Welcome!

Related Topics: Microservices Expo

Microservices Expo: Blog Feed Post

Enterprise APIs and OAuth: Have it All

Why do Enterprises always seem so behind when it comes to the very latest technology?

Enterprises often frustrate developers. Why do Enterprises always seem so behind when it comes to the very latest technology? In particular, a trend we are seeing is the continued struggle to marry Enterprise authentication with the burgeoning world of REST APIs. Developers want to use REST, but Enterprises need enterprise grade API security.

We think this problem will only worsen as Enterprises continue their rapid adoption of APIs. It seems clear that SOAP, while capable of Enterprise grade authentication through X.509 and SAML, will be left behind as the “Skinny jeans Facebook generation” puts the final nail in SOAP’s coffin.

The Dilemma

Among our own customers and the stories we’ve heard, Enterprises are left with a dilemma with four horns concerning the protection of REST APIs:

(a) Use mutual authentication with client-side SSL
(b) Use HTTP authentication (password or digest) with server-side SSL
(c) Use OAuth, either 3-legged or 2-legged
(d) Use a de-facto standard or “roll your own”

Each option has challenges and benefits. In particular, the challenges balance time to market and time to value (which I term developer friction), security, and manageability. The success of an API is directly related to it’s perceived ease of access and the amount of friction involved in using it.  An Enterprise will get more value out of an API that is actually used versus one that lies dormant. At the same time, however, as APIs become a new tunnel into the Enterprise, security and manageability cannot be sacrificed for the sake of adoption.

Current Options and Challenges

Let’s consider the options and “score” each of them.  In option (a), most developers would rather shoot themselves than deal with client-side X.509 certificates, especially after experiencing the apparent ease of use of OAuth as evidenced by SaaS providers such as Salesforce.com and social platforms such as Facebook and Twitter. To compound this, the issue of key rotation and certificate management is a weighty burden to deal with from an Enterprise perspective. Echoes are heard from the grave, “But this year, will be the year of PKI!” Now, the “Year of PKI” conjures up not a picture of a secure Enterprise, but an enterprise fraught with wasteland scenes of Armageddon.

SSL with Mutual Auth Score:

  • Security: High
  • Friction: Extremely High
  • Management Burden: Extremely High
  • Developer Attitude: I hate my life
  • Result: A secure API that nobody uses has lowered value to the Enterprise

In option (b), HTTP Authentication with server-side SSL, we’ve overloaded an interactive web-authentication mechanism developed in 1996 and tried to marry it to the API economy of 2012.

Well, you say…. At least it is a standard – and we console ourselves by the fact that it is a protected channel. The issue here of course is the proliferation and management of passwords.

Security is reduced because we’ve coded in a username and password and we’re probably using the same username and password for multiple applications and not telling management about it. Security is low when the password is in the clear and somewhere around medium-low when digests are used, depending on your perspective on rainbow tables. Friction is high because eventually I’ll need to (or should) rotate that password if I have even a rudimentary password policy

HTTP Basic Auth with SSL Score:

  • Security: Medium-Low
  • Friction: High
  • Management Burden: High
  • Developer Attitude: Really? We’re doing this?
  • Result: An API with a “hackish” authentication method and suspect security.

In option (c), OAuth, developers will cheer but problems remain. First and foremost, traditional 3-legged OAuth is an authorization protocol that puts permission control in the hands of a user, who ostensibly owns an asset they are expressing authorization for.

In the traditional Enterprise context, however, control should be given to administrators, not users. Most users don’t own Enterprise assets, the Enterprise owns their own assets. With X.509 certificate authentication models, administrators can revoke permissions easily by revoking a certification while OAuth delegates permissions to users. This is why OAuth works well for social websites – content is owned by users.

One solution to this is to use 2-legged OAuth or some organic variation such as xAuth, which is notionally similar to SAML in that it allows the exchange of a username/password for an access token.  Note: If xAuth is still OAuth why is it called something different? Answer: It is different (?)

2-legged OAuth has advantages over the previous option in that it stops the proliferation of passwords, which is a good thing, but the failure of the OAuth 2.0 specification to carefully define what 2-legged OAuth entails is a bit worrisome for both security and interoperability.

Third, depending on the specific OAuth data flow, such as the authorization code flow, implicit grant flow, or client credential flow, these all have varying levels of security and friction associated with them. The most secure OAuth data flows involving a confidential client demand strong client authentication….. …with a public/private key pair (ssshhh!!).

Finally, as history has taught us, never place all your bets in the security of a protocol. Many of us were shocked at the late 2009 news of a critical man-in-the-middle attack on SSL. If we count the Netscape days to the time of the vulnerability, the protocol was battle tested in industry for 14 years before the vulnerability was found. Some would argue that OAuth just hasn’t been around the block long enough.

OAuth Score

  • Security: Medium (or Low, depending on your view of history)
  • Friction: Medium-Low
  • Management Burden: Medium
  • Developer Attitude: I love my job, it’s like Facebook
  • Result: An API that uses a rapidly emerging protocol and avoids the use of passwords with low developer friction

In option (d), roll your own, we’ve seen a number of solutions that involve API keys or shared secrets along with authenticators like HMAC-SHA1. Amazon web services (AWS) is a famous example of this approach, and many of our own customers have copied this approach as a best practice.

These solutions have the advantage over HTTP Basic Authentication in that they don’t shoe-horn themselves into an outdated standard designed for another purpose. The flip-side is that these aren’t official standards. The idea is to use an HTTP header to store the credentials in a bespoke way defined by the Enterprise. The security model here is essentially the same as username and password, except for the fact that  we’re calling it an API key to make it sound like it’s not a password. Management burden is increased here because interoperability outside the organization is reduced.

