Over a million developers have joined DZone.

Securing APIs

· Cloud Zone

Learn about the benefits and drawbacks of microservices with best practices for your own architecture, brought to you in partnership with Iron.io.

One of the key questions which comes up in API Management is about which authentication scheme to use. Gunnar Peterson has written, in a different context, about the benefit to the security architect of providing a menu of authentication schemes to use. Some clients are limited by what authentication scheme they can handle, and by providing a "menu" of authentication schemes at the API Gateway level, this can be handled. Within a policy (expressed as a "circuit" in the Vordel Gateway) you can handle clients differently depending on how they authenticated.

So which API authentication schemes are on the "menu"? Of course there is HTTP Digest Auth and mutual SSL. But there are specific API authentication schemes similar to Amazon's Query API authentication. If you want to learn more about this API authentication option, then on the Vordel website there is a video example showing API authentication for iPhone apps and Facebook as clients.

If you push the video on to the 20 minute mark, and listen for a few minutes, you can learn about how the Vordel Gateway provides the API security, making use of HMAC digests with SHA1. If you're familiar with the Amazon Web Services Query authentication, you will recognize this:


So the options for API authentication balance flexibility (providing customers with a menu of authentication options) and security (policies which vary access depending on which scheme the client uses). A Gateway provides this balance, versus hardcoding the scheme into the API itself.

The Cloud Zone is brought to you in partnership with Iron.io.  Learn about best practices and common pitfalls for working with Iron.io. Avoid the dead ends, and take the enlightened path.

Topics:

Published at DZone with permission of Mark O'Neill , DZone MVB .

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}