Making your APIs available on the Web doesn’t mean that they are in open access and unsecured. Reliable and secure standardized Web protocols exist. They can be used to manage authentication and authorization of consuming applications and users connected to these applications. The major protocol to manage authorization is OAuth2. It can be extended to manage authentication by using the OpenID Connect protocol. These protocols are far more simpler than the complex solutions used by companies (WS-Security, SAML2…).
When implementing an API, security issues quickly arise. This is a major challenge, as the Open API principle is to build an « open ecosystem », through the exposition of services usable by third parties, without knowing how it will be used. Besides, using REST and the Web technologies has an impact on the way you secure your services, even for an internal or private usage of your API.
This reference card is about security principles. We help you to understand which protocols you should or shouldn’t use. We present OAuth2 flows and their context of use. We explain the scoping principle, which is often misunderstood. We also give details on the OpenID Connect protocol principles, of JWT and claims. Finally, we share the common mistakes that we encountered with our clients, when securing APIs.
Based on our experiences on API projects, this reference card contains our beliefs and vision about API security principles.
