APIs have become the backbone of many services – from the weather forecast to delivery notifications and photo printing services. Not only can we consume data and services more readily through those APIs but we can also mash them up into greater services.
To do so, we tackled API security through OAuth and OpenID Connect. They form a good basis to handle authentication and basic authorization delegation, but there is so much more to consider from an authorization perspective.
This session will discuss how security concerns can be addressed through policy-driven authorization in a way that meets the needs and expectations of application developers, owners, and auditors alike. We will show how complex access policies can be handled through a dedicated authorization microservice. With this approach, you can automate security deployment changes within the same CI/CD pipelines used for application management. Furthermore, new deployment configurations are possible, such as implementing the authorization service as a sidecar, to meet advanced performance and scale requirements. All this without changing a single line of code.
What you’ll learn:
- A true comparison of authorization approaches for services
- The limitations when only using tokens and scopes
- The ten commandments of authorization
- How to get started with ABAC for your APIs and microservices