
Security + REST Services

Question asked by acalbazana on Jun 7, 2016
Latest reply on Aug 31, 2016 by ducge01



I have a general design question. Is anyone using the API Gateway to support their security needs? If so, could you describe how things are laid out (to the extent that you can)?


I have a set of REST APIs that I want to have secured. These services need to understand user identity and will enforce user roles (RBAC). I don't expect the gateway to handle RBAC. I don't have anything like OAuth set up; however, my "human" users are typically authenticated via a form-based login and then issued an SSO token. I also have "machine" users that will authenticate using different means (basic auth, certificates, etc.).


Ideally, I'd like all of my services to understand a common "token" that represents an authenticated user and their authorizations/claims (JWT comes to mind).  I'd rather not bake all of the authentication handling into each policy, for each service.  I was considering using the gateway to handle the different types of authentication paths and produce a token that could be used in subsequent requests. 


Should I be looking to policy to help me with this? I am curious what others have done here.
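As an added example (not the original poster's code, and not gateway policy from any product), the following Python models the arrangement the question describes: a gateway that terminates two different credential types (HTTP Basic for machine users, an SSO session token for human users), mints one short-lived signed JWT carrying identity and roles, and a downstream REST service that verifies that JWT and makes the RBAC decision itself. The key, issuer, audience, user table, SSO session table and the `X-SSO-Token` header name are all constructed assumptions for illustration; only the standard library is used so it runs offline.

```python
# Added example: gateway mints a JWT from heterogeneous credentials,
# service verifies it and applies RBAC. Not the original poster's code.
import base64
import hashlib
import hmac
import json
import time

# Hypothetical HS256 key shared by gateway and services. In production prefer
# RS256/ES256 so services hold only a public key and cannot mint tokens.
JWT_KEY = b"replace-with-32-random-bytes-from-a-secret-store"
ISSUER = "gateway.example"      # assumed issuer name
AUDIENCE = "rest-api"           # assumed audience name

# Constructed identity stores standing in for LDAP / the SSO server.
MACHINE_USERS = {"batch-job": {"password": "s3cret", "roles": ["reader"]}}
SSO_SESSIONS = {"sso-abc123": {"user": "alice", "roles": ["reader", "admin"]}}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def issue_jwt(subject: str, roles: list, now: int, ttl: int = 300) -> str:
    """Gateway side: build and sign an HS256 JWT with identity and roles."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
               "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(JWT_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def gateway_authenticate(headers: dict, now: int) -> str:
    """Gateway side: accept Basic auth or an SSO token; return a JWT or raise."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            raise PermissionError("malformed Basic credentials")
        rec = MACHINE_USERS.get(user)
        # compare_digest keeps the password check constant-time
        if rec is None or not hmac.compare_digest(rec["password"].encode(), pw.encode()):
            raise PermissionError("bad machine credentials")
        return issue_jwt(user, rec["roles"], now)
    sess = SSO_SESSIONS.get(headers.get("X-SSO-Token", ""))
    if sess is not None:
        return issue_jwt(sess["user"], sess["roles"], now)
    raise PermissionError("no acceptable credential")


def verify_jwt(token: str, now: int) -> dict:
    """Service side: check algorithm, signature, issuer, audience and expiry."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm; never let the token choose it (e.g. "alg": "none").
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(JWT_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


def service_handle(token: str, required_role: str, now: int) -> str:
    """Service side: RBAC decision made from verified claims, not by the gateway."""
    claims = verify_jwt(token, now)
    if required_role not in claims.get("roles", []):
        raise PermissionError(f"{claims['sub']} lacks role {required_role}")
    return f"ok: {claims['sub']} as {required_role}"


if __name__ == "__main__":
    t = int(time.time())
    jwt = gateway_authenticate({"Authorization": basic_auth_header("batch-job", "s3cret")}, t)
    print(service_handle(jwt, "reader", t))
```

Two points the model makes visible: the service pins the algorithm and checks issuer, audience and expiry before it looks at roles, so a client-supplied token with `"alg": "none"` or a token minted for another audience is rejected before any authorization logic runs; and because the RBAC check happens in the service from the verified claims, the gateway only has to agree on the token format, not on per-service roles. With a shared HMAC key every service can also mint tokens, so in a real deployment the gateway would sign with a private key and publish the public key, and it must replace, not pass through, any `Authorization` header the client sends upstream.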