Want to Secure Your APIs? You’ll Need OAuth 2.0 for That
We’re experiencing the rise of the API economy. Whether it’s for a backend system, partner-facing website, or a mobile application designed for customers, companies rely on APIs to share data with more end users than ever before.
Unfortunately, APIs are proving to be a major point of vulnerability. This stems primarily from the fact that APIs are usually designed internally for small use cases, which keeps them off the radar for security and compliance teams. Once they’re proven to be successful, APIs are often used by more teams and they evolve quickly into partner or client-facing solutions. Even as this transition takes place, API security is likely forgotten.
Alongside the growth of APIs, security tools and processes have matured to ensure the right level of authorization is given to the appropriate tiers of users. Among these tools is OAuth 2.0, an industry-standard framework for providing specific authorization flows for web-based services, applications, and network-enabled devices. In order to fully benefit from APIs without suffering the consequences, organizations must implement robust security practices such as OAuth 2.0 to protect their systems and data.
OAuth 2.0 and API security
There are a handful of practices that organizations adopt to secure their APIs. The most typical starting point is using API keys. These are easy to implement, but have few options for limiting permissions in each use case. Even worse, API keys are also often reused across applications and don’t expire. This creates numerous instances where a key could be compromised, and once that occurs, an attacker can do anything, for as long as they like.
OAuth 2.0 is a more advanced and refined approach for granting access. Under the OAuth 2.0 protocol, the application requests authorization from a resource owner. Once authorization is granted, the application requests an access token for the protected resource with specific permissioning. This ensures that a developer has read-write access, for instance, while a customer has read-only access.
When it comes to customizing access, OAuth 2.0 tokens have a scoping function that lets developers establish fine-grained permissions for applications. Tokens also have a built-in refresh process that pushes them to expire, making it near impossible for them to be reused. With these added security parameters, OAuth 2.0 helps protect organizations in the case of an attack as they can effectively block bad actors from accessing the system.
What OAuth 2.0 brings to the table
One of the most powerful aspects of OAuth 2.0 is how it was designed as a framework instead of a protocol. While a protocol describes how data is structured and communicated, and how the end points behave and interact, a framework acts as a general operating agreement which can be expanded upon as necessary.
Through these extensions, OAuth 2.0 offers:
- JSON Web Tokens (JWT) to define payloads for passing data between systems with built in expiration mechanisms and signatures for validation.
- OpenID Connect to standardize those tokens for sharing user profile information.
- Endpoints to introspect and revoke those tokens to both detect if a token has been modified and void an application’s access immediately.
- The Device Grant Type to extend OAuth to limited input devices like Smart TVs and IoT in general.
- The Authorization Code Flow+PKCE Grant Type specifically for supporting native mobile apps like those on Android and iOS.
By providing a structure and process for extending and even replacing aspects of the framework, we can customize aspects as needed and adapt to respond to changes in the industry and in technology. We can choose how to balance stability while taking advantage of new implementation options.
How OAuth 2.0 fits in API access management
As a result of all this, OAuth 2.0 is transforming what API security looks like. It’s normalizing how users engage with their applications, all the while securing their personal information. But OAuth 2.0 can’t secure APIs on its own. It needs to be implemented alongside other tools like an API gateway—which acts as a firewall to protect the API from malicious requests and data—as well as a comprehensive access management tool.
Okta’s API Access Management system has standard-compliant support for OAuth 2.0. To this effect, it offers configurable authorization policies that limit OAuth 2.0 permission scopes to specific devices, networks, and even group memberships. Based on these, Okta can revoke API access tokens based on user state, mitigating any potential attacks from compromised identities. When combined with an effective API gateway, API Access Management ensures that the right people have access to the right resources to accomplish what they set out to do.
To learn more about how Okta uses OAuth 2.0 in its API Access Management tool, read our datasheet on the topic.