Last week, I had the pleasure of discussing REST access control patterns with
Enterprise Architects and partnering technology folks. I also had the
opportunity to present on this topic and one of the questions that came up
afterwards was from a security architect who was unsure whether OAuth would
be a good fit for some existing APIs that they have because those APIs happen
to be consumed from two very different sources:
from the inside, by internal applications that do not act on behalf of a
particular subscriber but from the provider’s perspective from the outside,
by applications that act on behalf of individual subscribers
OAuth 2.0 provides 4 core grant types that address different situations. In
the case of the example described above, you could use the client creds grant
type for the first type of access. It should be possible to permit different
scopes to dif... (more)
Tokens are at the center of API access control in the Enterprise. Token
management, the process through which the lifecycle of these tokens is
governed emerges as an important aspect of Enterprise API Management.
OAuth access tokens, for example, can have a lot of session information
associated to them:
scope; client id; subscriber id; grant type; associated refresh token; an
SAML assertion or other token the oauth token was mapped from; how often
it’s been used, from where.
While some of this information is created during OAuth handshakes, some of it
continues to evolve througho... (more)
Imagine a fresh business relationship between ACME Corporation and Partner.
As a result of this relationship, ACME wants to grant Partner limited access
to one of its core internal applications. They do this, naturally, by
exposing a Web service.
Why Identity Federation?
Boris (an employee at Partner) sends a SOAP request to the ACME Web service
along with some password or proof-of-possession type credentials. Because
Boris's identity is managed outside of ACME, those credentials cannot be
authenticated using ACME's authentication infrastructure.
To circumvent this issue, one cou... (more)
The WS Secure Conversation specification describes a mechanism letting
multiple parties establish a context (using the WS Trust Request Security
Token standard) and secure subsequent SOAP exchanges. Each WS Secure
Conversation session has an associated shared secret. Instead of using this
shared secret directly to sign and encrypt the conversation's messages,
symmetric keys are derived from the secret itself. Deriving new keys for each
message and different keys for signature and encryption limits the amount of
data that an attacker can analyze in attempting to compromise the con... (more)
As the enterprise is increasingly taking notice of WOA (Web Oriented
Architecture) these days, the need for security guidelines and standards for
RESTful Web services is becoming more pressing. Sure, RESTful Web services
are meant to borrow existing security mechanisms from the web and HTTP Basic
over SSL, when done right, is a great way to accomplish shared-secret based
authentication. Yet, for better or for worse, it is common to find REST API
providers defining their own authentication mechanisms.
Take for example the Amazon S3 REST API’s custom HTTP authentication
scheme. Us... (more)
As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth.
Follow Francois on Twitter: @flascelles
Sue Poremba
Scott Sellers
Anthony Franco
Daniel Morris
Wayne Walls
Niki Acosta
Jereme Hancock
Oren Michels
Marvin Wheeler
Douglas Kim
