Welcome!

Related Topics: Microservices Expo

Microservices Expo: Blog Feed Post

Enterprise APIs and OAuth: Have it All

Why do Enterprises always seem so behind when it comes to the very latest technology?

Enterprises often frustrate developers. Why do Enterprises always seem so behind when it comes to the very latest technology? In particular, a trend we are seeing is the continued struggle to marry Enterprise authentication with the burgeoning world of REST APIs. Developers want to use REST, but Enterprises need enterprise grade API security.

We think this problem will only worsen as Enterprises continue their rapid adoption of APIs. It seems clear that SOAP, while capable of Enterprise grade authentication through X.509 and SAML, will be left behind as the “Skinny jeans Facebook generation” puts the final nail in SOAP’s coffin.

The Dilemma

Among our own customers and the stories we’ve heard, Enterprises are left with a dilemma with four horns concerning the protection of REST APIs:

(a) Use mutual authentication with client-side SSL
(b) Use HTTP authentication (password or digest) with server-side SSL
(c) Use OAuth, either 3-legged or 2-legged
(d) Use a de-facto standard or “roll your own”

Each option has challenges and benefits. In particular, the challenges balance time to market and time to value (which I term developer friction), security, and manageability. The success of an API is directly related to it’s perceived ease of access and the amount of friction involved in using it.  An Enterprise will get more value out of an API that is actually used versus one that lies dormant. At the same time, however, as APIs become a new tunnel into the Enterprise, security and manageability cannot be sacrificed for the sake of adoption.

Current Options and Challenges

Let’s consider the options and “score” each of them.  In option (a), most developers would rather shoot themselves than deal with client-side X.509 certificates, especially after experiencing the apparent ease of use of OAuth as evidenced by SaaS providers such as Salesforce.com and social platforms such as Facebook and Twitter. To compound this, the issue of key rotation and certificate management is a weighty burden to deal with from an Enterprise perspective. Echoes are heard from the grave, “But this year, will be the year of PKI!” Now, the “Year of PKI” conjures up not a picture of a secure Enterprise, but an enterprise fraught with wasteland scenes of Armageddon.

SSL with Mutual Auth Score:

  • Security: High
  • Friction: Extremely High
  • Management Burden: Extremely High
  • Developer Attitude: I hate my life
  • Result: A secure API that nobody uses has lowered value to the Enterprise

In option (b), HTTP Authentication with server-side SSL, we’ve overloaded an interactive web-authentication mechanism developed in 1996 and tried to marry it to the API economy of 2012.

Well, you say…. At least it is a standard – and we console ourselves by the fact that it is a protected channel. The issue here of course is the proliferation and management of passwords.

Security is reduced because we’ve coded in a username and password and we’re probably using the same username and password for multiple applications and not telling management about it. Security is low when the password is in the clear and somewhere around medium-low when digests are used, depending on your perspective on rainbow tables. Friction is high because eventually I’ll need to (or should) rotate that password if I have even a rudimentary password policy

HTTP Basic Auth with SSL Score:

  • Security: Medium-Low
  • Friction: High
  • Management Burden: High
  • Developer Attitude: Really? We’re doing this?
  • Result: An API with a “hackish” authentication method and suspect security.

In option (c), OAuth, developers will cheer but problems remain. First and foremost, traditional 3-legged OAuth is an authorization protocol that puts permission control in the hands of a user, who ostensibly owns an asset they are expressing authorization for.

In the traditional Enterprise context, however, control should be given to administrators, not users. Most users don’t own Enterprise assets, the Enterprise owns their own assets. With X.509 certificate authentication models, administrators can revoke permissions easily by revoking a certification while OAuth delegates permissions to users. This is why OAuth works well for social websites – content is owned by users.

One solution to this is to use 2-legged OAuth or some organic variation such as xAuth, which is notionally similar to SAML in that it allows the exchange of a username/password for an access token.  Note: If xAuth is still OAuth why is it called something different? Answer: It is different (?)

2-legged OAuth has advantages over the previous option in that it stops the proliferation of passwords, which is a good thing, but the failure of the OAuth 2.0 specification to carefully define what 2-legged OAuth entails is a bit worrisome for both security and interoperability.

Third, depending on the specific OAuth data flow, such as the authorization code flow, implicit grant flow, or client credential flow, these all have varying levels of security and friction associated with them. The most secure OAuth data flows involving a confidential client demand strong client authentication….. …with a public/private key pair (ssshhh!!).

Finally, as history has taught us, never place all your bets in the security of a protocol. Many of us were shocked at the late 2009 news of a critical man-in-the-middle attack on SSL. If we count the Netscape days to the time of the vulnerability, the protocol was battle tested in industry for 14 years before the vulnerability was found. Some would argue that OAuth just hasn’t been around the block long enough.

OAuth Score

  • Security: Medium (or Low, depending on your view of history)
  • Friction: Medium-Low
  • Management Burden: Medium
  • Developer Attitude: I love my job, it’s like Facebook
  • Result: An API that uses a rapidly emerging protocol and avoids the use of passwords with low developer friction

In option (d), roll your own, we’ve seen a number of solutions that involve API keys or shared secrets along with authenticators like HMAC-SHA1. Amazon web services (AWS) is a famous example of this approach, and many of our own customers have copied this approach as a best practice.

