Layer7 API Management

  • 1.  Security + REST Services

    Posted Jun 07, 2016 10:19 AM

    Hello,


    I have a general design question.... Is anyone using the API Gateway to support their security needs?  If so, could you describe how things are laid out (to the extent that you can)? 


    I have a set of REST apis that I want to have secured.  These services need to understand user identity and will enforce user roles (RBAC).  I don't expect the gateway to handle RBAC.  I don't have anything like OAuth set up; however, my "human" users are typically authenticated via a form-based login and then issued an SSO token.    I also have "machine" users that will authenticate using different means (basic auth, certificates, etc..). 


    Ideally, I'd like all of my services to understand a common "token" that represents an authenticated user and their authorizations/claims (JWT comes to mind).  I'd rather not bake all of the authentication handling into each policy, for each service.  I was considering using the gateway to handle the different types of authentication paths and produce a token that could be used in subsequent requests. 


    Should I be looking to policy to help me with this?   I am curious to what others have done here.


    Thanks,

    Alejandro



  • 2.  Re: Security + REST Services
    Best Answer

    Posted Aug 30, 2016 04:25 PM

    Hello Alejandro,


    The short answer is definitely yes, security and in particular api access control is typically implemented at the gateway level.

    You can use the built-in OTK to issue tokens, whether oauth opaque or jwt tokens. The gateway then uses the information associated with these tokens to decide whether a particular api operation should be allowed. This can take into consideration attributes associated to users or applications, you can consult ACL or group memberships in external directories, databases or services and you can set global policies to avoid implementing this in each service policy.

    Hope this helps,

    -fl
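    The pattern described in the question and in this answer (the gateway terminates several authentication paths, mints one common token, and each service consumes that token for its own RBAC decision), written out as an added example. This is illustrative Python, not code from the thread, from Layer7 or from the OTK: the SSO session store, the machine credential table, the header names, the HMAC secret and the user records are all constructed for the demo. A real deployment would sign with an asymmetric key so that services hold only the public half.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the gateway and the services.
# Assumption for the example only; a real gateway would use an RS256/ES256 key pair.
SECRET = b"constructed-demo-secret"
AUDIENCE = "internal-rest-apis"  # the services this gateway fronts (constructed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---------------- Gateway side: many authentication paths, one token ----------------

# Constructed stand-ins for the SSO session cache and the machine credential directory.
SSO_SESSIONS = {"sso-token-abc": {"sub": "alejandro", "roles": ["reader", "editor"]}}
MACHINE_CREDS = {
    "batch-job": {"password_sha256": hashlib.sha256(b"s3cret").hexdigest(), "roles": ["reader"]},
}


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(request: dict):
    """Try each authentication path the gateway supports; return an identity dict or None."""
    headers = request.get("headers", {})
    # Human path: a form login elsewhere produced an SSO token; look up the session.
    if "X-SSO-Token" in headers:
        return SSO_SESSIONS.get(headers["X-SSO-Token"])
    # Machine path: HTTP Basic against the credential directory.
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            return None
        rec = MACHINE_CREDS.get(user)
        if rec and hmac.compare_digest(rec["password_sha256"], hashlib.sha256(pwd.encode()).hexdigest()):
            return {"sub": user, "roles": rec["roles"]}
    return None


def issue_jwt(identity: dict, now: int = None, ttl: int = 300) -> str:
    """Mint a short-lived HS256 JWT carrying the subject and its roles as claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": identity["sub"], "roles": identity["roles"],
              "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# ---------------- Service side: verify the common token, then apply RBAC ----------------

def verify_jwt(token: str, now: int = None):
    """Return the claims if signature, algorithm, audience and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg=none and algorithm-confusion tokens
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / token shape
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, required_role: str, now: int = None) -> bool:
    """The service's own RBAC check, driven by the roles claim the gateway put in the token."""
    claims = verify_jwt(token, now)
    return claims is not None and required_role in claims.get("roles", [])


if __name__ == "__main__":
    who = authenticate({"headers": {"X-SSO-Token": "sso-token-abc"}})
    token = issue_jwt(who)
    print("editor allowed:", authorize(token, "editor"))
    print("admin allowed:", authorize(token, "admin"))
```

    The service never sees a password or an SSO cookie; it only validates the one token format, which is what keeps the per-service policy small. Signature, algorithm, audience and expiry are all checked before the roles claim is trusted, since a roles claim in an unverified token is just client input.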



  • 3.  Re: Security + REST Services

    Broadcom Employee
    Posted Aug 31, 2016 12:54 PM

    You can also look at using policy fragments as an alternative to global policies.  Global policies affect each request (or response) that the gateway processes, and the action may not apply to every request for every policy.  Policy fragments allow you to implement shared features among the policies of your choice.  Global policies also are not always visible to policy authors, which can cause some behaviour in the policy execution that could be overlooked by policy authors not aware of their existence.  Personally I lean towards policy fragments and encapsulated assertions as opposed to global policies.

    Oauth tokens processed by the gateways allow for easy ways to cross reference the user associated with the token at runtime in order to make decisions and implement logic associated with the user.

    -GD