Along with the ease of API integrations come the difficulties of ensuring proper authentication (AuthN) and authorization (AuthZ). In a multitenant environment, security controls based on proper AuthN and AuthZ can help ensure that API access is limited to those who need (and are entitled to) it. Appropriate AuthN schemes enable producers (APIs or services) to properly identify consumers (clients or calling programs), and to evaluate their access level (AuthZ). In other words, may a consumer invoke a particular method (business logic) based on the credentials presented?
The most common methods for authentication and authorization include:
- Static strings: These are like passwords that are provided by APIs to consumers.
- Dynamic tokens: These are time-based tokens obtained by the caller from an authentication service.
- User-delegated tokens: These are tokens, such as OAuth tokens, that are granted based on user authentication.
- Policy-based access control, with policies expressed in ALFA or XACML.
The above methods provide different levels of security and ease of integration. Oftentimes, the easiest method of integration also offers the weakest security model.
In the static strings method, the API caller or client embeds a string as a token in the request. This method is often referred to as basic authentication. "From a security point of view, basic authentication is not very satisfactory. It means sending the user's password over the network in clear text for every single page accessed (unless a secure lower-level protocol, like
This type of token is used in three-legged systems where an application needs to access an API on behalf of a user. Instead of revealing the user ID and password to the application, the user grants a token that encapsulates the user's permission for the application to invoke the API.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an
Fine-Grained Authorization for APIs
Attribute-Based Access Control
In this approach, there is a Policy Enforcement Point (PEP) either within the API itself, in the API framework (as an interceptor or message handler), or as an API gateway (e.g. WSO2, Kong, or similar) that intercepts the call to the API and/or the response back from the API. It converts the call into an authorization request (typically in XACML) which it sends to a Policy Decision Point (PDP). The Policy Decision Point is configured with policies that implement dynamic access control and can use any number of user, resource, action, and context attributes to define which access is allowed or denied. Policies can be about:
- the resource (e.g. a bank account)
- the user (e.g. a customer)
- the context (e.g. time of day)
- a relationship (e.g. the customer to whom the account belongs).
Policies are expressed in ALFA or XACML.
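As an added illustration (not from this article or from any of the products it names), the following Python code pairs a minimal Policy Enforcement Point with a Policy Decision Point that evaluates the four kinds of policy listed above (resource, user, context, relationship) with deny-overrides combining. The attribute names, the three rules, the business-hours window and the toy account data are assumptions; real deployments would send an XACML request to an actual PDP instead.

```python
from dataclasses import dataclass

# Constructed attribute-based request, shaped like what a PEP sends to a PDP
# (plain Python here rather than a real XACML encoding).
@dataclass
class Request:
    subject: dict   # user attributes, e.g. {"id": "alice", "role": "customer"}
    resource: dict  # resource attributes, e.g. {"type": "bank_account", "owner": "alice"}
    action: str     # "read" or "transfer"
    context: dict   # environment attributes, e.g. {"hour": 10}

# Each rule returns "Permit", "Deny" or "NotApplicable", as a XACML rule would.
def rule_customers_only(req):
    # User attribute: only customers may touch bank accounts at all.
    return "Deny" if req.subject.get("role") != "customer" else "NotApplicable"

def rule_account_owner(req):
    # Relationship attribute: the account must belong to the calling customer.
    return "Permit" if req.resource.get("owner") == req.subject.get("id") else "NotApplicable"

def rule_transfer_hours(req):
    # Context attribute (assumed window): transfers only between 08:00 and 18:00.
    if req.action == "transfer" and not 8 <= req.context["hour"] < 18:
        return "Deny"
    return "NotApplicable"

BANK_ACCOUNT_POLICY = [rule_customers_only, rule_account_owner, rule_transfer_hours]

def pdp_decide(req):
    """Policy Decision Point: deny-overrides combining; deny when no rule applies."""
    if req.resource.get("type") != "bank_account":  # policy target does not match
        return "Deny"
    outcomes = [rule(req) for rule in BANK_ACCOUNT_POLICY]
    if "Deny" in outcomes:
        return "Deny"
    return "Permit" if "Permit" in outcomes else "Deny"

def pep_invoke(req, handler):
    """Policy Enforcement Point: run the business logic only on an explicit Permit."""
    decision = pdp_decide(req)
    if decision != "Permit":
        return {"status": 403, "decision": decision}
    return {"status": 200, "decision": decision, "body": handler(req)}

def read_balance(req):
    # Stand-in business logic with a constructed balance; a real API would look the account up.
    return {"account": req.resource["id"], "balance": 100}
```

Because the PEP denies on "NotApplicable" as well as on "Deny", a request that matches no policy (a different resource type, a non-customer caller, someone else's account) is refused rather than silently passed through to the business logic.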
- "API Attacks" (PDF).
- "OAuth 2.0 — OAuth". oauth.net. Retrieved 2015-10-10.
- "A Guide to Web Authentication Alternatives: Part 2". unixpapa.com. Retrieved 2015-10-10.
- Bradley, John; Sakimura, Nat; Jones, Michael. "JSON Web Token (JWT)". tools.ietf.org. Retrieved 2015-10-10.
- Hardt, Dick. "The OAuth 2.0 Authorization Framework". tools.ietf.org. Retrieved 2015-10-11.