API Security Architect - Coggle Diagram
API Security Architect
-
-
API threat Mitigation
-
-
Rate Limiting
Restrict the number of requests based on
IP, identity and resource target
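The three limiting dimensions named above can be enforced together. The following is an added example in Python, not code from the diagram or from any product it describes: a sliding-window limiter keyed separately on source IP, on authenticated identity, and on (identity, resource target) for a small set of sensitive endpoints. The budget values, the sensitive-resource list and the sample traffic are constructed for illustration.

```python
import time
from collections import deque

# Constructed policy for the example, not values from the page: (max requests, window in seconds).
POLICY = {
    "ip": (20, 60),         # per source IP, authenticated or not
    "identity": (100, 60),  # per authenticated client or user
    "resource": (5, 60),    # per identity (or IP) on a sensitive resource target
}
SENSITIVE_RESOURCES = {"/oauth/token", "/login"}  # assumed targets that deserve a tighter budget


class SlidingWindowCounter:
    """Counts events per key inside a trailing window of window_s seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self._events = {}  # key -> deque of timestamps, oldest first

    def _prune(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def would_allow(self, key, now):
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class ApiRateLimiter:
    """Applies the IP, identity and resource-target budgets to one request."""

    def __init__(self, policy=POLICY, sensitive=SENSITIVE_RESOURCES):
        self.counters = {dim: SlidingWindowCounter(*spec) for dim, spec in policy.items()}
        self.sensitive = sensitive

    def _keys(self, ip, identity, resource):
        keys = [("ip", ip)]
        if identity is not None:
            keys.append(("identity", identity))
        if resource in self.sensitive:
            # Unauthenticated callers fall back to their IP as the identity for the resource budget.
            keys.append(("resource", (identity or ip, resource)))
        return keys

    def check(self, ip, identity, resource, now=None):
        """Return (allowed, reason). Budgets are consumed only when every dimension passes,
        so a request rejected on one dimension does not burn the caller's other budgets."""
        now = time.monotonic() if now is None else now
        keys = self._keys(ip, identity, resource)
        for dim, key in keys:
            if not self.counters[dim].would_allow(key, now):
                return False, f"{dim} limit exceeded"
        for dim, key in keys:
            self.counters[dim].record(key, now)
        return True, "ok"


def demo():
    """Constructed traffic: one client repeatedly hitting the token endpoint."""
    rl = ApiRateLimiter()
    t0 = 1000.0
    token_calls = [rl.check("203.0.113.7", "client-a", "/oauth/token", now=t0 + i)[0] for i in range(6)]
    other_resource_ok = rl.check("203.0.113.7", "client-a", "/items", now=t0 + 6)[0]
    after_window_ok = rl.check("203.0.113.7", "client-a", "/oauth/token", now=t0 + 61)[0]
    return token_calls, other_resource_ok, after_window_ok


if __name__ == "__main__":
    print(demo())  # ([True, True, True, True, True, False], True, True)
```

The per-resource budget is keyed on the caller, not on the endpoint alone, so one client exhausting its token-endpoint budget does not deny the endpoint to everyone else; the per-IP budget still catches an unauthenticated flood, and checking all dimensions before recording keeps a rejected request from counting against the caller twice.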
-
-
-
-
Scenarios
When a client registers itself with an API, what elements are exchanged at a minimum?
The client app provides 1) the client app name and 2) the callback URL. The API then returns the client app ID and client secret.
-
4 Grant Types
Authorization Code
USE CASE:
Web Application needing scoped access to a resource server on behalf of an end user whose identity must remain private.
How It Works
The client exchanges an authorization code for an access token.
Bottom Line
Resource Owner's credentials are never shared with the client
Access Token is never shared with the resource owner.
Implicit
USE CASE
JavaScript-based web applications (single-page apps)
Where a client secret cannot be shared or stored.
How It Works
The client is issued an access token instead of an authorization code. The grant type is implicit since no intermediate credential, such as an authorization code, is issued. The authorization server does not authenticate the client.
The client is issued the access token directly in the redirect URL.
Bottom Line
Simpler to implement but requires additional customization on the client app to enhance security.
:small_orange_diamond: Recommended for internal apps and not for external apps or enterprise-grade applications.
: :
-
Client Credentials
USE CASE
Non-interactive apps such as CLIs and daemons
How It Works
Authorization Scope is limited to the protected resources under the client's control or as previously arranged with the authorization server.
Should be used only for confidential clients, or internal clients contained within a VPN or corporate network.
Bottom Line
Must only be used for confidential clients
-
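The registration exchange (client name and callback URL in, client ID and secret out), the authorization code grant and the client credentials grant above can be seen working together in one small authorization server. The following is an added Python example, not code from the diagram or from any OAuth library; the endpoint behaviour follows the grant descriptions above, while the credential store, the 60-second code lifetime, the client names, URLs, scopes and the user "alice" are constructed for the example. It shows the two bottom-line properties directly: the resource owner's password is only ever checked by the authorization server, and the access token is handed to the authenticated client at the token endpoint rather than passing through the owner's browser.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_S = 60  # assumed: authorization codes are short-lived and single-use

def _hash(value):
    # Stand-in credential hash for the example; user passwords would need a real password KDF.
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class Client:
    client_id: str
    secret_hash: str    # the server stores only a hash of the client secret
    name: str
    redirect_uri: str   # the callback URL supplied at registration
    confidential: bool  # True for a server-side app that can keep its secret, False for a SPA or CLI

class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients, self.codes, self.tokens = {}, {}, {}
        self.users = {"alice": _hash("correct horse battery")}  # constructed resource-owner store

    # Registration: the client sends a name and callback URL and gets back a client id and secret.
    def register(self, name, redirect_uri, confidential=True):
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[client_id] = Client(client_id, _hash(client_secret), name, redirect_uri, confidential)
        return client_id, client_secret

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret_hash, _hash(client_secret or "")):
            raise PermissionError("client authentication failed")
        return client

    # Authorization endpoint: the owner authenticates to the server, never to the client, and only a code goes back.
    def authorize(self, client_id, redirect_uri, scope, username, password):
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client.redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(self.users.get(username, ""), _hash(password)):
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "owner": username, "expires": self.clock() + CODE_TTL_S, "used": False}
        return redirect_uri + "?" + urlencode({"code": code})

    # Token endpoint: the client authenticates with its secret and redeems the code (or its own identity).
    def token(self, grant_type, client_id, client_secret, code=None, redirect_uri=None, scope=None):
        client = self._authenticate_client(client_id, client_secret)
        if grant_type == "authorization_code":
            rec = self.codes.get(code)
            if (rec is None or rec["used"] or rec["client_id"] != client_id
                    or rec["redirect_uri"] != redirect_uri or self.clock() > rec["expires"]):
                raise PermissionError("authorization code invalid, expired, replayed or bound to another client")
            rec["used"] = True
            return self._issue(client, rec["owner"], rec["scope"])
        if grant_type == "client_credentials":
            if not client.confidential:  # a public client cannot prove who it is
                raise PermissionError("client_credentials is restricted to confidential clients")
            return self._issue(client, None, scope or "client:self")
        raise ValueError("unsupported grant_type")

    def _issue(self, client, owner, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client.client_id, "owner": owner, "scope": scope}
        return token

    # What a resource server asks: on whose behalf, and with what scope, does this token act?
    def introspect(self, token):
        return self.tokens.get(token)

def code_from_callback(url):
    return parse_qs(urlparse(url).query)["code"][0]

def denied(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False

def run_flows():
    srv = AuthorizationServer()
    cid, secret = srv.register("Expense Web App", "https://app.example/callback")
    cb = srv.authorize(cid, "https://app.example/callback", "expenses:read", "alice", "correct horse battery")
    code = code_from_callback(cb)
    user_token = srv.token("authorization_code", cid, secret, code=code, redirect_uri="https://app.example/callback")
    replay_blocked = denied(srv.token, "authorization_code", cid, secret, code=code,
                            redirect_uri="https://app.example/callback")
    daemon_token = srv.token("client_credentials", cid, secret, scope="reports:generate")
    spa_id, spa_secret = srv.register("Browser SPA", "https://spa.example/cb", confidential=False)
    spa_denied = denied(srv.token, "client_credentials", spa_id, spa_secret)
    return {"user": srv.introspect(user_token), "replay_blocked": replay_blocked,
            "daemon": srv.introspect(daemon_token), "spa_denied": spa_denied}
```

Running `run_flows()` yields a user-bound token for the web app, a replayed code that is refused, an owner-less token for the daemon, and a refusal when a public (non-confidential) client tries the client credentials grant. The redirect URI is checked at both endpoints and the code is bound to the client that requested it, which is what stops a code delivered to the wrong callback from being redeemed.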
JSON Web Token
WHAT
-
Part of the JSON Object Signing and Encryption (JOSE) framework
JWT (JSON Web Token)
JWS (JSON Web Signature)
JWE (JSON Web Encryption)
JWA (JSON Web Algorithms)
JWK (JSON Web Key)
-