The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications because of their proven advantages, such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
6. Challenges in Securing Microservices
- Broader attack surface due to a large number of entry points
- Security screening should be enforced at each endpoint level
- Performance
- Sharing user context
- Observability
  - Audit and application logging
  - Health check
  - Metrics
- Deployment complexities
  - Provisioning keys
7. Should we add a complex security stack over microservices themselves? (Diagram: an AUTH layer repeated in front of each microservice.)
8. Should we add a complex security stack over microservices themselves? No.
A microservice:
- performs one and only one business function
- does that one thing best!
10. API Gateway
- Handling security is delegated to the API Gateway.
- Microservices can focus only on their business logic.
- Solves the multiple entry point problem.
11. API Gateway
- Responsible for three main functionalities from a security point of view:
  - Authentication and Authorization
  - Protection against malicious content
  - Abnormal pattern detection
13.
- APIs are mostly exposed to external users.
- Three parties are involved:
  - API Creator
  - Application Creator
  - End User
- Access delegation is important.
14. OAuth 2.0
- OAuth 2.0 is the de-facto standard for API security.
- Solves the requirement of access delegation when three parties are involved.
- Multiple grant types to support various use cases: password, client-credentials, authorization-code, ...
- Two types of tokens:
  - Self-contained access tokens (JWTs)
  - Reference tokens (opaque tokens)
15. Self Contained Access Tokens (JWTs)
- A JSON payload with header and signature sections
- Signed using a shared secret or a public/private key pair
- Contains all the information required for validation
- A better approach for the microservice world
18. OAuth 2.0 - Grant Types
- Password Grant
  - Simple to implement
  - Less secure
  - Can be used when the Client and the Authorization Server belong to the same entity.
19. OAuth 2.0 - Grant Types
- Authorization Code
  - Authenticates the user at the Authorization Server.
  - The user doesn't pass their credentials to the Client Application.
  - The Client Application can ensure that the access token will not be exposed to any 3rd party (not even the User Agent).
  - Suitable for traditional web applications.
20. Authorization Code flow (diagram). Participants: Resource Owner, Application (OAuth Client), OAuth Authorization Server, OAuth Resource Server. Prerequisite: the client application is registered with the Authorization Server, manually or via Dynamic Client Registration. Message labels in the diagram: Authorize Request (clientId); 302 redirect; Authenticate + Consent; Authz Code; Access Token Request (clientId + clientSecret + code); Access Token; Resource Request with Access Token; Introspect.
21. Securing Single Page Apps and Mobile Apps
- Single Page Apps (SPAs) and Mobile Apps are becoming increasingly popular.
- They provide users with a rich and responsive user interface.
- The common security mechanism in use:
  - Authorization Code with a public, untrusted client
    - Client authentication is not performed.
  - PKCE (Proof Key for Code Exchange)
22. Authorization Code with PKCE
- OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack.
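The mitigation the deck names, worked through as an added example (not code from the deck or from WSO2): the S256 code_verifier/code_challenge pair of RFC 7636 on the client side, and the checks an authorization server must make at the token endpoint so that a code obtained without the verifier cannot be exchanged. `AuthorizationServer` and the client id `spa-demo` are a constructed minimal model.

```python
# Added example (not from the deck): PKCE (RFC 7636, S256) as a public client
# performs it and as an authorization server must check it at the token endpoint.
# AuthorizationServer is a constructed minimal model, not any real product.
import base64, hashlib, hmac, secrets

def make_code_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()

def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class AuthorizationServer:
    """Remembers the challenge bound to each issued authorization code."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")  # refuse 'plain'
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code  # delivered to the client via the redirect URI

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, challenge = entry
        if bound_client != client_id:
            raise PermissionError("invalid_grant: code issued to another client")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_request: bad code_verifier length")
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

def pkce_flow(server: AuthorizationServer, client_id: str = "spa-demo") -> dict:
    """The honest client: keep the verifier local, send only its challenge up front."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)
```

The server side is where the protection lives: it must bind the challenge to the code, accept each code once, and compare the recomputed challenge in constant time.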
24. OAuth 2.0 - Grant Types Contd.
- Client Credentials
- Implicit
- JWT Bearer Grant
- SAML Bearer Grant
25. OAuth 2.0 - Scopes
- Enable fine-grained access control to API resources
- Limit the amount of access granted to an access token
- i.e., the scopes specify what the Client Application can do on behalf of the end user.
28. Other Authentication Mechanisms
- API Key
  - A secret token that only the API client and the server know
- Basic Authentication
  - Standard HTTP Authorization header with a base64-encoded username and password value:
    Authorization: Basic base64-encoded(username:password)
29. Other Authentication Mechanisms
- Mutual TLS (Transport Layer Security)
  - Service-to-service authentication over a trusted channel
30. Open Policy Agent (OPA)
- A lightweight general-purpose policy engine that can be co-located with the service
- OPA can be integrated as a library, a sidecar, or a host-level daemon
31. Propagating Trust and User Identity
- API backends might require an authenticated user context for internal authentication and business functionality
- The user context has to be passed from the API gateway to the backend after the authentication process
- JWT tokens can be used to propagate, between interested parties:
  - one's identity
  - user entitlements
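Slides 15, 25 and 31 together describe what an API gateway does with a self-contained token: verify the signature and claims, enforce scopes, then pass the user context to the backend as a JWT. The added example below (not code from the deck or from WSO2 API Manager) implements that for HS256 tokens with the standard library; the secrets, the audiences `api-gateway` and `orders-backend`, and the scope names are constructed for the example.

```python
# Added example (not from the deck): HS256 JWT helpers for an API gateway that
# validates an inbound self-contained token, enforces a required scope, and then
# mints a short-lived backend JWT carrying the user identity. All values constructed.
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, exp and aud all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never honour 'none'
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def gateway_forward(token, required_scope, inbound_secret, backend_secret, now=None):
    """Gateway step: validate the client's token, enforce the scope, then mint a
    60-second backend JWT that carries the user identity and the granted scope."""
    claims = verify_jwt(token, inbound_secret, audience="api-gateway", now=now)
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"scope {required_scope!r} not granted")
    now = time.time() if now is None else now
    return sign_jwt({"iss": "api-gateway", "aud": "orders-backend", "sub": claims["sub"],
                     "scope": required_scope, "iat": int(now), "exp": int(now) + 60},
                    backend_secret)
```

The backend then verifies the forwarded token against its own secret and audience, so a token that was valid only at the gateway cannot be replayed directly at the backend.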
38. Webinars to Follow
- November 19 - Cloud Native APIs: The API Operator for Kubernetes
- November 21 - Mine Your APIs for Gold: API Monetization
- December 03 - Beautifying the Beautiful: Theming WSO2 API Manager
- December 05 - Building a CI/CD Pipeline for APIs