API Security
As organizations move toward enterprise mobility and expose their backend services as REST APIs consumed over HTTP/HTTPS by many clients, securing the communication between client and server becomes essential. Exposed REST APIs must be protected against unauthorized access and abuse.
With App42 API Gateway you can apply authentication policies to your APIs so that only authenticated users can call them. You can also authorize users per API: one IAM user may be allowed to access certain APIs while other IAM users are allowed to access different ones.
Note: An IAM user is an authenticated caller. If an authentication policy is applied to an API, only IAM users who have been granted permission on that API can access it.
Note: If no authentication policy is applied to an API, the API is public and can be called by anyone.
Note: Applying an authentication policy also lets you monitor the API requests coming from a specific partner or IAM.
TIP: To keep your APIs secure, make sure an authentication policy is applied to each of them.
App42 API Gateway comes with two types of Authentication Policies as mentioned below:
Key Based Authentication Policy:
The Key Based Authentication Policy authenticates each request with an API/IAM Key and a Secret Key. The client passes the API/IAM Key in the request, and the Gateway uses it to identify the caller. The Secret Key is used to sign the request on the client and to validate that signature on the Gateway (if Signature Validation is enabled in the policy); it should never be transmitted in the request itself. The policy can also validate the timeStamp passed in the request to protect the API against replay attacks: enable the Timestamp Validation option and pass the timeStamp (in UTC) in the request header on every API call.
Steps to create Key Based Authentication Policy:
- 1. Go to Policies -> Authentication -> Click on Create
- 2. Provide a policy name and select Auth Type as Key
- 3. Select Signature Validation (together with Timestamp Validation) if you want requests under this key based policy to be signed
Note: You can also select Timestamp Validation on its own to validate the timeStamp without a signature.
To use signature validation, the client must generate the signature from five inputs (name, version, apiKey, timeStamp and body) using its Secret Key.
For more info on how to generate the signature, refer to this link.
- 4. Click on Create and your policy will get created
- 5. You can edit your policy as well as delete it
Note: A policy that is attached to any API or IAM cannot be deleted.
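The following is an added example of how the signing and validation described above fit together; it is not App42's code. The page states only that the signature is computed from name, version, apiKey, timeStamp and body with the Secret Key and that the timeStamp is sent in UTC. The canonical string, the HMAC-SHA256 algorithm, the header names, the timestamp format and the five-minute replay window below are assumptions standing in for the page's linked signing guide, and the IAM key store is constructed. It shows the client building a signed request and the gateway rejecting a tampered body, a replayed request and a caller that knows the key but not the secret.

```python
"""Key-based request signing with timestamp validation (client and gateway side).

Added example, not App42 code. Canonical string, MAC algorithm, header names,
timestamp format and replay window are ASSUMPTIONS; the real ones are in the
page's linked signing guide. IAM_SECRETS is a constructed key store.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"   # assumed UTC timestamp format
REPLAY_WINDOW = timedelta(minutes=5)   # assumed tolerance for clock skew and replay
IAM_SECRETS = {"demo-iam-key": "demo-iam-secret"}   # constructed gateway-side key store


def canonical_string(name, version, api_key, timestamp, body):
    """Join the five signed fields in a fixed order so client and gateway MAC identical bytes."""
    fields = {"apiKey": api_key, "body": body, "name": name,
              "timeStamp": timestamp, "version": version}
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields))


def sign(secret_key, name, version, api_key, timestamp, body):
    """HMAC-SHA256 over the canonical string, Base64-encoded (assumed MAC)."""
    msg = canonical_string(name, version, api_key, timestamp, body).encode()
    return base64.b64encode(hmac.new(secret_key.encode(), msg, hashlib.sha256).digest()).decode()


def build_signed_headers(api_key, secret_key, name, version, body, now=None):
    """Client side: headers for one API call, with a fresh UTC timeStamp."""
    ts = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    return {"apiKey": api_key, "timeStamp": ts,
            "signature": sign(secret_key, name, version, api_key, ts, body)}


def validate_request(headers, name, version, body, now=None):
    """Gateway side: return (accepted, reason) for one signed request."""
    now = now or datetime.now(timezone.utc)
    api_key = headers.get("apiKey", "")
    secret = IAM_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown apiKey"          # caller not identified
    ts_raw = headers.get("timeStamp", "")
    try:
        ts = datetime.strptime(ts_raw, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed timeStamp"
    if abs(now - ts) > REPLAY_WINDOW:          # stale or far-future: replay or bad clock
        return False, "timeStamp outside window"
    expected = sign(secret, name, version, api_key, ts_raw, body)
    # Constant-time compare: never short-circuit on the first mismatching byte.
    if not hmac.compare_digest(expected, headers.get("signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Exercise the cases a gateway must distinguish; returns the reason string for each."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    body = '{"amount": 10}'
    good = build_signed_headers("demo-iam-key", "demo-iam-secret", "transfer", "1.0", body, now=t0)
    return {
        "valid": validate_request(good, "transfer", "1.0", body, now=t0)[1],
        # Body altered in transit: the signature no longer matches.
        "tampered_body": validate_request(good, "transfer", "1.0", '{"amount": 10000}', now=t0)[1],
        # Same headers replayed an hour later: rejected on timeStamp before any MAC work.
        "replayed": validate_request(good, "transfer", "1.0", body, now=t0 + timedelta(hours=1))[1],
        # Caller knows the API key but not the secret.
        "wrong_secret": validate_request(
            build_signed_headers("demo-iam-key", "guess", "transfer", "1.0", body, now=t0),
            "transfer", "1.0", body, now=t0)[1],
    }
```

Two points the example makes concrete: timestamp validation on its own only proves the request is recent, so a request captured inside the window can still be replayed unless the body and timestamp are also covered by a signature; and the timestamp check runs before the MAC so stale requests are rejected cheaply.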
OAuth 2.0 Authentication
The OAuth 2.0 Authentication Policy in App42 API Gateway lets you authenticate callers of your API using either the Authorization Code or the Client Credentials grant type (shown as Client ID in the console).
If the grant type is Client Credentials (Client ID), the client passes its IAM Key as the client ID and its IAM Secret Key as the client secret to obtain an access token. This can be done through any OAuth 2.0 client library or with a direct REST call (POST) to the token endpoint (REST_API_URL/token).
Note: For more info on how to get an access token with the Client Credentials grant type, refer to the section OAuth – Grant Type Client Credentials.
With the Authorization Code grant type, the client first obtains an authorization code from the authorization endpoint (REST_API_URL/authorize) and then exchanges that code for an access token.
Once an access token has been obtained, it must be sent with each API call to App42 API Gateway. The Gateway validates the token and allows the call only if the token is valid.
Note: For more info on how to get an access token with the Authorization Code grant type, refer to the section OAuth – Grant Type Authorization Code.
Steps to create an Authentication Policy with Auth Type as OAuth 2.0 (Grant Type Authorization Code or Client Credentials):
- 1. Go to Policies -> Authentication -> Click on Create
- 2. Provide a policy name
- 3. Select Auth Type as OAuth 2.0
- 4. Select Grant Type as Client ID (Client Credentials) or Authorization Code
- 5. Provide the Access Token Expiry limit (in ms)
- 6. Click on Create and your policy will get created with Auth Type as OAuth 2.0
- 7. You can edit your policy as well as delete it
Note: An OAuth policy that is attached to any API or IAM cannot be deleted.
OAuth – Grant Type Client Credentials
If the grant type is Client Credentials, you pass the IAM Key as the client ID and the IAM Secret Key as the client secret to obtain an access token. This can be done through any OAuth 2.0 client library or with a direct REST call (POST) to the token endpoint (REST_API_URL/token). Below is a Java snippet of an OAuth client fetching the access token:
```java
// The class names match the Apache Oltu OAuth 2.0 client library; these imports
// assume that library. The statements below belong in a method that declares
// throws OAuthSystemException, OAuthProblemException.
import org.apache.oltu.oauth2.client.OAuthClient;
import org.apache.oltu.oauth2.client.URLConnectionClient;
import org.apache.oltu.oauth2.client.request.OAuthClientRequest;
import org.apache.oltu.oauth2.client.response.OAuthJSONAccessTokenResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.GrantType;

String clientId = "xxxxxx";              // Pass the API Key of the IAM here
String clientSecret = "xxxxxx";          // Pass the Secret Key of the IAM here
String tokenEndPoint = "ProxyEndpointURL/token";

// Send client_id/client_secret in the POST body. buildQueryMessage() would put the
// secret in the URL, where proxies and access logs may record it.
OAuthClientRequest request = OAuthClientRequest.tokenLocation(tokenEndPoint)
        .setClientId(clientId)
        .setClientSecret(clientSecret)
        .setGrantType(GrantType.CLIENT_CREDENTIALS)
        .buildBodyMessage();

OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthJSONAccessTokenResponse response = oAuthClient.accessToken(request);
System.out.println(response.getAccessToken());   // response.getBody() returns the raw JSON
```
Once you have the access token, pass it with your API call to App42 API Gateway for authentication. The Gateway validates the token and allows the API call only if the token is valid.
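To show both halves of the exchange described in the Client Credentials section and the token validation the Gateway performs on every call, here is an added example that is not App42's code. The Gateway's real /token endpoint and its internal checks are not shown on the page, so the server below is a constructed in-process stand-in that assumes a standard RFC 6749 client_credentials grant with HTTP Basic client authentication and RFC 6750 bearer tokens, with the IAM Key as client_id and the IAM Secret Key as client_secret as the page states. The IAM credentials, the /api/hello resource and the one-second token expiry (standing in for the policy's Access Token Expiry limit) are all constructed. The same bearer handling applies to a token obtained through the Authorization Code grant.

```python
"""OAuth 2.0 client-credentials exchange plus bearer-token validation, both sides.

Added example, not App42 code. The in-process server is a constructed stand-in
ASSUMING RFC 6749 4.4 (client_credentials, HTTP Basic client auth) and RFC 6750
bearer tokens; IAM_KEY/IAM_SECRET, /api/hello and TOKEN_TTL_MS are constructed.
"""
import base64
import json
import secrets
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IAM_KEY, IAM_SECRET = "demo-iam-key", "demo-iam-secret"   # constructed IAM credentials
TOKEN_TTL_MS = 1000   # stands in for the policy's "Access Token Expiry limit (in ms)"


class StandInGateway(BaseHTTPRequestHandler):
    """POST /token issues tokens; GET /api/hello requires a live bearer token."""
    issued = {}   # access_token -> expiry (epoch seconds); class-level, shared by requests
    log_message = lambda self, *a: None   # silence per-request logging

    def do_POST(self):
        if self.path != "/token":
            return self._reply(404, {"error": "not_found"})
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if form.get("grant_type") != ["client_credentials"]:
            return self._reply(400, {"error": "unsupported_grant_type"})
        scheme, _, blob = self.headers.get("Authorization", "").partition(" ")
        try:   # client_id:client_secret arrive in HTTP Basic, never in the URL or query string
            user, _, pw = base64.b64decode(blob if scheme.lower() == "basic" else "", validate=True).partition(b":")
        except (ValueError, TypeError):
            user, pw = b"", b""
        # Constant-time compares: a wrong id and a wrong secret are indistinguishable by timing.
        if not (secrets.compare_digest(user, IAM_KEY.encode()) and secrets.compare_digest(pw, IAM_SECRET.encode())):
            return self._reply(401, {"error": "invalid_client"})
        token = secrets.token_urlsafe(32)   # opaque and unguessable; validity lives in server-side state
        self.issued[token] = time.time() + TOKEN_TTL_MS / 1000
        self._reply(200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL_MS // 1000})

    def do_GET(self):
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        expiry = self.issued.get(token)
        if scheme.lower() != "bearer" or expiry is None:
            return self._reply(401, {"error": "invalid_token"})
        if time.time() > expiry:
            del self.issued[token]   # expired: the caller must fetch a new token
            return self._reply(401, {"error": "invalid_token", "error_description": "expired"})
        self._reply(200, {"message": "hello", "caller": IAM_KEY})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def _http(req):
    """Send one request; return (status, parsed JSON) for both 2xx and error responses."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def fetch_token(base_url, client_id, client_secret):
    """Client side: POST grant_type=client_credentials with Basic client auth (secret in header, not URL)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return _http(urllib.request.Request(
        base_url + "/token", method="POST",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": "Basic " + basic, "Content-Type": "application/x-www-form-urlencoded"}))


def call_api(base_url, token):
    """Client side: present the access token as an RFC 6750 bearer token."""
    return _http(urllib.request.Request(base_url + "/api/hello", headers={"Authorization": "Bearer " + token}))


def run_exchange():
    """Drive the whole flow against the stand-in; return the HTTP status seen in each case."""
    server = HTTPServer(("127.0.0.1", 0), StandInGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        statuses = {"wrong_secret": fetch_token(base, IAM_KEY, "guess")[0]}
        token = fetch_token(base, IAM_KEY, IAM_SECRET)[1]["access_token"]
        statuses["bogus_token"] = call_api(base, "not-a-real-token")[0]
        statuses["valid_token"] = call_api(base, token)[0]
        time.sleep(TOKEN_TTL_MS / 1000 + 0.3)   # let the token age past its expiry
        statuses["expired_token"] = call_api(base, token)[0]
    finally:
        server.shutdown()
        server.server_close()
    return statuses
```

Running `run_exchange()` shows the four outcomes a client should expect from the Gateway: a wrong secret is refused at the token endpoint, an unknown or expired token is refused at the API, and only a freshly issued token reaches the backend. Because the token expires after the configured limit, a client should refresh on a 401 rather than caching the token indefinitely.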