Welcome!

Related Topics: Microservices Expo

Microservices Expo: Blog Feed Post

Enterprise APIs and OAuth: Have it All

Why do Enterprises always seem so behind when it comes to the very latest technology?

Enterprises often frustrate developers. Why do Enterprises always seem so behind when it comes to the very latest technology? In particular, a trend we are seeing is the continued struggle to marry Enterprise authentication with the burgeoning world of REST APIs. Developers want to use REST, but Enterprises need enterprise grade API security.

We think this problem will only worsen as Enterprises continue their rapid adoption of APIs. It seems clear that SOAP, while capable of Enterprise grade authentication through X.509 and SAML, will be left behind as the “Skinny jeans Facebook generation” puts the final nail in SOAP’s coffin.

The Dilemma

Among our own customers and the stories we’ve heard, Enterprises are left with a dilemma with four horns concerning the protection of REST APIs:

(a) Use mutual authentication with client-side SSL
(b) Use HTTP authentication (password or digest) with server-side SSL
(c) Use OAuth, either 3-legged or 2-legged
(d) Use a de-facto standard or “roll your own”

Each option has challenges and benefits. In particular, the challenges balance time to market and time to value (which I term developer friction), security, and manageability. The success of an API is directly related to it’s perceived ease of access and the amount of friction involved in using it.  An Enterprise will get more value out of an API that is actually used versus one that lies dormant. At the same time, however, as APIs become a new tunnel into the Enterprise, security and manageability cannot be sacrificed for the sake of adoption.

Current Options and Challenges

Let’s consider the options and “score” each of them.  In option (a), most developers would rather shoot themselves than deal with client-side X.509 certificates, especially after experiencing the apparent ease of use of OAuth as evidenced by SaaS providers such as Salesforce.com and social platforms such as Facebook and Twitter. To compound this, the issue of key rotation and certificate management is a weighty burden to deal with from an Enterprise perspective. Echoes are heard from the grave, “But this year, will be the year of PKI!” Now, the “Year of PKI” conjures up not a picture of a secure Enterprise, but an enterprise fraught with wasteland scenes of Armageddon.

SSL with Mutual Auth Score:

  • Security: High
  • Friction: Extremely High
  • Management Burden: Extremely High
  • Developer Attitude: I hate my life
  • Result: A secure API that nobody uses has lowered value to the Enterprise

In option (b), HTTP Authentication with server-side SSL, we’ve overloaded an interactive web-authentication mechanism developed in 1996 and tried to marry it to the API economy of 2012.

Well, you say…. At least it is a standard – and we console ourselves by the fact that it is a protected channel. The issue here of course is the proliferation and management of passwords.

Security is reduced because we’ve coded in a username and password and we’re probably using the same username and password for multiple applications and not telling management about it. Security is low when the password is in the clear and somewhere around medium-low when digests are used, depending on your perspective on rainbow tables. Friction is high because eventually I’ll need to (or should) rotate that password if I have even a rudimentary password policy

HTTP Basic Auth with SSL Score:

  • Security: Medium-Low
  • Friction: High
  • Management Burden: High
  • Developer Attitude: Really? We’re doing this?
  • Result: An API with a “hackish” authentication method and suspect security.

In option (c), OAuth, developers will cheer but problems remain. First and foremost, traditional 3-legged OAuth is an authorization protocol that puts permission control in the hands of a user, who ostensibly owns an asset they are expressing authorization for.

In the traditional Enterprise context, however, control should be given to administrators, not users. Most users don’t own Enterprise assets, the Enterprise owns their own assets. With X.509 certificate authentication models, administrators can revoke permissions easily by revoking a certification while OAuth delegates permissions to users. This is why OAuth works well for social websites – content is owned by users.

One solution to this is to use 2-legged OAuth or some organic variation such as xAuth, which is notionally similar to SAML in that it allows the exchange of a username/password for an access token.  Note: If xAuth is still OAuth why is it called something different? Answer: It is different (?)

2-legged OAuth has advantages over the previous option in that it stops the proliferation of passwords, which is a good thing, but the failure of the OAuth 2.0 specification to carefully define what 2-legged OAuth entails is a bit worrisome for both security and interoperability.

Third, depending on the specific OAuth data flow, such as the authorization code flow, implicit grant flow, or client credential flow, these all have varying levels of security and friction associated with them. The most secure OAuth data flows involving a confidential client demand strong client authentication….. …with a public/private key pair (ssshhh!!).

Finally, as history has taught us, never place all your bets in the security of a protocol. Many of us were shocked at the late 2009 news of a critical man-in-the-middle attack on SSL. If we count the Netscape days to the time of the vulnerability, the protocol was battle tested in industry for 14 years before the vulnerability was found. Some would argue that OAuth just hasn’t been around the block long enough.

