Authentication and authorization are key components of application security. Authentication is about ensuring that someone/something is who they say they are, and authorization is about ensuring the access and permission levels of each given entity. While it’s important to authenticate users, it’s increasingly important to also authenticate machine-to-machine interactions.
In a world of distributed and composable applications, APIs play a crucial role in how applications work (and how applications can potentially be exploited.) Dan Moore from FusionAuth recently joined me for a discussion about API authentication. Dan does an excellent job walking through the whys and hows of API authentication, so the video is definitely worth checking out in its entirety.
The part that I wanted to specifically highlight here is how clearly Dan answered my question about why someone couldn’t just use an API gateway for this:
I think API gateways work really well with OAuth servers. They kind of go hand in hand. But I think API gateways by their nature and their design are really set up for that one tier system, right? Where you have a developer that is maybe registering with a developer portal and getting a client key and maybe a client secret or something like that. And then they’re presenting that to the API gateway and the API gateway can check against a database and say, “this, this entity is acceptable.”
Where you might want to get a little bit deeper is–and reach out for a system or OAuth that handles many different users and many different types of API–is where you want to have kind of two layers, right? You don’t just want the developer to have access to the API. You want users that are using the application that the developers building for them to be able to get access to an API.
And so you just have a much better level of granularity if you go to something that is building tokens. And as far as I know, there are definitely API gateways out there that can consume tokens. I don’t know any API gateways that really generate tokens.
That would be my answer is API gateways are great and they definitely can help with the throttling and the security and the billing pieces. I think that adding on a system like FusionAuth behind the API gateway to help issue those tokens, is going to give you a richer, more granular set of controls.
I really appreciate when someone can articulate which tools work best in which scenarios and how toolchains can be pieced together effectively.
Check out the full video for a deeper discussion on API authentication with FusionAuth.
Disclosure: FusionAuth is a RedMonk client and sponsored the making of this video. However, all of the opinions here are independently issued.