Organizations can enable end-to-end API security with OAuth, OpenID Connect and ABAC
by Gerry Gebel for CSO Online
Modern technology is constantly making our lives easier. Our phones and the applications we use make it more convenient to work, play and listen. If you need door-to-door ground transportation, you can access a ridesharing app to immediately call for a ride. If you’re deciding what to wear to work, you can quickly pull up a weather app, so you don’t end up overdressed or underdressed. The examples of modern technologies simplifying our lives are endless.
The convenience of modern technology is changing the way humans live, work and play. An issue that is getting more attention these days is the fact that these apps often hold sensitive personal information. For example, many contain financial information that you don’t want compromised or shared inappropriately.
In addition, these apps often connect to other apps or websites and share your personal information or data about you. If you utilize one app, you may be unknowingly enabling access to other connected apps or services. In fact, according to this story, 70 percent of smartphone apps share your data with third-party services. And in some cases, it’s not entirely clear what data is being collected and shared. What we do see, however, is that app developers also prioritize convenience by using third-party code libraries. When is too much convenience a bad thing?
What is OAuth 2.0 and how does it work?
OAuth 2.0 is a standard for token-based delegated access that can be implemented by any developer. It enables an end user’s account information to be used by a third-party service without exposing the user’s login credentials. OAuth 2.0, released in October 2012, was a vast improvement over OAuth 1.0, incorporating field experience and additional use case requirements. Other standards, like OpenID Connect (OIDC), are profiles built on top of OAuth 2.0.
OAuth 2.0 and OIDC provide the building blocks to define and utilize tokens that carry information like scopes and user claims across security domains. As described above, the ability to access multiple websites using a single login credential is a powerful and convenient capability. However, OAuth 2.0 and OIDC do not define how authorization decisions are to be made: a valid token with a given scope tells the API who is calling and what was delegated, not whether this caller may perform this action on this resource.
Why is OAuth so important today?
Since its publication, OAuth 2.0 and profiles such as OIDC have seen widespread adoption for delegated access control use cases. Developers have a well-defined set of tools to incorporate OAuth 2.0 and/or OIDC into their applications. Users only have to apply a single set of login credentials to access multiple websites.
In many implementations, OAuth 2.0 is also utilized to provide microservices and APIs with enhanced security measures. Protecting an API architecture often requires an API gateway that either provides its own security capabilities or integrates with an external Identity Provider that handles authentication, delegated access and other requirements. OAuth 2.0 can then complement the API gateway by providing an access control mechanism to validate identities, manage and validate tokens, and support other scenarios.
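The two points above, that OAuth tokens carry scopes and user claims but leave the authorization decision undefined, and that a gateway uses OAuth to validate tokens in front of an API, are illustrated by the following example. It is added here and is not code from the article or from any product it mentions. It assumes a hypothetical authorization server issuing HS256-signed JWT access tokens with a constructed shared secret (a production gateway would verify RS256/ES256 signatures against the issuer’s published keys), a hypothetical resource server identifier "accounts-api", and a constructed owner attribute on each resource. The gateway first validates the token (algorithm, signature, issuer, audience, expiry), then applies an attribute-based rule that OAuth itself does not specify: the scope gates the action, and the resource owner must match the token subject unless the caller carries an auditor role.

```python
"""Constructed example: token validation at an API gateway, followed by an ABAC decision."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real gateway would fetch the authorization server's public keys.
SIGNING_KEY = b"constructed-demo-secret-do-not-use"
EXPECTED_ISSUER = "https://auth.example.test"   # hypothetical authorization server
EXPECTED_AUDIENCE = "accounts-api"              # hypothetical resource server identifier


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the authorization server: produce an HS256-signed JWT for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Gateway-side checks: algorithm, signature, issuer, audience, expiry. Returns claims or raises ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must never be allowed to choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, action: str, resource: dict) -> bool:
    """ABAC rule layered on the validated token. OAuth defines the scope claim; this rule is the
    deployment's own policy: scope gates the action, and the caller must own the resource unless
    reading as an auditor (a constructed role attribute)."""
    scopes = set(claims.get("scope", "").split())
    required = {"read": "accounts:read", "write": "accounts:write"}[action]
    if required not in scopes:
        return False
    if resource["owner"] == claims["sub"]:
        return True
    return action == "read" and claims.get("role") == "auditor"


def gateway_decision(token: str, action: str, resource: dict, now=None) -> str:
    """Return an HTTP-style outcome string: 401 for token problems, 403 for policy denial."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as err:
        return f"401 {err}"
    return "200 allowed" if authorize(claims, action, resource) else "403 forbidden"


NOW = 1_700_000_000  # fixed clock so the demo is deterministic


def demo_token(**overrides) -> str:
    """Constructed access token for user 'alice' with read scope; keyword overrides alter claims."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
              "scope": "accounts:read", "exp": NOW + 300}
    claims.update(overrides)
    return mint_token(claims)


if __name__ == "__main__":
    acct = {"id": "acct-1", "owner": "alice"}  # constructed resource with an owner attribute
    print(gateway_decision(demo_token(), "read", acct, now=NOW))                 # 200 allowed
    print(gateway_decision(demo_token(), "write", acct, now=NOW))                # 403 forbidden
    print(gateway_decision(demo_token(sub="bob"), "read", acct, now=NOW))        # 403 forbidden
    print(gateway_decision(demo_token(exp=NOW - 1), "read", acct, now=NOW))      # 401 token expired
```

The split between a 401 (the token is not acceptable) and a 403 (the token is fine but policy says no) is the practical consequence of the article’s point: OAuth and OIDC get you as far as a trustworthy set of claims, and everything after that is an authorization decision the deployment has to make itself.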