API Management : Securing APIs thanks to an API Manager
Mechanisms for securing APIs
Why do we need to secure APIs?
How can we do it?
What are the different strategies?
API Oriented Architecture : User Context relocation
What existed before : user session
The session is identified by a session id, generally stored in a cookie; in Java the cookie is named
JSESSIONID by default
It identifies the user session (one usage of the application) on the server side, and the current state
of the application.
That state includes the authentication-related information, which is what secures access to the application
Recall : the monolith
In the monolith, everything (state, authentication and authorization checks) is held and protected on the server
API Oriented Architecture : User Context relocation(2)
Now with an API Oriented Architecture:
The API is stateless, so it cannot keep any user session information itself
The state of the application is managed on the client
We need a mediation service (the API gateway) to enforce API security on every call
API Oriented Architecture : Security Strategies
There is mainly only one general strategy: token based
The concept is that the front-end application will use a token that will be the proof of its
SAML (Security Assertion Markup Language) Token: XML assertion, signed by an identity provider and verified by an intermediate
server
OIDC (OpenID Connect): JSON-based token (a JWT, JSON Web Token) issued by an authorization server
Those tokens have to be appended to each request in order to legitimate it (typically in the header Authorization: Bearer <token>)
OIDC
OIDC is an identity layer on top of OAuth 2. OAuth 2 is an authorization framework that defines how a client obtains
tokens; OIDC standardizes how authentication information is carried in those tokens (the ID token, a JWT).
OIDC defines the usage of several flows (the OAuth 2 grant types), each suited to a type of client:
Direct Access Grant (Resource Owner Password Credentials): the username and password are sent by the client to the Authorization Server,
which issues tokens directly. The client sees the user's password, so this grant is reserved for fully trusted first-party clients
and is considered legacy (it is dropped from the OAuth 2.1 draft)
Authorization Code Grant: the user is redirected to the Authorization Server's login page and authenticates there (the client
never sees the password); the Authorization Server returns an authorization code to the client, which exchanges it for tokens
at the token endpoint. This is the recommended flow for browser and mobile applications (with PKCE for public clients)
Client Credentials Grant: for back-to-back (machine-to-machine) communication, the client id and client secret are sent to the
Authorization Server and it returns an access token, with no user involved
OIDC : About tokens
For direct access grant, 2 tokens are issued (3 when the openid scope is requested: an ID token carrying the user's identity claims is added for the client)
Access Token: a short-lived bearer token that legitimates API calls; this is the one to append to every request
Refresh Token: longer-lived, allows to obtain a new access token when the current one expires without asking for the password again;
this represents the "session" state (just in terms of authentication/authorization). It is sent only to the Authorization Server's
token endpoint, never to the API
OIDC : Direct Access Grant Flow
OIDC in practice with an Authorization Server
OIDC : integration with API Manager
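The three slides above (about tokens, the Direct Access Grant flow, and the gateway integration) describe one round trip: the client sends the user's credentials to the token endpoint, receives an access token and a refresh token, presents the access token on every API call, and the gateway validates it before anything reaches the back end. The following is an added example, not Keycloak or APIMan code, that implements that round trip end to end as a toy. Keycloak signs tokens with RS256 and publishes its public keys on the realm's JWKS endpoint; to run offline this uses HS256 with a shared secret known to the authorization server and the gateway, and the realm URL, client id and user store are constructed assumptions.

```python
"""Toy OIDC/OAuth 2 round trip: Direct Access Grant issuance, refresh with
rotation, and gateway-side bearer-token validation. Added example, not
Keycloak or APIMan code. HS256 with a shared secret stands in for Keycloak's
RS256 + JWKS (assumption, to keep the example self-contained)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://keycloak.example/realms/demo"   # assumed realm URL
AUDIENCE = "my-api"                                # assumed client id of the API
SECRET = secrets.token_bytes(32)                   # assumed shared HS256 key
ACCESS_TTL, REFRESH_TTL = 300, 1800                # seconds

USERS = {"alice": "correct horse"}   # constructed user store
REFRESH_STORE: dict = {}             # refresh_token -> (subject, expiry)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def issue_tokens(sub: str, now: float) -> dict:
    """Short-lived access token (JWT) plus an opaque, longer-lived refresh token."""
    access = sign_jwt({"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
                       "iat": int(now), "exp": int(now) + ACCESS_TTL})
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = (sub, now + REFRESH_TTL)
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "Bearer", "expires_in": ACCESS_TTL}


def token_endpoint(form: dict, now: float = None) -> dict:
    """Authorization Server: handles grant_type=password and grant_type=refresh_token."""
    now = time.time() if now is None else now
    grant = form.get("grant_type")
    if grant == "password":                       # Direct Access Grant
        user, pw = form.get("username"), form.get("password", "")
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return issue_tokens(user, now)
        return {"error": "invalid_grant"}
    if grant == "refresh_token":
        entry = REFRESH_STORE.pop(form.get("refresh_token"), None)   # rotate: one use only
        if entry and entry[1] > now:
            return issue_tokens(entry[0], now)
        return {"error": "invalid_grant"}
    return {"error": "unsupported_grant_type"}


def verify_access_token(token: str, now: float = None) -> dict:
    """Gateway side: signature first, then exp / iss / aud. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    return claims


def gateway(request_headers: dict, now: float = None) -> tuple:
    """API gateway mediation: returns (status, body). Only validated calls reach the back end."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_access_token(auth[len("Bearer "):], now)
    except ValueError as exc:
        return 401, str(exc)
    return 200, f"hello {claims['sub']}"          # what the back-end API would answer


if __name__ == "__main__":
    resp = token_endpoint({"grant_type": "password", "username": "alice", "password": "correct horse"})
    print(gateway({"Authorization": "Bearer " + resp["access_token"]}))
    print(gateway({"Authorization": "Bearer " + resp["access_token"]}, now=time.time() + ACCESS_TTL + 1))
```

The order of checks in `verify_access_token` is the one that matters at a gateway: verify the signature before reading any claim, pin the algorithm instead of trusting the `alg` header, and only then check expiry, issuer and audience. Refresh tokens are rotated on use so a stolen one stops working after the legitimate client refreshes.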
Network Isolation
In order to isolate and protect the back-end APIs, which may themselves be weakly protected (they rely on the API Gateway mediation),
this kind of architecture can be found: the gateway is the only component exposed to clients and validates the token on every call,
while the back-end APIs sit on a private network reachable only from the gateway
Exercise
Set up a realm in Keycloak to secure your API on APIMan
Create a realm on Keycloak
Connect it to your ApacheDS instance (from the Advanced Databases Lectures)