API/HTTP

Question 1

What is a URL?

Answer 1

subset of URI that includes explicit reference of how to access resource i.e (ftp vs http protocol).

Question 2

What is a URI?

Answer 2

Way of identifying a resource

Question 3

What is a URN?

Answer 3

Everything after the //
Consists of host with dedicated IP,then resource path and finally optional url query to transfer other info.

Question 4

What are the useful HTTP methods?

Answer 4

GET- request resource from server
POST - submit resource to a server (like submitting a form)
PUT - Replace resource on server
PATCH - Update/modify resource on the server
DELETE - delete resource from server
OPTIONS - Get options for the resource
TRACE- traceback loop

Question 5

What are the HTTP response categories?

Answer 5

100: Info
200: success
300: Redirection
400: Client Error
500: Server Error

Question 6

What is REST vs SOAP?

Answer 6

Rest: Is an architecture that allows use of JSON or XML, lightweight for mobile applications.

SOAP: Relies on SOAP protocol and only can use XML for transfer, heavyweight for enterprise applications.

Question 7

What are the 6 constraints of REST?

Answer 7

Client-server architecture: Client manages UI, server manages data storage
Statelessness: No client information is stored on server between requests, client responsible for maintaining states
Cacheability: All REST responses must explicitly be marked as cacheable or not cacheable.
Layered System: Client shouldn’t know/care if connected to server or middleman like CDN.
Code on Demand: Servers can transfer executable and compiled code to clients.
Uniform Interface:
1. Resource identification in requests - URI request must specify where the resource is and what format the response should use.
2. Resource manipulation through representation - client can modify resource on the server once given a copy.
3. Self-descriptive messages: Data type must be specified from server and client.
4. Hypermedia as engine of application state: REST usage is described with every returned resource (via hyperlinks). Like choose your own adventure novel

Question 8

What is an API?

Answer 8

Application Programming Interface, allows different softwares to communicate with each other.

Question 9

What is the Bolt on strategy for developing APIs?

Answer 9

Add on API to existing system/code, makes easy to develop but bad decisions in existing infrastructure leak through to the API

Question 10

What is the Greenfield Strategy for developing APIs?

Answer 10

API or mobile first mindset for new systems
Leverages new tech and architectures for best results but is also the most difficult.

Question 11

What is the Facade strategy for API dev?

Answer 11

Mix of the previous strategies by replacing code piece by piece.
Ideal for legacy systems as the app is functional but leaves too many different mindsets in the system at the same time.

Question 12

What are the API Relationships?

Answer 12

Independent: Can exist on its own
Dependent: Can only exist if another resource already exists
Associative: Can be dependent or independent but needs additional information

Question 13

What is an API Key?

Answer 13

Method of authn/authz where the API provider issues a long string appended to the url or as a header in the request. It is simple to implement and language/framework agnostic.

Drawbacks :URLS aren’t secret, difficult to update/rotate if compromised.

Question 14

What is OAuth?

Answer 14

OAuth 2.0 is an authorization framework. Uses access token to establish what actions are permitted. OpenID Connect is a special instance of OAuth2.0.

Question 15

How does API versioning work?

Answer 15

Using the accept header: Establish the markup or notation, Establish the media type and Establish the version of the media type and resource.

Using the URL: API version is clear and explicit, nothing is lost with copy/paste.

Question 16

What is content negotiation?

Answer 16

Mechanism which allow multiple versino of a document to exists a single URL so the clinet-server can determine which version to use

Question 17

What are the OAuth main concepts?

Answer 17

Scopes: Permission scope
Access Token: Current authorization instance
Refresh Token: Next authorization instance
Grant Type/Flow: Mechanism for retrieving tokens. Includes Authorization Code Flow, Implicit or authorization code with PKCE, Client credential, Resource owned password.

Question 18

What is an Opaque Token?

Answer 18

Unique string acting as an authorization string, nothing to decode/decrypt.

Question 19

What is a JSON Web Token?

Answer 19

A JWT consists of authorization and profile data.

Question 20

How are JWT’s validated?

Answer 20

1. Retrieve keys document that represent the public key the token was signed with.
2. Decode the token header and compare the KID against the keys document to make sure they match. If they don’t either the key doc is out of date or the token is not for you.
3. Use Key and payload to generate a signature and compare it against the token, if they don’t match the token has been tampered with.
4. Then the payload of the token is decoded and the iss (issuer), aud (audience), cid(client id), and exp (expiration) are checked.

Question 21

What is the authorization Code Flow?

Answer 21

User gets Auth code and then the server uses the client id, and client secret to retrieve access and refresh tokens.

Can only be used when only a user is involved and app has backend component.

Question 22

What is PKCE?

Answer 22

RFC 7636 Proof Key for Code Exchange. For Mobile apps and Single page apps (public clients) that cannot store secrets. No client secret, instead use local code verifier and code challenge for authorization.

Question 23

What are the security considerations for Auth Code Flow and PKCE?

Answer 23

• Always use TLS/SSL
• Validate tokens
• Protect the Auth Code
• Don’t worry about the access code
• Protect your redirect_uri

Question 24

What are the security practices for the Implicit Flow?

Answer 24

• Always use TLS/SSL
• Validate tokens
• Protect your redirect_uri
• Don’t use GET

Question 25

When to use Implicit Flow?

Answer 25

App maintenance as it was deprecated in favour of Auth code + PKCE.

Question 26

When to use Resource Owner Password?

Answer 26

Too bridge legacy systems to OAuth/last resort.

Question 27

What is the Implicit Flow?

Answer 27

Client authorizes with authorization server since client and dev do not trust each other. Access token is exposed to the end user.

Question 28

What is the resource owner password flow?

Answer 28

User submits credentials directly to the app which then submits to the auth server.

Question 29

What is the Client Credential Flow?

Answer 29

Client app needs access to a private resource so it submits its id and secret to the auth server.

Question 30

When should the client credential flow be used?

Answer 30

Should be used when there is no user involved, for example backend/microservices only.

Question 31

What are the security practices for the client credential Flow?

Answer 31

• Always use TLS/SSL
• Validate tokens
• Log and Track usage

Question 32

What is the Device Grant Type?

Answer 32

Uses device ID + Verification URI (such as a QR) code to authorize credentials against auth server.

Question 33

When should the Device Grant Type be used?

Answer 33

• NOT for mobile devices or most IoT devices.
• Must meet 4 reqs:
  Device already connected to the internet
  device can make HTTPS requests
  device must be able to communicate URI to end user
  user has a device available to visit the URI

Question 34

What are the security considerations for the Device Grant Type?

Answer 34

• Always use TLS/SSL
• Validate tokens
• pass user code along user URL parameters
• use rate limiting on the auth server side
• Don’t trust devices