Authorization for APIs with XACML and OAuth 2.0

by Asela Pathberiya · Oct. 27, 14 · Interview

In this blog post, let's see how we can use XACML to authorize APIs. I assume you are familiar with OAuth 2.0, so let's go directly to the diagram.

[Diagram: xacml-oauth1]

  • An OAuth access token is granted to the application by the OAuth Authorization Server. The application can use the access token to access the API resources in the gateway.
  • When a request is received with an access token, the API Gateway can validate the OAuth access token by calling the OAuth Authorization Server.
  • If access token verification is successful, the API Gateway can forward the request to the desired back end web service.

So, if we want to provide fine-grained authorization for APIs, the best way is to use an XACML-based authorization approach.

Where authorization must happen

According to the diagram above, XACML authorization can be done in two places.

1. Within the OAuth Authorization Server. After the OAuth Authorization Server verifies the OAuth access token, it can create a XACML request.

The XACML request could contain the following:

  • End user name
  • Application name or ID
  • API that is going to be accessed
  • HTTP verb
  • Token scope

In most use cases, the API Gateway wants to know whether this access token (end user) or application can access the given API or not. Therefore the XACML request can be created with:

  • End user name (or application ID/key) as the XACML subject
  • API name and version as the XACML resource
  • HTTP verb as the XACML action

The XACML request is sent to the PDP for an authorization decision.

2. Within the API Gateway. After the validation decision is received by the gateway, it can further validate the authorization before the request is forwarded to the back end service.

The XACML request can contain the relevant things mentioned above. It can be generated at the API Gateway and sent to the PDP for an authorization decision.
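As an added illustration (not code from the original post, nor from WSO2), here is how a PEP could map the validated-token data described above onto a XACML 3.0 request (end user as subject, API name/version as resource, HTTP verb as action) and interpret the PDP's answer with a deny-by-default rule. The attribute ids and categories are the standard XACML 3.0 ones; the user, API and PDP response values are constructed samples.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard XACML 3.0 category / attribute-id pairs for the three attributes the post maps.
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def build_request(user, api_name, api_version, http_verb):
    """Map validated-token data onto a XACML 3.0 Request:
    end user -> subject, API name/version -> resource, HTTP verb -> action.
    Values go in via ElementTree so they are XML-escaped, never string-spliced."""
    values = {"subject": user,
              "resource": f"{api_name}/{api_version}",
              "action": http_verb.upper()}
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     CombinedDecision="false", ReturnPolicyIdList="false")
    for key, (category, attr_id) in CATEGORIES.items():
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=category)
        attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue",
                      DataType=XS_STRING).text = values[key]
    return ET.tostring(req, encoding="unicode")


def is_permitted(response_xml):
    """PEP-side handling of the PDP response: only a single, explicit Permit
    grants access. Deny, NotApplicable, Indeterminate, several Results or an
    unparseable response all fall through to deny."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    decisions = [d.text for d in root.iter(f"{{{XACML_NS}}}Decision")]
    return len(decisions) == 1 and decisions[0] == "Permit"


# Constructed sample PDP response (not captured from a real PDP).
PERMIT_RESPONSE = (f'<Response xmlns="{XACML_NS}"><Result>'
                   '<Decision>Permit</Decision></Result></Response>')
```

The same request builder applies whether the PEP sits in the OAuth Authorization Server or in the API Gateway; only the transport to the PDP differs.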

I think the best place to do the authorization (to keep the PEP) is within the OAuth Authorization Server, not within the API Gateway.

  • In a proper deployment, the API Gateway is in the DMZ. The OAuth Authorization Server and PDP would be in the LAN, as the enterprise user store must be exposed to them. Therefore only one service call from the API Gateway into the LAN is required. If the XACML PEP were within the API Gateway, there could be two requests into the LAN.
  • Usually the OAuth Authorization Server and PDP can be embedded into one server. This gives a good performance gain, as it avoids the service call between PEP and PDP. But the API Gateway and PDP cannot be embedded together, because the API Gateway is normally in the DMZ and the enterprise user store cannot be exposed to it. Also, the API Gateway is fully optimized for message mediation and message processing, so it may be hard to balance resource utilization properly once the PDP is within the same server.

API Authorization with WSO2 Identity Server and API Manager

Identity Server can act as an OAuth Authorization Server. It is also a well-known XACML PDP.

API Manager is a full API solution that consists of an API Gateway, publisher, store and key manager. More details about the architecture can be found here. In API Manager, the Key Manager acts as the OAuth Authorization Server, and it can be replaced with Identity Server as well.

Identity Server and API Manager provide an extensible architecture where you can plug in extension points. Therefore we can extend them to support XACML-based authorization. Let's see how we can do it.

We assume that the XACML engine has been embedded into the OAuth Authorization Server. You can use Identity Server as the Key Manager, or you can install the XACML features in API Manager. Please find more details here.

1. Let's extend the default scope handler of the OAuth2 component and implement a new scope handler that calls the XACML PDP. Please find the project here. You can go through the project and modify it as you wish.

2. Deploy the custom scope handler by copying the org.xacmlinfo.xacml.oauth.scope-1.0.0.jar OSGi bundle file into the <HOME>/repository/components/dropins directory.

3. Register the custom scope handler by adding the following element under the <OAuth> element in the identity.xml file, which can be found at <HOME>/repository/conf:

<OAuthScopeValidator class="org.xacmlinfo.xacml.oauth.scope.XACMLScopeValidator"/>

If you need the scope handler to call a remote XACML PDP, you need to modify it with an entitlement client that calls the Entitlement Service. You can find more details about the Entitlement Service here.

Let's build some XACML samples with OAuth in the next blog post!


Published at DZone with permission of Asela Pathberiya, DZone MVB. See the original article here.