OAuth Score

  • Security: Medium (or Low, depending on your view of history)
  • Friction: Medium-Low
  • Management Burden: Medium
  • Developer Attitude: I love my job, it’s like Facebook
  • Result: An API that uses a rapidly emerging protocol and avoids the use of passwords with low developer friction

In option (d), roll your own, we’ve seen a number of solutions that involve API keys or shared secrets along with authenticators like HMAC-SHA1. Amazon web services (AWS) is a famous example of this approach, and many of our own customers have copied this approach as a best practice.

These solutions have the advantage over HTTP Basic Authentication in that they don’t shoe-horn themselves into an outdated standard designed for another purpose. The flip-side is that these aren’t official standards. The idea is to use an HTTP header to store the credentials in a bespoke way defined by the Enterprise. The security model here is essentially the same as username and password, except for the fact that  we’re calling it an API key to make it sound like it’s not a password. Management burden is increased here because interoperability outside the organization is reduced.

“Roll Your Own” Score:

  • Security: Medium-Low
  • Friction: Medium
  • Management Burden: Medium-High
  • Developer Attitude: Eh, It’s not OAuth, but at least I don’t have to deal with X.509 certificates
  • Result: A reasonable, albeit non-standard solution to API authentication. Friction is reduced but password or shared secret proliferation remains a problem

Appease your Developers

One approach to solving the API access mechanism dilemma is to reject the dilemma and have it all. This can be done with a front-end or security intermediary that, much like a diligent mediator can make both sides happy. In this model, a front-end proxy is used on top of existing APIs, essentially retrofitting them for OAuth without having to get into the ‘weeds’ of actually modifying enterprise APIs. Everything is done on the wire at network layer 4 and above.

To take one example, if you are an Enterprise with REST APIs that use mutual SSL authentication, you don’ t have to enforce this fact on your developers. Instead, have a gateway handle it for you. You can give your developers a choice – they can fall on the sword of X.509 if they’d like, or use OAuth.

Conceptually, it looks like this:

In the previous diagram the gateway handles the OAuth dance for incoming clients and maps the identity to a username from Active Directory. Then, the gateway initiates a mutual SSL connection to the Enterprise REST API and sends the username of the original requestor over this secure channel in an HTTP header. Simple.

Developers are happy because the Enterprise is now “living in the 21st century” and the  enterprise application developers are happy because they don’t need to  retrofit something that already works, and the security architects are happy because they can manage it all on a security gateway with a few clicks and drop downs. Party down!

A thumbnail screen shot is shown from the “AAA” Policy from Intel® Expressway Service Gateway:

While there are a few more settings required, particularly to enable the full OAuth dance, as well as exception handling, the screen shot shows that the main credential mapping can be done with selectors and not code. This helps bridge the gap between Enterprise Applications and new emerging standards. At Intel we think this gateway or proxy model is a superb answer for solving some of these real challenges. After all, Enterprises can’t wait for the standards to catch up with the new generation of developers.

More Stories By Application Security

This blog references our expert posts on application and web services security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
DXWorldEXPO LLC announced today that Kevin Jackson joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Kevin L. Jackson is a globally recognized cloud computing expert and Founder/Author of the award winning "Cloud Musings" blog. Mr. Jackson has also been recognized as a "Top 100 Cybersecurity Influencer and Brand" by Onalytica (2015), a Huffington Post "Top 100 Cloud Computing Experts on Twitter" (2013) and a "Top 50 C...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
When applications are hosted on servers, they produce immense quantities of logging data. Quality engineers should verify that apps are producing log data that is existent, correct, consumable, and complete. Otherwise, apps in production are not easily monitored, have issues that are difficult to detect, and cannot be corrected quickly. Tom Chavez presents the four steps that quality engineers should include in every test plan for apps that produce log output or other machine data. Learn the ste...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Wooed by the promise of faster innovation, lower TCO, and greater agility, businesses of every shape and size have embraced the cloud at every layer of the IT stack – from apps to file sharing to infrastructure. The typical organization currently uses more than a dozen sanctioned cloud apps and will shift more than half of all workloads to the cloud by 2018. Such cloud investments have delivered measurable benefits. But they’ve also resulted in some unintended side-effects: complexity and risk. ...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, ...
Traditional on-premises data centers have long been the domain of modern data platforms like Apache Hadoop, meaning companies who build their business on public cloud were challenged to run Big Data processing and analytics at scale. But recent advancements in Hadoop performance, security, and most importantly cloud-native integrations, are giving organizations the ability to truly gain value from all their data. In his session at 19th Cloud Expo, David Tishgart, Director of Product Marketing ...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addresse...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...