These solutions have the advantage over HTTP Basic Authentication in that they don’t shoe-horn themselves into an outdated standard designed for another purpose. The flip-side is that these aren’t official standards. The idea is to use an HTTP header to store the credentials in a bespoke way defined by the Enterprise. The security model here is essentially the same as username and password, except for the fact that  we’re calling it an API key to make it sound like it’s not a password. Management burden is increased here because interoperability outside the organization is reduced.

“Roll Your Own” Score:

  • Security: Medium-Low
  • Friction: Medium
  • Management Burden: Medium-High
  • Developer Attitude: Eh, It’s not OAuth, but at least I don’t have to deal with X.509 certificates
  • Result: A reasonable, albeit non-standard solution to API authentication. Friction is reduced but password or shared secret proliferation remains a problem

Appease your Developers

One approach to solving the API access mechanism dilemma is to reject the dilemma and have it all. This can be done with a front-end or security intermediary that, much like a diligent mediator can make both sides happy. In this model, a front-end proxy is used on top of existing APIs, essentially retrofitting them for OAuth without having to get into the ‘weeds’ of actually modifying enterprise APIs. Everything is done on the wire at network layer 4 and above.

To take one example, if you are an Enterprise with REST APIs that use mutual SSL authentication, you don’ t have to enforce this fact on your developers. Instead, have a gateway handle it for you. You can give your developers a choice – they can fall on the sword of X.509 if they’d like, or use OAuth.

Conceptually, it looks like this:

In the previous diagram the gateway handles the OAuth dance for incoming clients and maps the identity to a username from Active Directory. Then, the gateway initiates a mutual SSL connection to the Enterprise REST API and sends the username of the original requestor over this secure channel in an HTTP header. Simple.

Developers are happy because the Enterprise is now “living in the 21st century” and the  enterprise application developers are happy because they don’t need to  retrofit something that already works, and the security architects are happy because they can manage it all on a security gateway with a few clicks and drop downs. Party down!

A thumbnail screen shot is shown from the “AAA” Policy from Intel® Expressway Service Gateway:

While there are a few more settings required, particularly to enable the full OAuth dance, as well as exception handling, the screen shot shows that the main credential mapping can be done with selectors and not code. This helps bridge the gap between Enterprise Applications and new emerging standards. At Intel we think this gateway or proxy model is a superb answer for solving some of these real challenges. After all, Enterprises can’t wait for the standards to catch up with the new generation of developers.

More Stories By Application Security

This blog references our expert posts on application and web services security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
"We are the public cloud providers. We are currently providing 50% of the resources they need for doing e-commerce business in China and we are hosting about 60% of mobile gaming in China," explained Yi Zheng, CPO and VP of Engineering at CDS Global Cloud, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Fact is, enterprises have significant legacy voice infrastructure that’s costly to replace with pure IP solutions. How can we bring this analog infrastructure into our shiny new cloud applications? There are proven methods to bind both legacy voice applications and traditional PSTN audio into cloud-based applications and services at a carrier scale. Some of the most successful implementations leverage WebRTC, WebSockets, SIP and other open source technologies. In his session at @ThingsExpo, Da...
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
@DevOpsSummit taking place June 6-8, 2017 at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit at Cloud Expo New York Call for Papers is now open.
Predictive analytics tools monitor, report, and troubleshoot in order to make proactive decisions about the health, performance, and utilization of storage. Most enterprises combine cloud and on-premise storage, resulting in blended environments of physical, virtual, cloud, and other platforms, which justifies more sophisticated storage analytics. In his session at 18th Cloud Expo, Peter McCallum, Vice President of Datacenter Solutions at FalconStor, discussed using predictive analytics to mon...
"We are an all-flash array storage provider but our focus has been on VM-aware storage specifically for virtualized applications," stated Dhiraj Sehgal of Tintri in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Onalytica. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
In IT, we sometimes coin terms for things before we know exactly what they are and how they’ll be used. The resulting terms may capture a common set of aspirations and goals – as “cloud” did broadly for on-demand, self-service, and flexible computing. But such a term can also lump together diverse and even competing practices, technologies, and priorities to the point where important distinctions are glossed over and lost.
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of Soli...
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
"IoT is going to be a huge industry with a lot of value for end users, for industries, for consumers, for manufacturers. How can we use cloud to effectively manage IoT applications," stated Ian Khan, Innovation & Marketing Manager at Solgeniakhela, in this SYS-CON.tv interview at @ThingsExpo, held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA.
Information technology is an industry that has always experienced change, and the dramatic change sweeping across the industry today could not be truthfully described as the first time we've seen such widespread change impacting customer investments. However, the rate of the change, and the potential outcomes from today's digital transformation has the distinct potential to separate the industry into two camps: Organizations that see the change coming, embrace it, and successful leverage it; and...
Join Impiger for their featured webinar: ‘Cloud Computing: A Roadmap to Modern Software Delivery’ on November 10, 2016, at 12:00 pm CST. Very few companies have not experienced some impact to their IT delivery due to the evolution of cloud computing. This webinar is not about deciding whether you should entertain moving some or all of your IT to the cloud, but rather, a detailed look under the hood to help IT professionals understand how cloud adoption has evolved and what trends will impact th...