
Securing APIs With WSO2 Microgateway


In this article, we discuss how to better manage API security, with WSO2 Microgateway as a potential solution.


Introduction

APIs handle practically every function in modern organizations. From booking a movie ticket to processing complex bank transactions, APIs play an important role. Organizations expose their services via APIs to the public and also internally in order to expand their business opportunities and increase revenue. 

As a result, APIs are used by many parties, both inside and outside the organization. It is therefore essential that only authorized users can invoke a given API, so that the data and services an organization exposes through its APIs are not misused.

API Security

There are two main categories of API security:  

  1. Transport Layer Security.

  2. Application Level Security.

Transport Layer Security

Transport Layer Security (TLS) protects the confidentiality and integrity of communication between two parties. The server (and, with mutual TLS, the client as well) presents an X.509 certificate so that the peer can authenticate it; the session itself is encrypted with keys negotiated during the handshake, so an eavesdropper on the network can neither read the traffic nor alter it unnoticed. Note that the certificate authenticates the party; it is not the key that encrypts the data.

In the modern API-driven ecosystem, proper TLS is mandatory. Every application-level credential described below (passwords, API keys, tokens) is a bearer secret that can be replayed by anyone who captures it in transit, so none of them is safe without TLS underneath.

Application Level Security

Application security is vital for any API to prevent unauthorized access to backend services and data. 

There are multiple mechanisms that can be used for application-level security. These include:

  1. API Key Authentication

  2. Basic Authentication

  3. OAuth2

  4. JSON Web Token (JWT) Authentication

Basic Authentication

Basic authentication is a simple mechanism in which the client sends its credentials in the Authorization header as `Basic base64(username:password)`. This is the most basic mode of API authentication. Base64 is an encoding, not encryption: anyone who can read the header can recover the password, and the credential is resent on every request, so Basic authentication must only be used over TLS.

API Key

API Key authentication is a simple mechanism for identifying the user or application invoking the API by a static secret. Unlike OAuth2, it does not need an authorization server: the API provider issues the key and the gateway checks the presented key against the keys it knows. The key can be sent as a query parameter, in a header, or in any other way the server permits; keys in the query string end up in access logs, proxies and browser history, so a header is preferable. Because a plain key carries no expiry or per-user scope of its own, this method is best suited for API testing, API developers, or internal use within an organization.
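As an added example (not code from the article or from the WSO2 project), the following Python shows how a gateway would check the two schemes just described: a Basic header is decoded and the password compared in constant time against a stored hash, and an API key is read from a configurable header or, failing that, a configurable query parameter and matched by hash so the raw key is never stored. The user names, passwords, key values and parameter names are constructed for the example; the salted SHA-256 stands in for a proper password hash such as bcrypt or Argon2.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed credential stores; all values are assumptions for this example.
# A fixed salt and SHA-256 keep the block stand-alone; production password
# storage should use a slow, per-user-salted hash (bcrypt, scrypt, Argon2).
_SALT = b"example-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


BASIC_USERS = {"alice": _pw_hash("s3cret")}

# API keys are stored hashed, never in the clear; map hash -> owner.
API_KEYS = {hashlib.sha256(b"key-for-bob").hexdigest(): "bob"}


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Return the user name if 'Authorization: Basic <base64(user:pass)>' is valid, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        # validate=True rejects garbage instead of silently ignoring bad characters
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Hash even for unknown users so the response time does not reveal which names exist.
    stored = BASIC_USERS.get(user, _pw_hash(""))
    ok = hmac.compare_digest(stored, _pw_hash(password))
    return user if ok and user in BASIC_USERS else None


def authenticate_api_key(headers: dict, url: str,
                         header_name: str = "apikey",
                         query_name: str = "apikey") -> Optional[str]:
    """Return the key owner; the configured header wins over the query parameter.

    `headers` is assumed to carry lower-cased header names.
    """
    key = headers.get(header_name)
    if key is None:
        key = parse_qs(urlsplit(url).query).get(query_name, [None])[0]
    if key is None:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    # Constant-time comparison against every stored hash: no early exit on the first byte.
    owner = None
    for stored_digest, candidate in API_KEYS.items():
        if hmac.compare_digest(stored_digest, digest):
            owner = candidate
    return owner
```

A gateway would normally run `authenticate_api_key` only when the API definition declares the API key scheme for that resource, and would log rejected attempts with the parameter name but never the key value.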

OAuth2

OAuth2 is the industry-standard authorization protocol, based on access tokens. To invoke an API, the client must first obtain an access token by presenting credentials to an Authorization Server. Depending on the grant type, those credentials can be the end user's user name and password or the application's own client credentials. After validating them, the Authorization Server issues a token with a limited lifetime, and the client then invokes the API with that token, normally in an `Authorization: Bearer` header.

The token may be a JWT or an opaque string, depending on the Authorization Server implementation. The difference matters to the gateway: a JWT can be validated locally from its signature and claims, whereas an opaque token can only be validated by asking the server that issued it.

API Security With WSO2 Microgateway

WSO2 Microgateway is a lightweight, super-fast, cloud-native, developer-focused, and 100% open-source product which enables you to expose microservices as managed APIs. It also provides an easy to use, strong security layer for APIs which helps the user to easily configure and enforce proper authentication/ authorization mechanisms to secure their APIs.

WSO2 Microgateway provides several features in securing APIs:

  • API Key Issuer and API Key Authentication

  • JWT Authentication and Support for Multiple JWT Issuers

  • Mutual SSL Authentication for APIs

  • Support Multiple Security Schemes for APIs

  • Support Combining Authentication schemes

  • Internal/ External key manager support

API Key Issuer and Authentication

WSO2 Microgateway ships with a Security Token Service (STS) that can issue API Keys for invoking the APIs exposed via Microgateway. The generated API Key is a self-contained JSON Web Token (JWT) carrying information such as the user, subject and issuer, and it is signed so that the gateway can verify it without calling back to the STS.

Microgateway can also be configured to issue API Keys that grant access only to specific APIs. This is useful when running multiple MGW instances, since a key can then be restricted to the APIs published on the instance that issued it. Other parameters, such as the validity period and the signing certificate, are configurable as well; the full list of configuration parameters is in the product documentation.

To use API Key authentication, the security scheme must be declared in the API definition. WSO2 Microgateway accepts the API Key as a header or as a query parameter, and the parameter name is configurable. Different resources of the same API can even use different API Key headers.

JWT Token Authentication

JWT validation is built into the gateway itself: WSO2 Microgateway verifies the signature and expiry of JWTs issued by a trusted Authorization Server locally, in the gateway. If the token is self-contained, Microgateway can also perform subscription validation and scope validation from the claims the token carries.

Support for Multiple JWT Issuers

WSO2 Microgateway can be configured with multiple trusted JWT issuers. This helps organizations that use more than one trusted auth provider (key manager). During validation, the JWT is checked sequentially against each configured issuer until one accepts it, so each issuer's signing certificate must be configured on the gateway and a token is accepted only if it verifies under one of them.
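As an added example, not code from the article or from WSO2 Microgateway, the following Python shows the behaviour described in the API Key Issuer section and the two JWT sections above on a minimal self-contained JWT: an issuer mints a signed token, the gateway tries each trusted issuer in turn and accepts the token only when the signature verifies under that issuer's key and the `iss` claim names the same issuer, then applies the per-API restriction and the scope check. HS256 with a shared secret is used so the block runs stand-alone (a real gateway verifies RS256/ES256 signatures against each issuer's certificate); the issuer URLs, secrets, the `allowedAPIs` claim name and the API names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed trust store: issuer URL -> HS256 secret shared with that issuer.
# Issuer names and secrets are assumptions for this example.
TRUSTED_ISSUERS = {
    "https://idp-a.example.com": b"issuer-a-secret",
    "https://idp-b.example.com": b"issuer-b-secret",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(issuer: str, claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT; stands in for the STS / authorization server."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, **claims}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now: int) -> Optional[dict]:
    """Verify signature and expiry under ONE key; return the claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm to what this key is for; never let the token choose
        # (this also rejects alg=none).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
            return None  # a gateway token without an expiry is not acceptable
        if claims["exp"] <= now:
            return None
        return claims
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None


def validate_with_trusted_issuers(token: str, now: int,
                                  issuers: dict = TRUSTED_ISSUERS) -> Optional[dict]:
    """Sequential multi-issuer validation: accept only if the signature verifies
    under an issuer's key AND the token's iss claim names that same issuer."""
    for iss, key in issuers.items():
        claims = verify_jwt(token, key, now)
        if claims is not None and claims.get("iss") == iss:
            return claims
    return None


def authorize(token: str, api_name: str, required_scope: str, now: int) -> bool:
    """Gateway decision for one request: trusted issuer, key allowed for this
    API (if the key was issued restricted), and the resource's scope present."""
    claims = validate_with_trusted_issuers(token, now)
    if claims is None:
        return False
    # 'allowedAPIs' is a hypothetical claim name standing in for the per-API
    # restriction the API Key issuer can embed; a key without it is unrestricted.
    allowed = claims.get("allowedAPIs")
    if allowed is not None and api_name not in allowed:
        return False
    return required_scope in claims.get("scope", "").split()
```

Binding the `iss` claim to the key that verified it is what makes the sequential loop safe: without that check, a token minted by issuer A could claim to be from issuer B and inherit whatever trust or subscriptions B's tokens carry.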

Mutual SSL Authentication for APIs

In WSO2 Microgateway, an API can be secured with mutual SSL (mutual TLS), where the API client authenticates by presenting its own client certificate during the TLS handshake. When an API is secured with mutual SSL, the client does not need to provide credentials or tokens to invoke it; its identity is established by the certificate alone, so the set of CAs the gateway trusts for client certificates must be tightly controlled.

Support Multiple Security Schemes for APIs and Resources

WSO2 Microgateway supports the following security schemes for securing APIs:

  • API Key

  • JWT token authentication

  • OAuth2 

  • Basic Authentication

  • Mutual SSL Authentication

In WSO2 Microgateway, a security scheme can be enforced globally at the API level or separately for each resource.

Support for Combined Authentication Schemes

With WSO2 Microgateway, you can combine transport-level security (mutual SSL) with application-level security on the same API. The API can then be invoked either with a client certificate over mutual SSL or with the application-level mechanism specified (OAuth2, API Key, etc.).

Internal/ External key manager support

WSO2 Microgateway supports either WSO2 API Manager or a third-party key manager as its Key Manager. When WSO2 API Manager is the key manager, Microgateway can also validate subscriptions.

Internal Key Manager

WSO2 API Manager can be configured as an internal key manager for Microgateway. In this configuration, Microgateway calls the APIKeyValidation service of API Manager, which lets Microgateway accept opaque tokens while still performing subscription validation.

External Key Manager

A third-party key manager can be configured as an external key manager. In this configuration, Microgateway calls the third-party key manager's token introspection endpoint to validate the access token, so opaque tokens from that provider can be accepted; subscription validation is only available with WSO2 API Manager as the key manager.
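As an added example (not code from the article or from WSO2 Microgateway), the following Python shows the two halves of an introspection-based check against an external key manager: building the RFC 7662 request, in which the gateway authenticates to the key manager with its own client credentials and posts the opaque token as a form field, and evaluating the JSON response, where the token is accepted only if `active` is literally `true`, the `exp` field (if present) has not passed, and the required scope is listed. The endpoint URL, client credentials and the sample responses are constructed for the example; no network call is made.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Hypothetical external key manager settings; all values are assumptions.
INTROSPECT_URL = "https://km.example.com/oauth2/introspect"
GATEWAY_CLIENT_ID = "microgateway"
GATEWAY_CLIENT_SECRET = "gw-secret"


def build_introspection_request(token: str) -> dict:
    """Describe the RFC 7662 call: POST form body, gateway authenticates with HTTP Basic.

    Returned as a plain dict (method/url/headers/body) so any HTTP client can send it.
    """
    creds = base64.b64encode(f"{GATEWAY_CLIENT_ID}:{GATEWAY_CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "url": INTROSPECT_URL,
        "headers": {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def evaluate_introspection(response_body: str, required_scope: str, now: int) -> Optional[dict]:
    """Return the introspection claims if the token may be used, else None."""
    try:
        info = json.loads(response_body)
    except ValueError:
        return None
    # RFC 7662: an inactive token yields {"active": false}; require the JSON boolean true,
    # not a truthy string, so a misconfigured provider cannot accidentally grant access.
    if not isinstance(info, dict) or info.get("active") is not True:
        return None
    exp = info.get("exp")
    if exp is not None and (not isinstance(exp, int) or exp <= now):
        return None  # guards against a cached or late introspection result
    if required_scope not in info.get("scope", "").split():
        return None
    return info


# Constructed sample responses shaped as in RFC 7662 section 2.2.
SAMPLE_ACTIVE = json.dumps({
    "active": True, "client_id": "app1", "username": "alice",
    "scope": "read write", "exp": 1700000300, "sub": "alice",
})
SAMPLE_INACTIVE = json.dumps({"active": False})
```

Because every introspection call is a round trip to the key manager, gateways usually cache positive results briefly; the `exp` check above is what keeps such a cache from outliving the token.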

Conclusion

This article focuses on the security aspects of APIs, which is a crucial part of any API management solution. There are several methods to secure APIs as discussed in this article. WSO2 Microgateway, as a solution for exposing microservices as managed APIs, supports a vast array of security features which can be easily configured to suit the API Security requirements of the organization.

Download the latest version of WSO2 Microgateway and Microgateway tool kit and try it out for yourself.


Opinions expressed by DZone contributors are their own.
