OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.”, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
How miniOrange API Gateway protects your API’s with OAuth Authorization
- Client Application send request for OAuth token / access token to miniOrange API gateway using credentials of OAuth provider.
- miniOrange API gateway validates the user credentials from OAuth provider, which in turn returns access token with specified expiry time.
- Access token is sent back to the client application.
- Client application makes request to API’s through miniOrange API gateway and received Access token above as a Authorization Header.
- API gateway validates the access token from OAuth introspection call to the OAuth server.
- If token is valid, API gateway forwards the request to the API or Resource Server.
- Response returned from API server is sent back to the client application.
The Authorization field is constructed as follows:
- The authorization method and a space (e.g. “Bearer”) is then prepended to the Access token.
e.g. Authorization: Basic D43wd4mla3fsdlfsdlfdsl5DSA3L
Benefits of using API Authentication with OAuth provider:
- Secure: Since the client does not have to pass user’s credentials with any request (unlike Basic Authentication), this method is more secure. The method requires access token which can only be fetched by user’s consent. Moreover, the API gateway block basic authentication completely so no one without an access token can access the APIs in an insecure manner.
- Time Based Tokens: As OAuth tokens are valid only for specified time period (default 1 hour), even if the security is compromised, that will have the limited impact till the token expiry unlike API keys.
- Easy to integrate: API gateway can be integrated with any OAuth/OIDC provider within seconds.
What Security Guidelines we follow to secure your API’s:
Enforce HTTPS / TLS connection:
We provide an option to enforce the use of HTTP over SSL in API requests, which transfer your credentials securely.
Input Parameter Validation to prevent injections:
Validate request parameters on the very first step, before it reaches your API Server. Our strong validation checks blocks the access immediately if input validation fails, which helps to prevent SQL injection and other attacks.
We support the input validation specified by OWASP REST Security guidelines.
Timestamp in Request:
Along with other request parameters, we provide option to add a request timestamp as HTTP custom header in API request. The server will compare the current timestamp to the request timestamp, and only accepts the request if it is within the allowed timeframe (60-300 seconds). This will prevent replay attacks from attackers who are trying to brute force your system without changing this timestamp.
Digitally Sign API requests and responses:
We support API requests and responses in signed manner as a added security.
API call with digitally signed requests make sure that API requests are coming from the trusted partner or client.
Rate Limiting:
We protect your APIs with rate-limiting to mitigate distributed denial-of-service (DDoS)>/b> attacks and protecting the backend applications that process the API calls.