This document discusses best practices for building an API security ecosystem, including using a gateway pattern to decouple clients from APIs, various methods for direct authentication of internal users like HTTP basic authentication and OAuth, auditing and monitoring APIs, and externalizing authorization using standards like XACML. It also covers cross-domain access, distributed authorization with resource servers, and user-managed access models.
3. Gateway Pattern - Benefits
• Decouple clients from the actual API implementation
• No point-to-point connection
• Centralized security enforcing
• Centralized auditing & monitoring
• Version controlling
8. TLS Mutual Authentication
§ Gateway itself does the certificate validation
§ Fine-grained access validations can be done by the authorization server.
curl -k --cert client.pem https://localhost:8443/recipe
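The gateway side of the split the slide describes, as an added example that is not code from the slides: Python's standard ssl module is configured to require and validate the client certificate, and the validated identity is extracted in a form the gateway can hand to the authorization server for the fine-grained decision. The file names gateway.pem, gateway-key.pem and client-ca.pem are assumptions (the slides only name client.pem), and the peer certificate dict is constructed to match the shape returned by SSLSocket.getpeercert(). Note that the curl command's -k switches off verification of the gateway's own certificate; outside a test setup, pass the gateway's CA with --cacert instead.

```python
# Added example: gateway-side TLS mutual authentication with the stdlib ssl
# module. Certificate validation happens here; who may call which API is
# left to the authorization server, as the slide says.
import ssl
import time

GATEWAY_CERT = "gateway.pem"       # hypothetical path: gateway's own certificate
GATEWAY_KEY = "gateway-key.pem"    # hypothetical path: its private key
CLIENT_CA = "client-ca.pem"        # hypothetical path: CA that signed client.pem


def make_gateway_context(cert_file=GATEWAY_CERT, key_file=GATEWAY_KEY,
                         ca_file=CLIENT_CA):
    """Server-side context that refuses any client whose certificate does
    not chain to the trusted client CA (the 'mutual' part of mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_identity(peer_cert, now=None):
    """Turn the dict from SSLSocket.getpeercert() into the identity the
    gateway forwards (for example as a header) to the authorization server.

    OpenSSL has already checked the chain and validity dates when the
    handshake succeeded under CERT_REQUIRED; the dates are re-checked here
    so the function is also safe on a cached dict. Returns None when there
    is no certificate, it is outside its validity window, or it has no CN.
    """
    if not peer_cert:
        return None
    if now is None:
        now = time.time()
    if now > ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return None
    if now < ssl.cert_time_to_seconds(peer_cert["notBefore"]):
        return None
    # subject/issuer are tuples of RDNs, each a tuple of (type, value) pairs
    subject = {k: v for rdn in peer_cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in peer_cert.get("issuer", ()) for k, v in rdn}
    cn = subject.get("commonName")
    if not cn:
        return None
    return {
        "cn": cn,
        "org": subject.get("organizationName"),
        "issuer": issuer.get("commonName"),
        "serial": peer_cert.get("serialNumber"),
    }


# Constructed sample in the getpeercert() layout; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "LK"),),
                (("organizationName", "Example Partner"),),
                (("commonName", "recipe-client"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "serialNumber": "0A1B2C",
    "version": 3,
}

# Typical use after accept() on a socket wrapped with make_gateway_context():
#   ident = client_identity(tls_conn.getpeercert())
#   if ident is None: close the connection, else forward ident["cn"] upstream.
```

Keeping `client_identity` separate from the socket handling means the mapping from certificate to caller identity can be unit-tested without a TLS handshake, and the authorization server only ever sees a CN and issuer it can write policy against.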
18. OAuth & XACML
§ A given access token has a scope associated with it and it governs the access token’s capabilities
§ A user delegates access to his Facebook profile to a third party, under the scope “user_activities”. This provides access to the user's list of activities as the activities’ connection. To achieve fine-grained access control, this can be represented in an XACML policy.
§ token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
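The decision the slide describes, as an added example that is not from the slides: the token's scope becomes a subject attribute, the resource_id becomes action and resource attributes, and a rule in the shape of an XACML Rule (target, condition, Permit/Deny/NotApplicable with deny-overrides combining) decides the request. The token store and the second token are constructed; real XACML is XML evaluated by a PDP, and this keeps only its structure in plain Python.

```python
# Added example: attribute-based decision in the spirit of the XACML policy
# the slide refers to. Not XACML XML; same target/condition/effect shape.
from urllib.parse import urlparse

# Constructed token store: the slide's token plus a token lacking the scope.
TOKENS = {
    "gfgew789hkhjkew87": {"resource_owner": "prabathsiriwardena",
                          "scope": {"user_activities"}},
    "token-without-scope": {"resource_owner": "prabathsiriwardena",
                            "scope": {"email"}},
}


def rule_activities(req):
    """Target: GET on the 'activities' connection of a user.
    Condition: token carries user_activities AND the user in the path is
    the one who delegated access (no reading other people's activities)."""
    if req["action"] != "GET" or req["connection"] != "activities":
        return "NotApplicable"
    if "user_activities" in req["scope"] and req["path_user"] == req["resource_owner"]:
        return "Permit"
    return "Deny"


POLICY = [rule_activities]   # a PolicySet would hold more rules here


def parse_resource_id(resource_id):
    """Split 'GET https://graph.facebook.com/<user>/activities' into the
    action and resource attributes the rules look at."""
    action, _, url = resource_id.partition(" ")
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or len(segments) != 2:
        raise ValueError("unsupported resource_id: %r" % resource_id)
    return {"action": action, "host": parts.netloc,
            "path_user": segments[0], "connection": segments[1]}


def decide(token, resource_id):
    """Deny-overrides combining: any Deny wins, else Permit if a rule permits,
    else NotApplicable. A gateway must treat NotApplicable as Deny."""
    tok = TOKENS.get(token)
    if tok is None:
        return "Deny"          # unknown or expired token is never NotApplicable
    req = parse_resource_id(resource_id)
    req.update(resource_owner=tok["resource_owner"], scope=tok["scope"])
    results = [rule(req) for rule in POLICY]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    print(decide("gfgew789hkhjkew87",
                 "GET https://graph.facebook.com/prabathsiriwardena/activities"))
```

The condition on `path_user` is the fine-grained part the scope alone cannot express: the scope says what kind of data a token may reach, the policy says whose.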
24. User Managed Access
• PAT (Protection API Token): Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token): Token issued to the Client to access the Authorization API (Authorization Server).
• RPT (Requesting Party Token): Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
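Which party holds which of the three tokens, as an added example that is not from the slides: an in-process toy of the authorization server, a resource server and a client. Tokens are random strings minted locally, there is no HTTP, and the names (photo-rs, gallery-app, alice, bob, carol) and message shapes are constructed; the real UMA wire format is not reproduced, only the rule that each API accepts only its own token type.

```python
# Added example: a toy UMA flow showing PAT, AAT and RPT in the hands of the
# parties the slide names. Constructed names and simplified messages.
import secrets


class AuthorizationServer:
    def __init__(self):
        self.tokens = {}      # token value -> claims (type, holder, ...)
        self.resources = {}   # resource_id -> {"owner", "scopes"}
        self.policies = {}    # resource_id -> requesting parties the owner allowed

    def _mint(self, kind, **claims):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"type": kind, **claims}
        return token

    def _require(self, token, kind, api):
        claims = self.tokens.get(token)
        if not claims or claims["type"] != kind:
            raise PermissionError("%s requires a %s" % (api, kind))
        return claims

    # Protection API (used by the resource server with a PAT)
    def issue_pat(self, resource_server, resource_owner):
        return self._mint("PAT", holder=resource_server, owner=resource_owner)

    def register_resource(self, pat, resource_id, scopes):
        claims = self._require(pat, "PAT", "Protection API")
        self.resources[resource_id] = {"owner": claims["owner"], "scopes": set(scopes)}

    def introspect(self, pat, rpt):
        """The resource server asks what an RPT is good for; None if invalid."""
        self._require(pat, "PAT", "Protection API")
        claims = self.tokens.get(rpt)
        return claims if claims and claims["type"] == "RPT" else None

    # Owner's policy (set directly by the resource owner)
    def set_policy(self, resource_owner, resource_id, requesting_party):
        if self.resources[resource_id]["owner"] != resource_owner:
            raise PermissionError("only the owner may set policy")
        self.policies.setdefault(resource_id, set()).add(requesting_party)

    # Authorization API (used by the client with an AAT)
    def issue_aat(self, client, requesting_party):
        return self._mint("AAT", holder=client, requesting_party=requesting_party)

    def request_rpt(self, aat, resource_id, scope):
        """Issue an RPT only if the owner's policy lets this requesting party
        have this scope on this resource; otherwise None."""
        claims = self._require(aat, "AAT", "Authorization API")
        res = self.resources.get(resource_id)
        party = claims["requesting_party"]
        if res is None or scope not in res["scopes"] \
                or party not in self.policies.get(resource_id, ()):
            return None
        return self._mint("RPT", holder=claims["holder"], requesting_party=party,
                          resource_id=resource_id, scope=scope)


class ResourceServer:
    def __init__(self, name, auth_server, pat):
        self.name, self.auth_server, self.pat = name, auth_server, pat

    def access(self, rpt, resource_id, scope):
        """200 if the RPT covers exactly this resource and scope, else 403."""
        info = self.auth_server.introspect(self.pat, rpt)
        if not info or info["resource_id"] != resource_id or info["scope"] != scope:
            return 403
        return 200


def run_flow():
    """Alice shares her album with Bob; Bob's app reads it, cannot edit it,
    and Carol's app gets no RPT at all."""
    auth = AuthorizationServer()
    pat = auth.issue_pat("photo-rs", "alice")
    rs = ResourceServer("photo-rs", auth, pat)
    auth.register_resource(pat, "alice/album", ["view", "edit"])
    auth.set_policy("alice", "alice/album", "bob")
    aat = auth.issue_aat("gallery-app", "bob")
    rpt = auth.request_rpt(aat, "alice/album", "view")
    return {
        "view": rs.access(rpt, "alice/album", "view"),
        "edit": rs.access(rpt, "alice/album", "edit"),
        "aat_used_as_rpt": rs.access(aat, "alice/album", "view"),
        "carol_rpt": auth.request_rpt(auth.issue_aat("gallery-app", "carol"),
                                      "alice/album", "view"),
    }
```

The point worth keeping from the toy: the resource server never sees an AAT, the client never sees a PAT, and the only token that reaches a protected resource is an RPT whose scope the authorization server already checked against the owner's policy.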