by Jeremy H • October 14, 2020
API gateway authentication is one of the key functions of an API gateway. In carrying out this function, the API gateway manages authentication and authorization for the entire group of APIs that sit behind it. In this way, API gateway authentication safeguards your systems and information against unwanted access, data breaches, hacks, and mistakes.
While the basic premise of API gateway authentication is easy enough to grasp, this guide offers a more nuanced understanding of the concept. After reading through the sections below, you should have a clear understanding of the following:
Before we dive into API gateway authentication, let’s define what an API is and why it’s important to secure APIs with an authentication/authorization strategy.
An API (Application Programming Interface) is a set of rules and procedures that define how two applications or systems interact with each other. An API identifies the calls and requests that a client (the consumer of the API) can make to the application that exposes it. In this sense, the API is like a control panel that external consumers use to send requests that retrieve information and manipulate the application. An API also defines the formats and conventions to be used when making a request. Lastly, an API supports application “pluggability” because it allows two applications written in different languages to integrate with each other.
Since an API gives access to potentially sensitive information and app controls, it’s important to secure the API to ensure that only the right consumers (users, clients, applications) have the right levels of access to the API. This is where API authentication/authorization comes into play.
Generally speaking, an API needs to authenticate/authorize the following types of consumers: (1) human users who access the API through a web-based client application or smartphone application; (2) applications that use the API to interact with the application behind it; or (3) IoT components that send data back to another system or database.
Securing an API through authentication and authorization allows you to protect, limit, and control — not only the consumers that gain access to the API — but also their level of access. Here are four reasons why this kind of control is essential:
(1) Safeguards against mistakes, data breaches, malicious hacks, and other access-related problems by ensuring that only the right consumers have access to the right information and system controls.
(2) Allows you to limit the amount of data that gets transmitted to prevent attacks and/or prevent one API consumer from overburdening the system.
(3) Allows you to cut off access to a service after a subscription expires.
(4) Lets you control what happens after a failed authentication request. For example, you can block the failed request and send back an error code, or you can allow limited access to unauthenticated users.
An API gateway helps developers build systems consisting of multiple microservices and applications. It does this by serving two important roles, one of which relates to API Gateway authentication:
The first role of an API gateway is to manage API request traffic as a single point of entry. The API gateway sits in front of a group of APIs exposed by various apps and microservices. Applications and clients that want to use those APIs simply need to interact with the API gateway, which directs the calls and requests to the appropriate APIs and returns the responses. If you’re developing an application or enterprise architecture that consists of multiple apps and microservices, an API gateway minimizes your coding burden while giving your system immediate access to a wide variety of services, databases, and applications.
The second role of an API gateway is to manage API authentication/authorization tasks. This is where we come to API gateway authentication. Among the APIs that sit behind the API gateway, you should find APIs for a variety of authentication services (such as Okta, Active Directory, OpenID Connect, and OAuth-based authentication from Google, Facebook, Twitter, etc.). By integrating one of these services, the API gateway can authenticate and authorize external client requests, apply volume limits, and apply access controls to client requests (such as read-only and role-based access to certain data and operations). Independently of these external services, an API gateway can also manage authentication itself with technologies like Basic Auth, API Key Authentication, LDAP, etc.
There are three primary advantages that API gateway authentication brings to the table:
First, the API gateway bypasses the need to develop authentication from scratch. Instead of writing your own authentication solution, you can quickly incorporate the API gateway’s native authentication tools to secure access to the system that you used the API gateway to build.
Second, the API gateway lets you delegate authentication/authorization tasks to a third-party solution without writing the code required to integrate that solution. Developers simply cut and paste several lines of code that tell the API gateway to direct all authentication/authorization tasks through one of the authentication services in its API portfolio.
Third, API gateway authentication is convenient for end users. For example, if users already have an account with the third-party authentication service being used (Facebook, Google, Okta, Active Directory, etc.), they can breeze through most of the registration steps. Moreover, app administrators can quickly assign role-based access controls — like administrator, manager, or read-only access — for specific teams and team members.
When using DreamFactory for API gateway authentication, you can configure, integrate, and start using your authentication service in just a few minutes. Moreover, DreamFactory allows developers to quickly deploy a combination of authentication strategies when more than one type of authentication is required.
Below we’ve listed the most common API gateway authentication strategies. DreamFactory offers native support for all of these strategies.
Basic API Authentication allows API consumers to access services with a preassigned username and password. The client sends the username/password combination in the Authorization request header (or the Proxy-Authorization header when authenticating to a proxy server), and Basic Authentication checks those credentials against the ones held by the server or proxy server. Basic Authentication is the easiest way to password-protect a web application, and you can use DreamFactory to implement it for all HTTP and HTTPS API requests.
Key authentication strategies use an API key to give users access to specific types of information and services from an API. API Key authentication is commonly used to protect web applications, and it can be used for HTTP and HTTPS APIs. Developers can also use DreamFactory to configure API key authentication strategies that provide restricted access to an API when authentication fails.
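Here is the gateway-side check that the Basic Authentication and API key strategies above describe, as an added Python example that is not DreamFactory's own code: it parses the Basic Authorization header, compares the password against a salted hash in constant time, and falls back to an API key header. The credential store, the secret values and the API key header name are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store: the gateway keeps only salted PBKDF2 hashes of
# passwords and SHA-256 hashes of API keys, so a leaked store yields no usable credentials.
_SALT = b"constructed-demo-salt"

def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS: Dict[str, bytes] = {"alice": _derive("correct horse battery staple")}
API_KEYS: Dict[str, str] = {hashlib.sha256(b"demo-key-123").hexdigest(): "reporting-app"}
API_KEY_HEADER = "x-dreamfactory-api-key"  # assumed header name for this example

def basic_header(user: str, password: str) -> str:
    """Client side: build the value of an 'Authorization: Basic' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header value, or None if malformed."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:  # Basic credentials are only Base64-encoded, not encrypted
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Gateway check: return the authenticated principal, or None to deny."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "authorization" in h:
        creds = parse_basic(h["authorization"])
        if creds is None:
            return None
        user, password = creds
        stored = USERS.get(user)
        candidate = _derive(password)  # derive even for unknown users: uniform timing
        if stored is not None and hmac.compare_digest(stored, candidate):
            return user
        return None
    key = h.get(API_KEY_HEADER)
    if key:
        return API_KEYS.get(hashlib.sha256(key.encode()).hexdigest())
    return None
```

Because Basic credentials and API keys travel in cleartext apart from Base64 encoding, a gateway should accept them over HTTPS only.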
As a vendor-neutral directory services protocol, LDAP (Lightweight Directory Access Protocol) is one of the most common user authentication frameworks used in enterprise architecture. Like the other authentication strategies on this list, integrating LDAP authentication into a DreamFactory-built application is as simple as cutting and pasting a few lines of code. Simply configure the solution in DreamFactory’s web-based administration console, insert the code, and DreamFactory manages the rest.
OAuth 2.0 is an authentication standard that divides access control into two separate functions: “authentication” and “authorization.” Authentication allows a system to verify the identity of a specific API consumer. Authorization allows the system to know what level of access to grant. After authenticating/authorizing a specific consumer, an OAuth 2.0 authentication service grants the appropriate levels of access to the consumer. OAuth is the most common standard used by third-party authentication solutions. It’s compatible with HTTPS API requests only.
OpenID Connect is a wrapper around OAuth 2.0 that allows you to quickly incorporate any external OAuth 2.0/OpenID Connect authentication service into your DreamFactory-built applications. As a native DreamFactory integration, OpenID Connect makes it easy to integrate role-service-access, live API documentation, and other integration features into your applications. Once configured, DreamFactory stores all of the configuration settings within a secure database instance.
DreamFactory’s OpenID Connect service allows you to integrate a wide range of OAuth 2.0 access control services (like Okta, Facebook, Google, Twitter, Active Directory, and more). DreamFactory and OAuth 2.0 also allow you to issue temporary access tokens that eventually expire and need to be renewed.
Again, with DreamFactory’s web-based admin console, you can quickly configure these and other authentication strategies. Once configured, all you have to do is cut and paste a few lines of code to integrate the authentication solution into your DreamFactory-supported application.
In this section, we illustrate how API gateway authentication works by showing you the steps required to integrate a third-party authentication/authorization solution into a DreamFactory-based application.
For this step, you’ll go to Google’s OpenID implementation page. From there, log into Google’s API Console and create your OAuth2 credentials. Use the search field to find ‘OAuth.’ Select ‘Credentials’ from the dropdown that appears.
Select ‘Create credentials,’ then select ‘OAuth client ID.’
Now that you’ve created your OAuth 2.0 Google credentials, you’ll save the changes and set up the OpenID Connect service on DreamFactory.
Log into the DreamFactory admin console. Go to the ‘Services’ tab and click ‘Create’ on the left sidebar. Find the ‘Service Type’ dropdown. Choose ‘OAuth,’ and then choose ‘OpenID Connect.’
Next, you’ll select the “Config” tab, complete the service configuration form, and save your changes. When configuring the service, DreamFactory allows you to authorize API consumers, assign credentials to specific consumers, and limit access to anonymous consumers.
This completes the process of creating your new authentication service.
The next step involves creating a script that will complete the OAuth callback for a new session and generate a JSON Web Token (JWT) for the session. JWT is an open standard that allows you to securely transmit claims between parties as a JSON object. Because a JWT is digitally signed, the recipient can verify that it was issued by the expected party and has not been altered.
Here you’ll refer to the redirection URI that you used when configuring the OpenID credentials on Google (referenced above).
This URI endpoint intercepts the OAuth callback parameters that get forwarded to DreamFactory, and it generates the JWT session token. On this page, you’ll find a sample PHP script that manages the process of returning the JSON object with the necessary JWT and user profile information (name, email, etc.). Adding a similar script to your application code lets your application retrieve the JWT that is defined in the session_token attribute. This JWT will be sent with subsequent API requests to authenticate/authorize the consumer.
Finally, you’ll add an image to your web app with an authentication link that looks something like this: “https://YOUR_DREAMFACTORY_SERVER.com/api/v2/user/session?service=YOUR_SERVICE_NAME.”
That’s it! Your third-party OpenID Connect authentication service is ready to use!
Here’s what it looks like to use the third-party authentication solution after incorporating it into your app.
The user clicks the authentication link, which redirects to the Google OpenID authentication form.
The user enters a Google email/password combination and selects ‘allow’ to confirm the permissions that the app requires.
After selecting allow, Google sends the authorization information to the redirection URI. Next, the above-referenced script that you added to the application code forwards the information to DreamFactory and DreamFactory returns the session token to the script. Now, your application can persist the token, which it will include in further requests.
Now that you’ve read this far, you should have a clear understanding of the “what, why, and how” of API gateway authentication. As for which API gateway authentication solution to use, DreamFactory offers unmatched speed and the widest range of authentication options when it comes to incorporating an authentication solution into your applications. By empowering developers to integrate whatever authentication strategies they choose in a matter of minutes, DreamFactory allows you to blow through developmental delays and dramatically accelerate time to market.
If you’d like to know more about DreamFactory, contact our team and schedule a free hosted trial of DreamFactory now!