Best Practices in Building an API Security Ecosystem
Transcript of Best Practices in Building an API Security Ecosystem
![Page 1: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/1.jpg)
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena, Director of Security, WSO2
Twitter : @prabath
![Page 2: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/2.jpg)
About Me
Director of Security Architecture @ WSO2
Apache Axis PMC member
Blogs
- http://blog.facilelogin.com
- http://blog.api-security.org
Books
- “Enterprise Integration with WSO2 ESB” with PACKT
- “Advanced API Security” with Apress
- “Mastering Apache Maven” with PACKT
![Page 3: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/3.jpg)
![Page 4: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/4.jpg)
Naked APIs vs. Managed APIs
![Page 5: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/5.jpg)
API Ecosystem
![Page 6: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/6.jpg)
Gateway Pattern - Benefits
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcement
• Centralized auditing & monitoring
• Version control
![Page 7: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/7.jpg)
Forces Driving IT Business Re-design
![Page 8: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/8.jpg)
Pre OAuth Era
![Page 9: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/9.jpg)
Pre OAuth Era
![Page 10: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/10.jpg)
Pre OAuth Era
![Page 11: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/11.jpg)
Pre OAuth Era
![Page 12: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/12.jpg)
Third-party applications are required to store the resource owner's credentials for future use, typically a
password in clear-text.
Need a better approach?
![Page 13: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/13.jpg)
Servers are required to support password authentication, despite the security weaknesses created
by passwords.
Need a better approach?
![Page 14: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/14.jpg)
Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access
to a limited subset of resources.
Need a better approach?
![Page 15: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/15.jpg)
Resource owners cannot revoke access to an individual third-party without revoking access to all third-parties,
and must do so by changing their password.
Need a better approach?
![Page 16: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/16.jpg)
Compromise of any third-party application results in compromise of the end-user's password and all of the
data protected by that password.
Need a better approach?
![Page 17: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/17.jpg)
Delegation
![Page 18: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/18.jpg)
Pre OAuth Era
![Page 19: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/19.jpg)
OAuth Evolution
![Page 20: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/20.jpg)
OAuth 1.0a
![Page 21: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/21.jpg)
OAuth 1.0a : Three Legged
![Page 22: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/22.jpg)
OAuth 1.0a : Two Legged
![Page 23: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/23.jpg)
OAuth 2.0 : Resource Owner
• An entity capable of granting access to a protected resource.
• When the resource owner is a person, it is referred to as an end-user.
![Page 24: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/24.jpg)
OAuth 2.0 : Resource Server
• The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
![Page 25: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/25.jpg)
OAuth 2.0 : Client
• An application making protected resource requests on behalf of the resource owner and with its authorization
![Page 26: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/26.jpg)
OAuth 2.0 : Authorization Server
• The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
![Page 27: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/27.jpg)
OAuth 2.0
![Page 28: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/28.jpg)
OAuth 2.0 : Authorization Grant Types
Authorization Code
Implicit
Resource Owner Password Credentials
Client Credentials
![Page 29: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/29.jpg)
OAuth 2.0 : Authorization Code
OAuth Handshake
Scope
![Page 30: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/30.jpg)
OAuth 2.0
OAuth Handshake
Scope
Scope is defined by the Authorization Server.
Scope indicates which resource the client wants to access and which actions it wants to perform on it.
The value of the scope parameter is expressed as a list of space-delimited, case sensitive strings.
The strings are defined by the authorization server.
![Page 31: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/31.jpg)
OAuth 2.0 : Authorization Code
Confidential Client Type
Web Application
OAuth Handshake
![Page 32: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/32.jpg)
OAuth 2.0 : Authorization Code
Client Authenticates to AuthZ Server
BasicAuth client_id / client_secret
OAuth Handshake
![Page 33: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/33.jpg)
OAuth 2.0 : Authorization Code
Authorization Grant Request
OAuth Handshake
• response_type : REQUIRED. Value MUST be set to "code".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
![Page 34: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/34.jpg)
OAuth 2.0 : Authorization Code
Authorization Grant Response
OAuth Handshake
• code : REQUIRED. The authorization code generated by the authorization server.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
![Page 35: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/35.jpg)
OAuth 2.0 : Authorization Code
Access Token Request
OAuth Handshake
• grant_type : REQUIRED. Value MUST be set to "authorization_code".
• code : REQUIRED. The authorization code received from the Authorization Server.
• redirect_uri : REQUIRED, if the "redirect_uri" parameter was included in the authorization
![Page 36: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/36.jpg)
OAuth 2.0 : Authorization Code
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
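The four authorization code steps above, as an added Python example that is not part of the deck: a confidential web-application client builds the authorization request with a random state, checks that state when the browser comes back, and prepares the Basic-authenticated access token request. The endpoint URLs, client_id, client_secret and redirect_uri are constructed placeholders.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: endpoints and the confidential client's registration.
AUTHZ_ENDPOINT = "https://authz.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://authz.example.com/oauth2/token"
CLIENT_ID = "web-app-client"
CLIENT_SECRET = "web-app-secret"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(scopes, state=None):
    """Authorization Grant Request: the URL the browser is redirected to.
    Returns (url, state); the client stores state in the user's session so the
    callback can be tied to this request and a foreign code cannot be injected."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",       # REQUIRED
        "client_id": CLIENT_ID,        # REQUIRED
        "redirect_uri": REDIRECT_URI,  # OPTIONAL, but pin it so the server can compare
        "scope": " ".join(scopes),     # OPTIONAL, space-delimited, case sensitive
        "state": state,                # RECOMMENDED
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state


def parse_authorization_response(callback_url, expected_state):
    """Authorization Grant Response: accept the code only when state matches the
    value stored for this session, and never treat an error response as success."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError("authorization server returned " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization response carries no code")
    return code


def build_token_request(code):
    """Access Token Request over the back channel. The confidential client
    authenticates with HTTP Basic (client_id:client_secret); redirect_uri is
    repeated because it was sent in the authorization request.
    Returns (headers, form_body) for an HTTPS POST to TOKEN_ENDPOINT."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body


def parse_token_response(payload):
    """Access Token Response: require access_token and token_type, compare the
    (case-insensitive) token_type, and treat a missing expires_in as short-lived
    rather than as a token that never expires."""
    if "access_token" not in payload or "token_type" not in payload:
        raise ValueError("malformed token response")
    if payload["token_type"].lower() != "bearer":
        raise ValueError("unsupported token type " + payload["token_type"])
    return payload["access_token"], int(payload.get("expires_in", 300))
```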
![Page 37: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/37.jpg)
OAuth 2.0 : Implicit
OAuth Handshake
Scope
![Page 38: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/38.jpg)
OAuth 2.0 : Implicit
Public Client Type
User Agent based Application
OAuth Handshake
![Page 39: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/39.jpg)
OAuth 2.0 : Implicit
Anonymous Clients
OAuth Handshake
![Page 40: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/40.jpg)
OAuth 2.0 : Implicit
Authorization Grant Request
OAuth Handshake
• response_type : REQUIRED. Value MUST be set to "token".
• client_id : REQUIRED. The client identifier.
• redirect_uri : OPTIONAL. Where to be redirected by the Authorization Server.
• scope : OPTIONAL. The scope of the access request.
• state : RECOMMENDED. An opaque value used by the client to maintain state between the request and callback.
![Page 41: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/41.jpg)
OAuth 2.0 : Implicit
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
• scope : OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.
• state : REQUIRED if the "state" parameter was present in the client authorization request.
![Page 42: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/42.jpg)
OAuth 2.0 : Client Credential
OAuth Handshake
Scope
![Page 43: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/43.jpg)
OAuth 2.0 : Client Credential
Confidential Client Type
OAuth Handshake
![Page 44: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/44.jpg)
OAuth 2.0 : Client Credential
BasicAuth
OAuth Handshake
![Page 45: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/45.jpg)
OAuth 2.0 : Client Credential
Authorization Grant Request
OAuth Handshake
Since the client authentication is used as the authorization grant, no additional authorization request is needed.
![Page 46: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/46.jpg)
OAuth 2.0 : Client Credential
Access Token Request
OAuth Handshake
• grant_type : REQUIRED. Value MUST be set to "client_credentials".
• scope : OPTIONAL. The scope of the access request.
Note : The client needs to pass BasicAuth headers or authenticate to the Authorization Server by other means.
![Page 47: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/47.jpg)
OAuth 2.0 : Client Credential
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
![Page 48: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/48.jpg)
OAuth 2.0 : Resource Owner Password Credentials
OAuth Handshake
Scope
![Page 49: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/49.jpg)
OAuth 2.0 : Resource Owner Password Credentials
Confidential Client Type
OAuth Handshake
![Page 50: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/50.jpg)
OAuth 2.0 : Resource Owner Password Credentials
BasicAuth
OAuth Handshake
![Page 51: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/51.jpg)
OAuth 2.0 : Resource Owner Password Credentials
Authorization Grant Request
OAuth Handshake
The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained.
![Page 52: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/52.jpg)
OAuth 2.0 : Resource Owner Password Credentials
Access Token Request
OAuth Handshake
• grant_type : REQUIRED. Value MUST be set to "password".
• username : REQUIRED. The resource owner username, encoded as UTF-8.
• password : REQUIRED. The resource owner password, encoded as UTF-8.
• scope : OPTIONAL. The scope of the access request.
![Page 53: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/53.jpg)
OAuth 2.0 : Resource Owner Password Credentials
Access Token Response
OAuth Handshake
• access_token : REQUIRED. The access token issued by the authorization server.
• token_type : REQUIRED. The type of the token. Value is case insensitive.
• expires_in : RECOMMENDED. The lifetime in seconds of the access token.
![Page 54: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/54.jpg)
OAuth 2.0
Runtime
![Page 55: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/55.jpg)
OAuth 2.0
Runtime
Bearer MAC
![Page 56: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/56.jpg)
OAuth 2.0
Runtime
Bearer MAC
Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession
of a cryptographic key).
Bearer
![Page 57: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/57.jpg)
Request with Bearer
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer access_token_value
OAuth 2.0
Runtime
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20
![Page 58: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/58.jpg)
OAuth 2.0
Runtime
Bearer MAC
HTTP MAC access authentication scheme
MAC
![Page 59: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/59.jpg)
Request with MAC
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id="h480djs93hd8", ts="1336363200", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE="
OAuth 2.0
Runtime
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01
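The MAC request above, as an added Python example that is not from the deck: the client signs the normalized request string that draft-ietf-oauth-v2-http-mac-01 defines (timestamp, nonce, method, request URI, host, port, ext, each followed by a newline, HMAC-SHA1, base64), and the resource server recomputes it, enforces a timestamp window and rejects replayed nonces, which is what distinguishes a MAC token from a bearer token. The key identifier reuses the slide's value; the MAC key itself and the in-memory nonce store are constructed.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Constructed key store: MAC key identifier -> shared secret issued alongside the
# access token (in a deployment the authorization server hands this to both sides).
MAC_KEYS = {"h480djs93hd8": b"adiMgbjpMA0ZsYp2SwRN4TmrhBDdg8J8"}

SEEN_NONCES = set()   # (id, nonce) pairs already accepted inside the window
MAX_CLOCK_SKEW = 300  # seconds a timestamp may differ from the server clock


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """The string the MAC covers (draft -01): each element followed by a newline."""
    return "\n".join([str(ts), nonce, method.upper(), request_uri,
                      host.lower(), str(port), ext]) + "\n"


def compute_mac(key, ts, nonce, method, request_uri, host, port, ext=""):
    msg = normalized_request_string(ts, nonce, method, request_uri, host, port, ext)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def sign_request(key_id, method, request_uri, host, port, ts=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(MAC_KEYS[key_id], ts, nonce, method, request_uri, host, port)
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


_ATTR = re.compile(r'(\w+)="([^"]*)"')


def verify_request(auth_header, method, request_uri, host, port, now=None):
    """Resource server side: True only if the MAC proves possession of the key
    for this exact request, the timestamp is fresh and the nonce is unused."""
    now = int(time.time()) if now is None else now
    scheme, _, rest = auth_header.partition(" ")
    if scheme != "MAC":
        return False
    attrs = dict(_ATTR.findall(rest))
    key = MAC_KEYS.get(attrs.get("id", ""))
    if key is None or not all(k in attrs for k in ("ts", "nonce", "mac")):
        return False
    try:
        ts = int(attrs["ts"])
    except ValueError:
        return False
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False  # stale or far-future timestamp
    if (attrs["id"], attrs["nonce"]) in SEEN_NONCES:
        return False  # replay of a request already accepted
    expected = compute_mac(key, ts, attrs["nonce"], method, request_uri, host, port,
                           attrs.get("ext", ""))
    if not hmac.compare_digest(expected, attrs["mac"]):
        return False  # header or request line was altered in transit
    SEEN_NONCES.add((attrs["id"], attrs["nonce"]))
    return True
```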
![Page 60: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/60.jpg)
Decoupling Authorization Server from Resource Server
![Page 61: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/61.jpg)
Decoupling Authorization Server from Resource Server
POST /introspection HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

token=X3241Affw.4233-99JXJ&resource_id=…

{
  "active": true,
  "client_id": "s6BhdRkqt3",
  "scope": "read write dolphin",
  "sub": "2309fj32kl",
  "aud": "http://example.org/protected-resource/*"
}
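The resource server's side of the introspection exchange above, as an added Python example that is not from the deck: it builds the Basic-authenticated introspection request and then decides on the returned JSON, checking active, expiry, audience (the slide's aud ends in a '*' wildcard) and scope. The response dictionary is the slide's, with a constructed exp claim added; the resource server's own client credentials are whatever the Basic header on the slide encodes.

```python
import base64
import fnmatch
import time
from urllib.parse import urlencode

# Introspection response copied from the slide, plus a constructed exp claim.
INTROSPECTION_RESPONSE = {
    "active": True,
    "client_id": "s6BhdRkqt3",
    "scope": "read write dolphin",
    "sub": "2309fj32kl",
    "aud": "http://example.org/protected-resource/*",
    "exp": 1700000600,  # constructed
}


def build_introspection_request(token, resource_id, rs_client_id, rs_client_secret):
    """Headers and form body for POST /introspection. The resource server
    authenticates itself with HTTP Basic, as on the slide; the access token
    travels in the body, never in the URL where it would land in logs."""
    basic = base64.b64encode(f"{rs_client_id}:{rs_client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": token, "resource_id": resource_id})


def authorize_request(introspection, resource_url, required_scopes, now=None):
    """Decision on the introspection JSON: the token must be active, unexpired,
    issued for an audience covering this resource and carrying every scope the
    endpoint requires. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    aud = introspection.get("aud")
    audiences = aud if isinstance(aud, list) else ([aud] if aud else [])
    if not any(fnmatch.fnmatchcase(resource_url, a) for a in audiences):
        return False, "token not issued for this resource"
    granted = set(introspection.get("scope", "").split())  # space-delimited, case sensitive
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"
```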
![Page 62: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/62.jpg)
Externalizing Authorization
![Page 63: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/63.jpg)
XACML
![Page 64: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/64.jpg)
OAuth & XACML
A given access token has a scope associated with it and it governs the access token’s capabilities
A user delegates access to his Facebook profile to a third party under the scope “user_activities”, which grants access to the user's list of activities (the activities connection). To achieve fine-grained access control, this can be represented in an XACML policy.
token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
![Page 65: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/65.jpg)
XACML Request
<Request>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:oauth-client">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:client:client-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">32324343434</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph.facebook.com/prabathsiriwardena/activities</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
![Page 66: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/66.jpg)
XACML Policy
<Policy>
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
          <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:scope" AttributeId="urn:oasis:names:tc:xacml:1.0:scope:scope-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit_rule" Effect="Permit"/>
  <Rule RuleId="deny_rule" Effect="Deny"/>
</Policy>
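An added Python example, not from the deck, that ties the two XACML slides to the OAuth token: the PEP (gateway or resource server) builds the XACML request above from the token's client_id and scopes plus the HTTP method and URL, and a minimal PDP evaluates the slide's policy, whose Target matches on the scope user_activities. The PDP supports only the string-equal Match and first-applicable rules without Conditions that the slide's policy uses; anything else is an assumption it refuses to evaluate.

```python
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
ATTRIBUTE_ID = {
    "oauth-client": "urn:oasis:names:tc:xacml:1.0:client:client-id",
    "action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
    "scope": "urn:oasis:names:tc:xacml:1.0:scope:scope-id",
    "resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
}

# The slide's policy: the Target matches when the request carries scope user_activities.
POLICY = f"""<Policy>
  <Target><AnyOf><AllOf>
    <Match MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">user_activities</AttributeValue>
      <AttributeDesignator MustBePresent="false" Category="{CATEGORY}scope"
          AttributeId="{ATTRIBUTE_ID['scope']}" DataType="{XS_STRING}"/>
    </Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="permit_rule" Effect="Permit"/>
  <Rule RuleId="deny_rule" Effect="Deny"/>
</Policy>"""


def build_xacml_request(client_id, scopes, method, resource):
    """PEP side: map the token's client, its scopes, the HTTP method and the
    requested URL onto the four attribute categories used on the slide."""
    root = ET.Element("Request")
    for category, values in (("oauth-client", [client_id]), ("action", [method]),
                             ("scope", list(scopes)), ("resource", [resource])):
        attrs = ET.SubElement(root, "Attributes", Category=CATEGORY + category)
        attr = ET.SubElement(attrs, "Attribute", AttributeId=ATTRIBUTE_ID[category])
        for value in values:  # one AttributeValue per granted scope
            ET.SubElement(attr, "AttributeValue", DataType=XS_STRING).text = value
    return ET.tostring(root, encoding="unicode")


def _designated_values(request, category, attribute_id):
    """All values the request carries for one (Category, AttributeId) pair."""
    return [av.text.strip() for attrs in request.findall("Attributes")
            if attrs.get("Category") == category
            for attr in attrs.findall("Attribute")
            if attr.get("AttributeId") == attribute_id
            for av in attr.findall("AttributeValue") if av.text]


def _match_holds(match, request):
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + str(match.get("MatchId")))
    literal = match.find("AttributeValue").text.strip()
    designator = match.find("AttributeDesignator")
    return literal in _designated_values(
        request, designator.get("Category"), designator.get("AttributeId"))


def evaluate(policy_xml, request_xml):
    """Minimal PDP: Target is AnyOf(AllOf(Match*)); when it matches, the first
    Rule's Effect applies (first-applicable, no Conditions). A non-matching
    Target yields NotApplicable, which the PEP must treat as a deny."""
    policy = ET.fromstring(policy_xml)
    request = ET.fromstring(request_xml)
    target = policy.find("Target")
    if target is not None and len(list(target)) > 0:
        applicable = any(all(_match_holds(m, request) for m in allof.findall("Match"))
                         for anyof in target.findall("AnyOf")
                         for allof in anyof.findall("AllOf"))
        if not applicable:
            return "NotApplicable"
    rule = policy.find("Rule")
    return rule.get("Effect") if rule is not None else "NotApplicable"


def pep_allows(client_id, scopes, method, resource, policy_xml=POLICY):
    """Deny unless the PDP answers Permit."""
    return evaluate(policy_xml, build_xacml_request(client_id, scopes, method, resource)) == "Permit"
```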
![Page 67: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/67.jpg)
Cross-Domain API Access
![Page 68: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/68.jpg)
Cross-Domain API Access
curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa" \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PHNhbWxwOl...[omitted for brevity]...ZT4" \
  https://localhost:9443/oauth2/token
![Page 69: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/69.jpg)
Auditing / Monitoring
![Page 70: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/70.jpg)
Chained APIs
![Page 71: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/71.jpg)
Centralized Authorization with Distributed Resource Servers
![Page 72: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/72.jpg)
User Managed Access
• PAT (Protection API Token) : Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token) : Token issued to the Client to access the Authorization API (Authorization Server).
• RPT (Requesting Party Token) : Token issued to the Client to access the Protected Resource on behalf of the Requesting Party by the Authorization Server.
![Page 73: Best Practices in Building an API Security Ecosystem](https://reader036.fdocuments.in/reader036/viewer/2022062407/55d0545fbb61ebb97b8b4572/html5/thumbnails/73.jpg)
Contact us!