chapter eleven

11 Authorization for APIs


This chapter covers

  • Why API authorization is difficult in a microservices environment
  • Three enforcement patterns for internal APIs: gateway, service mesh, and per-service proxies
  • How OAuth allows delegated access without sharing passwords
  • OAuth’s Authorization Code Grant and the Client Credentials Grant
  • How access tokens are integrated with Cedar for fine-grained authorization

APIs serve as the connective tissue for modern digital systems. Every mobile app, SaaS product, and microservice relies on APIs to transfer data and initiate operations across organizational and technical boundaries. That widespread use makes API security a critical concern. If APIs are left too open, they become vulnerable to misuse or attack. Conversely, if they are overly restricted, they hinder the integrations and workflows that make modern software ecosystems possible. Authorization for APIs has to balance two requirements:

  • Internal enforcement: ensuring only authorized services and employees can access sensitive endpoints within an organization’s own systems
  • External delegation: providing customers with secure and managed methods for third-party apps to access APIs on their behalf

11.1 Authorization in a microservices world

11.1.1 Pattern 1: API gateway as enforcement point

11.1.2 Pattern 2: Service mesh with sidecar enforcement

11.1.3 Pattern 3: Per-service proxies

11.1.4 Comparing enforcement patterns

11.1.5 Other enforcement patterns

11.2 Authorization for external access to APIs

11.2.1 The OAuth protocol and roles

11.2.2 OAuth scopes

11.2.3 Acquiring OAuth tokens

11.2.4 Using OAuth tokens

11.3 From microservices to third parties: One policy story

11.4 Summary