In an interconnected computing world, APIs are essential for sharing programmatic functionality. Of course, this includes internal APIs from the same company that built the web application accessing them. External APIs provided by a third party are also accessed by web apps or even other APIs. Notably, many web applications simply serve as a front end to various APIs containing the app's functionality.
Not surprisingly, APIs are an attractive target for unethical hackers and other cybercriminals. An unsecured API offers a window to extract private corporate data. As a result, implementing some form of web API authentication becomes critical. Enter OAuth 2.0, which effectively serves as the modern standard for the authorization of access to APIs.
Let's examine OAuth 2.0 in more detail and provide insights on using it for web API authentication. We also cover a few best practices on web API authorization, ensuring secure usage of both internal and external APIs. Remember, Duende IdentityServer provides a flexible framework for implementing OAuth 2.0 and OpenID Connect (OIDC) with ASP.NET Core applications. It gives you full control of your application's business rules, UX, and data.
A Closer Look at OAuth 2.0
Here's a quick overview of OAuth 2.0, providing background on this authorization standard in web APIs. Basically, OAuth 2.0 offers the means for users to delegate application access to APIs and other resources without sharing credentials. When a user logs in to an application, typically with OIDC, access tokens are generated and used downstream for authorization. The flexibility of OAuth 2.0 ensures those tokens authorize access to both internal and external APIs and resources.
Access tokens typically have limited lifetimes and expire after a certain period. They also don't include the user's credentials, offering enhanced security to web apps. Tokens stored within a browser remain a critical security hole, requiring a proactive cybersecurity approach like the BFF pattern.
OAuth 2.0 includes a massive specification covering a wide array of use cases. For this article, we will focus on using it to secure the APIs used in a web application. If interested in learning more about the specification in general, check out these resources provided by the IETF.
The Benefits of Using a Central Identity Provider with OAuth 2.0
Let's explore some of the most important benefits of securing web APIs with OAuth 2.0. When using OAuth 2.0 for API authorization, the user first logs in to a central identity provider (IdP). After all, authenticating users remains a key aspect of any web API authentication process. These IdPs are typically compliant with the OpenID Connect standard. Duende IdentityServer provides a framework supporting both OAuth 2.0 and OIDC, perfect for ASP.NET Core applications.
- Centralized Protection: A centralized IdP requires only one platform to securely authenticate and authorize users, compared to architectures using multiple servers for authentication and authorization. It also provides one location for enabling, disabling, and analyzing API access.
- A Focus on Authentication: An IdP focused on login and authentication functionality, with a common interface is easier for developers to implement. It also builds trust with users by leveraging a common UI.
- Easier IdP Maintenance and Enhancements: A single point for authentication also facilitates maintenance and the implementation of new features. This enables downstream APIs using access tokens to benefit from modern security techniques, such as multi-factor authentication (MFA).
Important Core OAuth 2.0 Specifications for Securing Web Applications and APIs
While OAuth 2.0 contains multiple specifications covering many aspects of authorization, a few stand out for their importance. Knowing these specs ultimately helps your understanding of how OAuth 2.0 protects access to web APIs. Let's take a closer look:
- RFC 6749: This spec defines the authorization flows that comprise a key piece of the OAuth 2.0 functionality. After a user is authenticated, the process generates an authorization grant, which is used to obtain an access token. Check out the IETF specification documentation for additional details.
- RFC 6750: Access tokens are the major topic of the RFC 6750 specification. In most cases, they are used as bearer tokens for accessing protected resources, such as web APIs. Explore the IETF documentation for useful insights and best practices for adopting RFC 6750.
- RFC 7519: The JSON Web Token (JWT) format used for access tokens is defined in the RFC 7519 spec. We cover the JWT in more detail in the next section.
Strategies for Securing Web-based APIs using OAuth 2.0
Using OAuth 2.0 for web API authentication is ultimately a straightforward effort. A first step for securing APIs involves requiring users to log in to the application, if relevant. This authentication functionality leverages a centralized IdP compliant with the OAuth 2.0 specification. The process generates the access token used for authorization to any APIs used by that application.
The OAuth grant includes a workflow that generates an access token detailing the scope of what the authenticated user can do. Note that the user in question might be a human or another entity, like a component running on another system. Additionally, the token also includes an expiration time denoting how long the token and the data it contains remain in force. Adopting the backend for frontend pattern also means these tokens also aren't stored in the web browser, enhancing their security.
Access tokens are stored in a variety of formats. The JWT format, which stands for JSON Web Token, is required as part of the OpenID Connect specification. The format includes a header combined with a body containing key-value pairs detailing information for the authenticated user. The header contains data identifying the token type and its signature, used to verify it hasn't been tampered with. The top security frameworks supporting OAuth 2.0, like IdentityServer, handle token validation and verification automatically.
Duende IdentityServer provides a Framework to Secure Web APIs with OAuth 2.0
If you want to secure your company’s ASP.NET Core web applications and APIs, try Duende IdentityServer. It provides a standards-compliant solution for web API authentication, serving as a seamless framework for OpenID Connect and OAuth 2.0. Building a strong security footprint for your ASP.NET Core apps is easier than ever!