“Roll Your Own” Score:

  • Security: Medium-Low
  • Friction: Medium
  • Management Burden: Medium-High
  • Developer Attitude: Eh, It’s not OAuth, but at least I don’t have to deal with X.509 certificates
  • Result: A reasonable, albeit non-standard solution to API authentication. Friction is reduced but password or shared secret proliferation remains a problem

Appease your Developers

One approach to solving the API access mechanism dilemma is to reject the dilemma and have it all. This can be done with a front-end or security intermediary that, much like a diligent mediator can make both sides happy. In this model, a front-end proxy is used on top of existing APIs, essentially retrofitting them for OAuth without having to get into the ‘weeds’ of actually modifying enterprise APIs. Everything is done on the wire at network layer 4 and above.

To take one example, if you are an Enterprise with REST APIs that use mutual SSL authentication, you don’ t have to enforce this fact on your developers. Instead, have a gateway handle it for you. You can give your developers a choice – they can fall on the sword of X.509 if they’d like, or use OAuth.

Conceptually, it looks like this:

In the previous diagram the gateway handles the OAuth dance for incoming clients and maps the identity to a username from Active Directory. Then, the gateway initiates a mutual SSL connection to the Enterprise REST API and sends the username of the original requestor over this secure channel in an HTTP header. Simple.

Developers are happy because the Enterprise is now “living in the 21st century” and the  enterprise application developers are happy because they don’t need to  retrofit something that already works, and the security architects are happy because they can manage it all on a security gateway with a few clicks and drop downs. Party down!

A thumbnail screen shot is shown from the “AAA” Policy from Intel® Expressway Service Gateway:

While there are a few more settings required, particularly to enable the full OAuth dance, as well as exception handling, the screen shot shows that the main credential mapping can be done with selectors and not code. This helps bridge the gap between Enterprise Applications and new emerging standards. At Intel we think this gateway or proxy model is a superb answer for solving some of these real challenges. After all, Enterprises can’t wait for the standards to catch up with the new generation of developers.

More Stories By Application Security

This blog references our expert posts on application and web services security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
Personalization has long been the holy grail of marketing. Simply stated, communicate the most relevant offer to the right person and you will increase sales. To achieve this, you must understand the individual. Consequently, digital marketers developed many ways to gather and leverage customer information to deliver targeted experiences. In his session at @ThingsExpo, Lou Casal, Founder and Principal Consultant at Practicala, discussed how the Internet of Things (IoT) has accelerated our abil...
With so much going on in this space you could be forgiven for thinking you were always working with yesterday’s technologies. So much change, so quickly. What do you do if you have to build a solution from the ground up that is expected to live in the field for at least 5-10 years? This is the challenge we faced when we looked to refresh our existing 10-year-old custom hardware stack to measure the fullness of trash cans and compactors.
Extreme Computing is the ability to leverage highly performant infrastructure and software to accelerate Big Data, machine learning, HPC, and Enterprise applications. High IOPS Storage, low-latency networks, in-memory databases, GPUs and other parallel accelerators are being used to achieve faster results and help businesses make better decisions. In his session at 18th Cloud Expo, Michael O'Neill, Strategic Business Development at NVIDIA, focused on some of the unique ways extreme computing is...
The emerging Internet of Everything creates tremendous new opportunities for customer engagement and business model innovation. However, enterprises must overcome a number of critical challenges to bring these new solutions to market. In his session at @ThingsExpo, Michael Martin, CTO/CIO at nfrastructure, outlined these key challenges and recommended approaches for overcoming them to achieve speed and agility in the design, development and implementation of Internet of Everything solutions wi...
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
I wanted to gather all of my Internet of Things (IOT) blogs into a single blog (that I could later use with my University of San Francisco (USF) Big Data “MBA” course). However as I started to pull these blogs together, I realized that my IOT discussion lacked a vision; it lacked an end point towards which an organization could drive their IOT envisioning, proof of value, app dev, data engineering and data science efforts. And I think that the IOT end point is really quite simple…
Aspose.Total for .NET is the most complete package of all file format APIs for .NET as offered by Aspose. It empowers developers to create, edit, render, print and convert between a wide range of popular document formats within any .NET, C#, ASP.NET and VB.NET applications. Aspose compiles all .NET APIs on a daily basis to ensure that it contains the most up to date versions of each of Aspose .NET APIs. If a new .NET API or a new version of existing APIs is released during the subscription peri...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
Qosmos has announced new milestones in the detection of encrypted traffic and in protocol signature coverage. Qosmos latest software can accurately classify traffic encrypted with SSL/TLS (e.g., Google, Facebook, WhatsApp), P2P traffic (e.g., BitTorrent, MuTorrent, Vuze), and Skype, while preserving the privacy of communication content. These new classification techniques mean that traffic optimization, policy enforcement, and user experience are largely unaffected by encryption. In respect wit...
Kubernetes, Docker and containers are changing the world, and how companies are deploying their software and running their infrastructure. With the shift in how applications are built and deployed, new challenges must be solved. In his session at @DevOpsSummit at19th Cloud Expo, Sebastian Scheele, co-founder of Loodse, will discuss the implications of containerized applications/infrastructures and their impact on the enterprise. In a real world example based on Kubernetes, he will show how to ...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addres...
Is the ongoing quest for agility in the data center forcing you to evaluate how to be a part of infrastructure automation efforts? As organizations evolve toward bimodal IT operations, they are embracing new service delivery models and leveraging virtualization to increase infrastructure agility. Therefore, the network must evolve in parallel to become equally agile. Read this essential piece of Gartner research for recommendations on achieving greater agility.
SYS-CON Events announced today that Hitrons Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Hitrons Solutions Inc. is distributor in the North American market for unique products and services of small and medium-size businesses, including cloud services and solutions, SEO marketing platforms, and mobile applications.