Apidays Paris 2023 - Securing Microservice-based APIs, Michal Trojanowski, Curity

Transcript

1. Securing Microservice-based APIs Michał Trojanowski Product Marketing Engineer @ Curity

   @[email protected]

2. How APIs Grow

3. API Gateway Breadth-grown API Depth-grown APIs

4. API Security Maturity API Keys and Basic Authentication Token-Based Authentication

   Token-Based Authorization API-Key: abcdef

5. Common Security Problem

6. Breadth-grown APIs Client Undocumented endpoints API Gateway

7. Depth-grown APIs Client API Gateway external service !

8. What are the Options?

9. Change the Optics Access Token What is the caller authorized

   to do? Who is calling?

10. Breadth-grown APIs scope: read Require scope “write” Client Undocumented endpoints

    API Gateway scope: read

11. Read past transactions Read future transactions Create transactions Modify transactions

    Update transactions

12. Read and manage transactions

13. Claims-based Authorization API Gateway sub: [email protected] client_id: mobile-app sub: [email protected]

    client_id: background-app

14. Token Sharing — Exchanging Tokens

15. Token Sharing — Embedding Tokens

16. - Identity Chaining across Trust Domains (https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-i dentity-chaining/) - Multi-token

    Container Data Structure (https://datatracker.ietf.org/doc/draft-richer-wimse-token-cont ainer/) Proposed Standards

17. Entitlement Management Systems

18. Key Takeaways • Merely implementing OAuth and using access tokens

    might not be a sufficient security measure for large APIs. • Remember that access tokens are not related to user sessions. • Limit the capabilities of a token: • use claims-based authorization • implement proper token sharing techniques

19. Thank You! curity.io developer.curity.io @curityio [email protected] Come meet us at

    our booth in Partner Village!