2 is the many ways a client can obtain an access token.

Here I will focus on a scenario with a trusted client that accepts user credentials and acts on behalf of them. This can be very useful for many internal integration patterns where no humans are involved. I won't cover the scenario where an untrusted client (third party website) needs to access the end user's resources using the 3-legged authorization flow.

Acces tokens and bearer tokens


At a suitable high level OAuth2 only has two steps as mentioned before: 1) authorization, 2) resource access. The output of a successful authorization step is always an access token which must be used in subsequent requests to the resource server (the API).

In most cases the access token is a so called "bearer token" - a token which the bearer can present to gain access to resources. Such a token has no built-in semantics and should be considered as nothing but a plain text string.

The bearer token is included in the HTTP Authorization header like this:

     GET /resource HTTP/1.1
     Host: server.example.com
     Authorization: Bearer SOME-TOKEN


Authorizing with client credentials only


This is just about the simplest flow possible (see http://tools.ietf.org/html/rfc6749#section-4.4): all the client has to do is to send it's client credentials (ID and secret) as if it was using HTTP basic authorization. In return the client receives an access token it can use in subsequent requests for the protected resources. Here is an example from the RFC:

     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=client_credentials


The response could be:

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"bearer"
     }


This flow allows the client to act on behalf of itself but it does not include any end user information.


Authorizing with both client credentials (API key) and user credentials (password)


If a client needs to act on behalf of the end user (the resource owner) then it can use the "Resource Owner Password Credentials Grant". This flow is almost as simple is the previous flow - all the client has to do is to add the client credentials to the authorization request. Here is an example from the RFC:

     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=password&username=johndoe&password=A3ddj3w


The response could be:

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"bearer"
     }


This flow allows the client to act on behalf of the end user. The client application must be trusted as the end user will have to pass his/her credentials to it.


Protecting credentials in transit


There is one big problem with the two simple flows mentioned above; both of them pass the client and end user credentials in clear text. For this reason OAuth2 makes it mandatory to use TLS/SSL to encrypt all of the requests. Neither does these flows cover scenarios with untrusted clients (such as a third party website that wants to access an end users resources on a different server) - but that scenario is covered in the "Authorization Code Grant" scenario which I will not discuss here.

The use of TLS/SSL protects the credentials from eavesdropping and man-in-the-middle attacks but it does not protect against sending credentials to the wrong server - either by misconfiguration or because the server has been compromised.

This lack of protection is perhaps one of the biggest difference between OAuth1 and OAuth2; OAuth1 protects credentials by signing requests instead of sending the raw credentials. This requires a rather complex signing algorithm which has caused many headaches over the time. OAuth2 trades the protection of credentials for simplicity which makes it a lot easier to use - but susceptible to leaking credentials to rogue servers.

It is possible to protect credentials from this problem though but it requires clients to use some complex crypto stuff to sign requests instead of sending the raw credentials (just like OAuth1 does). This is what Google does when it requires requests to be signed using JSON Web Signatures (JWS).

If you are using .NET then my Ramone HTTP library has support for OAuth2 with JWS as can be seen in this example: http://soabits.blogspot.com/2013/03/using-ramone-for-oauth2-authorization.html.


Protecting credentials in clients


One more word of caution - websites, mobile apps, desktop apps and similar with public clients cannot protect their client credentials. Other application may be able to do it (server to server integrations for instance) but public clients, be it JavaScript, byte code or assembler, can always be downloaded, decompiled and scrutinized by various forensic tools and in the end it will be impossible to keep client secrets from being stolen. This is a fact we have to live with.

Client credentials can be useful for statistics. They also give the ability to revoke credentials in order to block rogue applications - but they cannot be trusted in general.

Further reading

Eran Hammer has a discussion about the drawbacks of OAuth2 at http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/ and here is another discussion of the drawbacks of bearer tokens http://hueniverse.com/2010/09/29/oauth-bearer-tokens-are-a-terrible-idea/