Author: Samuel Mitchell
Adding additional security measures – Digital Transformation with IBM API Connect
The last few sections provided a comprehensive overview of APIC’s OOTB security features to secure APIs. But by no means are these the only security features that you can use. You can build almost any security mechanism using a combination of user-defined policies and GatewayScript policy. You can further secure your services using Transport Layer…
JWT verification – Digital Transformation with IBM API Connect
Verification of a JWT is an authorization process. It assumes that the JWT presented has been issued to an authenticated client (within the confines of the token’s validity period). Thus, JWT verification concerns itself with ensuring that the client is authorized to access the protected resource and that the JWT has been signed by a…
Using JWT policies – Digital Transformation with IBM API Connect
JWT (pronounced jot) is one of the methods of defining the identity information of a user/system (a client) in a JSON format. It is primarily used in authorization scenarios where its usage is employed to pass an authenticated client’s meta-information (identity and claims) to the server in a secure and verifiable format. JWT removes the…
OAuth flow changes – Digital Transformation with IBM API Connect
OIDC security testing follows along the same path as OAuth flow testing, with some minor changes. From the resource owner’s standpoint, the overall interaction flow looks identical to OAuth. The notable differences rest in the following: OpenID scopes. Notice the two scope values sent as part of the OIDC call. The primary scope value is…
Implementing OpenID Connect (OIDC) – Digital Transformation with IBM API Connect
OAuth was built for authorization and cared most about the permissions and scopes of the protected resources. These permissions were then assigned to a client on a resource owner’s behalf. OAuth’s fundamental limitation was that it did not provide any standard way for the client to fetch any meta-information about the logged-in user. The client…
Testing OAuth flow – Digital Transformation with IBM API Connect
Like other OAuth configuration steps, testing the OAuth flow is also a multi-step process. This is due to the nature of multiple interactions between all the parties involved in OAuth processing. Apart from the complexity of the multiple parties, OAuth flow also changes based on the configured grant type in the OAuth provider. You will…
Creating a client – Digital Transformation with IBM API Connect
As previously stated, the client (typically an application) interacts with the resource (API) on the resource owner’s (typically the end user) behalf. From the earlier example, the client is the application developed/owned by the healthcare provider. The resource is the service, exposed by the medical lab, that fetches the resource owner’s lab results from the…
Applying OAuth 2.0 – Digital Transformation with IBM API Connect
In this section, you will learn about the specifics of OAuth, and later you will learn about OIDC (another similar security standard). Because of similarities between OAuth and OIDC, it might be helpful to know at a high level what is what. It is important to know that while OIDC deals with authentication, OAuth deals…
Protecting APIs with Basic authentication and Client ID (API key) – Digital Transformation with IBM API Connect
In this section, you will begin developing APIs that use the security features you have just set up. Using Basic authentication with an API key is among the easiest methods of applying authentication security to an API. This method of applying API key security (client ID and client secret) to an API was covered in…
Configuring native OAuth providers – Digital Transformation with IBM API Connect
Just what is an OAuth provider? An OAuth provider is a service provider that provides authorization services via an Authorization Server to the Resource Owner (typically the end user) and to the Client (typically the applications trying to access the Resources on the resource owner’s behalf). An OAuth provider is a third party that is…