Monday, February 28, 2011

Securing APIs

One of the key questions which comes up in API Management is about which authentication scheme to use. Gunnar Peterson has written, in a different context, about the benefit to the security architect of providing a menu of authentication schemes to use. Some clients are limited by what authentication scheme they can handle, and by providing a "menu" of authentication schemes at the API Gateway level, this can be handled. Within a policy (expressed as a "circuit" in the Vordel Gateway) you can handle clients differently depending on how they authenticated.

So which API authentication schemes are on the "menu"? Of course there is HTTP Digest Auth and mutual SSL. But there are specific API authentication schemes similar to Amazon's Query API authentication. If you want to learn more about this API authentication option, then on the Vordel website there is a video example showing API authentication for iPhone apps and Facebook as clients. If you push the video on to the 20 minute mark, and listen for a few minutes, you can learn about how the Vordel Gateway provides the API security, making use of HMAC digests with SHA1. If you're familiar with the Amazon Web Services Query authentication, you will recognize this:


So the options for API authentication balance flexibility (providing customers with a menu of authentication options) and security (policies which vary access depending on which scheme the client uses). A Gateway provides this balance, versus hardcoding the scheme into the API itself.