© Hitachi, Ltd. 2023. All rights reserved.
Security Considerations for API Gateway Aggregation
APIsecure 2023
Hitachi, Ltd.
Yoshiyuki Tabata
Slides are available at https://www.slideshare.net/ssuserbeb7c0
About the speaker
• Specialist in API authorization
  - Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields
• Contributor to OSS related to authentication, authorization, and API management
  - Keycloak (IAM OSS)
  - 3scale (API management OSS)
• Other activities
  - Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.
  - Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese)
Yoshiyuki Tabata
  - Software Engineer
  - Hitachi, Ltd.
  - GitHub: @y-tabata
Contents
1. Introduction to API Gateway Aggregation
2. Security Considerations for API Gateway Aggregation
3. Advanced use cases of API Gateway Aggregation

1. Introduction to API Gateway Aggregation

Introduction to “Minimum” API Management
• Providing multiple APIs requires “API management” for operational reasons.
• A full-featured API management product is not necessary in this case. “Minimum” API Management, which provides only an API Gateway and an Authorization Server, is sufficient, especially for projects that start small.
[Figure: “Minimum” API Management, consisting of an API GW, two APIs, an Authz Server and the company's own service; arrows are labeled "API call" and "issue token".]
• For example, this “Minimum” API Management can be built with only Keycloak and NGINX.
[Figure: the same layout with NGINX as the API GW and Keycloak as the Authz Server.]
What is Keycloak
• Keycloak is IAM (Identity and Access Management) OSS.
• Keycloak provides an OAuth 2.0 authorization server feature and single sign-on.
Major features
  - Provide support for OAuth 2.0, OpenID Connect and SAML.
  - Connect to existing LDAP or Active Directory servers.
  - Login with social networks.
[Figure: Keycloak, based on standard protocols (OpenID Connect, SAML), with user federation (LDAP, Active Directory, RDB) and social login (GitHub, Twitter, Facebook).]
Common issue for companies providing multiple services
• When a company provides multiple services, multiple “Minimum” API Management systems coexist in-house.
[Figure: two separate “Minimum” API Management systems, each with its own API GW, APIs, Authz Server and own services.]
• Recently, use cases for exposing APIs outside the company have become popular, such as providing APIs to 3rd-party applications and supporting remote work.
• Existing APIs may not be suitable for exposure outside the company without changes because of their low level of security and usability.
[Figure: the two in-house systems, with remote work and 3rd party apps outside the company; the path of their API calls to the in-house APIs is marked "?".]
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
Proposal: API GW Aggregation
• At a minimum, the following points should be considered when exposing APIs.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
  -> Build an API GW Aggregator in front of the API GWs.
[Figure: an API GW Aggregator placed between the callers outside the company (remote work, 3rd party apps) and the two in-house API GWs, each of which keeps its own APIs, Authz Server and own services.]

2. Security Considerations for API Gateway Aggregation

How to meet requirements with API GW Aggregation
• This chapter considers how to meet the following requirements with API GW Aggregation, focusing especially on the API authorization perspective.
  • Minimum security (API authorization, OWASP Top 10)
  • Minimum impact on services provided to existing users
• Minimum security (API authorization, OWASP Top 10)
  • API authorization -> Authorization server based on OAuth 2.0
  • OWASP Top 10 -> WAF (Web Application Firewall)
[Figure: the API GW Aggregator with its own Authz Server and a WAF, between remote work / 3rd party apps and the individual API GWs. Annotations: "issue tokens using OAuth2 authz code grant"; "verify issuer, audience, expiration, revocation".]
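The four checks named in the figure annotation (issuer, audience, expiration, revocation), written out as an added example that is not part of the original slides. The issuer URL, audience, key and revoked-token set are constructed values; HS256 is an assumption made only so the code runs on the standard library, whereas a Keycloak deployment would normally verify an asymmetric signature against the realm's published keys and ask the AS about revocation.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not taken from the slides).
ISSUER = "https://aggregator-as.example/realms/external"
AUDIENCE = "api-gw-aggregator"
KEY = b"constructed-demo-key"        # HS256 only to stay stdlib-only
REVOKED_JTI = {"jti-revoked-1"}      # stands in for a revocation lookup at the AS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = KEY, alg: str = "HS256") -> str:
    """Build a constructed sample token (a test fixture, not an AS)."""
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def validate(token: str, now: int) -> tuple:
    """Return (accepted, reason). Any parse problem fails closed."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"

    # Pin the algorithm on the verifier side; the token must not choose it.
    if header.get("alg") != "HS256":
        return False, "bad alg"
    expected = hmac.new(KEY, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"

    # Issuer: only the aggregator's own AS is trusted here.
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"

    # Audience: "aud" may be a single string or a list of strings.
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"

    # Expiration: a missing or non-numeric "exp" is treated as expired.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"

    # Revocation: checked last, after the cheap local checks.
    if claims.get("jti") in REVOKED_JTI:
        return False, "revoked"
    return True, "ok"
```
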
• Minimum impact on services provided to existing users
  • API authorization of external applications in the API GW Aggregator and API authorization of each own service in the individual API GWs work without problems because each uses its dedicated authz server.
[Figure: the API GW Aggregator (w/ WAF) with its own Authz Server serving remote work and 3rd party apps, and each individual API GW with its own Authz Server serving own services; the diagram carries three check marks.]
  • API authorization of external applications in the individual API GWs is complex.
    -> If the API GW Aggregator reuses the access token that the external app sends, each individual API GW needs to deal with tokens issued by multiple ASs.
[Figure: a 3rd party app calls the API GW Aggregator (w/ WAF) with an access token issued by the Aggregator's Authz Server; the Aggregator calls the individual API GW using the same access token, while own services call that API GW with tokens issued by its own Authz Server. Annotation: "MUST deal with tokens issued by multiple AS."]
    -> We should avoid this situation because it extends the attack surface to attacks such as IdP mix-up attacks and may have an impact on own services.
    -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS (cf. RFC 8693 OAuth 2.0 Token Exchange).
[Figure: the API GW Aggregator (w/ WAF) performs a token exchange with the individual API GW's Authz Server and calls the individual API GW using the different access token. Annotation: "deal with tokens issued by only one AS."]
    -> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, becomes possible and can protect privacy.
[Figure: as in the previous figure, with the token sent by the 3rd party app labeled "lightweight access tokens".]
*1: an assertion-based access token w/o privacy information or a handle-based access token
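The token exchange step described above, as an added example that is not part of the original slides: the aggregator picks the backend's own AS, builds the RFC 8693 request, checks the response, and replaces the caller's Authorization header so the external token never reaches the individual API GW. The routing table, host names and audiences are constructed, the function names are hypothetical, and client authentication of the aggregator to each AS is left to the caller.

```python
from urllib.parse import urlencode

# Parameter values defined by RFC 8693.
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed routing table: path prefix -> that API GW's own AS.
BACKENDS = {
    "/service-a/": {
        "token_endpoint": "https://as-a.internal.example/token",
        "audience": "api-gw-a",
    },
    "/service-b/": {
        "token_endpoint": "https://as-b.internal.example/token",
        "audience": "api-gw-b",
    },
}


def pick_backend(path: str) -> dict:
    """Longest-prefix match; unknown paths fail closed (no forwarding)."""
    matches = [prefix for prefix in BACKENDS if path.startswith(prefix)]
    if not matches:
        raise LookupError(f"no backend for {path!r}")
    return BACKENDS[max(matches, key=len)]


def build_exchange_request(path: str, external_token: str) -> tuple:
    """Return (token endpoint URL, form-encoded body) for the exchange.

    external_token must already have passed the aggregator's own
    validation (issuer, audience, expiration, revocation).
    """
    backend = pick_backend(path)
    form = {
        "grant_type": GRANT,
        "subject_token": external_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        # Ask for a token scoped to this one backend only.
        "audience": backend["audience"],
    }
    return backend["token_endpoint"], urlencode(form)


def token_from_response(resp: dict) -> str:
    """Accept only a Bearer access token from the exchange response."""
    if resp.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected issued_token_type")
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    token = resp.get("access_token")
    if not token:
        raise ValueError("no access_token in response")
    return token


def upstream_headers(inbound: dict, internal_token: str) -> dict:
    """Drop the caller's Authorization header and set the exchanged token,
    so the individual API GW only ever sees tokens from its own AS."""
    out = {k: v for k, v in inbound.items() if k.lower() != "authorization"}
    out["Authorization"] = f"Bearer {internal_token}"
    return out
```

With this in place, the individual API GW keeps a single trusted issuer in its configuration, which is the property the slide states as "deal with tokens issued by only one AS".
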
• This API GW Aggregator can also be built with Keycloak and NGINX.
[Figure: the API GW Aggregator built with NGINX Plus and Keycloak, with token exchange against each individual Authz Server. Annotation: NGINX App Protect (WAF) protects each API individually using OpenAPI specs.]

3. Advanced use cases of API Gateway Aggregation

Advanced use case: access to highly sensitive data
• When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as FAPI (Financial-grade API) security profile.
[Figure: the aggregator built with NGINX Plus (w/ NGINX App Protect) and Keycloak in front of the individual API GWs, with the annotation "provide highly sensitive data".]
What is FAPI
• The Financial-grade API (FAPI) security profile requires a high level of security. It is based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO", and it defines secure usage of OAuth 2.0 and OIDC to apply to APIs in any market area.
[Figure: Financial-grade API Security Profile 1.0 Part 2: Advanced, shown together with the following specifications]
  - RFC 6749: The OAuth 2.0 Authorization Framework
  - RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  - RFC 6819: OAuth 2.0 Threat Model and Security Considerations
  - RFC 7519: JSON Web Token (JWT)
  - RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
  - RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
  - RFC 9126: OAuth 2.0 Pushed Authorization Requests
  - OpenID Connect Core 1.0
  - Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• To support FAPI, the authz server, the client application, and the resource server must all meet the FAPI requirements.
  -> An API GW Aggregator built with Keycloak and NGINX can support FAPI.
• Hitachi publishes a certified implementation of FAPI RP: https://github.com/Hitachi/hitachi-fapi-java
Advanced use case: zero-trust network
• To protect against a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
[Figure: the same architecture with one API marked "compromised API".]
• To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
  -> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
[Figure: NGINX instances placed in front of the APIs and own services; API calls are labeled "(mTLS + JWT)"; one API is marked "compromised API". Annotation: "Keycloak supports policy decision and policy administration".]
  -> Complicated certificate management for mTLS is reduced by integrating with Vault.
[Figure: the same layout with Vault added; API calls are labeled "(mTLS)". Annotation: real-time Vault certificate-issuing requests and the dynamic certificate-loading feature in NGINX Plus.]
Other advanced use cases
• There are many other advanced use cases. The ones below are for different types of clients.
  - For native apps, issue client credentials via the dynamic client registration endpoint.
  - For browser-based apps, behave as a BFF (backend for frontend), handling the full authz flow and managing tokens.
Summary
• We proposed “API GW Aggregation”
  - can expose APIs outside the company
    - with minimum security and
    - minimum impact on services provided to existing users.
  - the underlying technologies are OAuth2, WAF, and token exchange.
  - can be built with Keycloak and NGINX.
  - supports advanced use cases such as FAPI and zero-trust networks.
Slides are available at https://www.slideshare.net/ssuserbeb7c0
Trademarks
• OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
• GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
• Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
• NGINX and NGINX Plus are registered trademarks of F5, Inc. in the United States and other countries.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyuki Tabata (Hitachi)
apidays Paris 2024 - AI-Enhanced API Documentation Bridging Knowledge Gaps an...
apidays
 
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays
 
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays
 
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays
 
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
apidays
 
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmaticapidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays
 
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays
 
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBSGreen IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
apidays
 
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays
 
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
apidays
 
apidays Paris 2024 - Governance of Event-Driven Distributed Systems, Omid Ei...
apidays Paris 2024 - Governance of Event-Driven Distributed Systems,  Omid Ei...apidays Paris 2024 - Governance of Event-Driven Distributed Systems,  Omid Ei...
apidays Paris 2024 - Governance of Event-Driven Distributed Systems, Omid Ei...
apidays
 
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays
 
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays
 
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consultingapidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays
 
apidays Paris 2024 - Advanced API Management and Operations A Develope
apidays Paris 2024 - Advanced API Management and Operations A Developeapidays Paris 2024 - Advanced API Management and Operations A Develope
apidays Paris 2024 - Advanced API Management and Operations A Develope
apidays
 
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays
 
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays
 
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays
 
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays
 
Green IO Conference at apidays Paris 2024 - The Internet is Getting Emptier;...
Green IO Conference at apidays Paris 2024 -  The Internet is Getting Emptier;...Green IO Conference at apidays Paris 2024 -  The Internet is Getting Emptier;...
Green IO Conference at apidays Paris 2024 - The Internet is Getting Emptier;...
apidays
 
apidays Paris 2024 - AI-Enhanced API Documentation Bridging Knowledge Gaps an...
apidays Paris 2024 - AI-Enhanced API Documentation Bridging Knowledge Gaps an...apidays Paris 2024 - AI-Enhanced API Documentation Bridging Knowledge Gaps an...
apidays Paris 2024 - AI-Enhanced API Documentation Bridging Knowledge Gaps an...
apidays
 
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays Paris 2024 - AI Adoption - Engaging Minds, Developing Skills, Deliver...
apidays
 
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays Paris 2024 - Design, Debug, Test and Mock APIs with Kong Insomnia, Pi...
apidays
 
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays Paris 2024 - Generate OpenAPI Schema from Golang Code with the Fuego ...
apidays
 
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
Green IO Conference at apidays Paris 2024 - Meeting or Missing Targets? Data ...
apidays
 
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmaticapidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays Paris 2024 - Project API Forge, Naresh Jain, Specmatic
apidays
 
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays Paris 2024 - How API Help to Better Serve Clients at Allianz Trade, M...
apidays
 
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBSGreen IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
Green IO Conference at apidays Paris 2024 - TOSS In Some AI, Pindy Bhullar, UBS
apidays
 
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays Paris 2024 - Embeddings: Core Concepts for Developers, Jocelyn Matthe...
apidays
 
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
Green IO Conference at apidays Paris 2024 - What's Behind Avoided Emissions, ...
apidays
 
apidays Paris 2024 - Governance of Event-Driven Distributed Systems, Omid Ei...
apidays Paris 2024 - Governance of Event-Driven Distributed Systems,  Omid Ei...apidays Paris 2024 - Governance of Event-Driven Distributed Systems,  Omid Ei...
apidays Paris 2024 - Governance of Event-Driven Distributed Systems, Omid Ei...
apidays
 
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays Paris 2024 - Contract-Driven Development for Event-Driven Architectur...
apidays
 
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays Paris 2024 - 7 Rules for Crafting Developer-Friendly API Libraries, B...
apidays
 
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consultingapidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays Paris 2024 - Tackling OpenAPI Drift, Ikenna Nwaiwu, Ikenna Consulting
apidays
 
apidays Paris 2024 - Advanced API Management and Operations A Develope
apidays Paris 2024 - Advanced API Management and Operations A Developeapidays Paris 2024 - Advanced API Management and Operations A Develope
apidays Paris 2024 - Advanced API Management and Operations A Develope
apidays
 
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays Paris 2024 - Develop in Parallel and Ship Earlier with OpenAPI and Mo...
apidays
 
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays Paris 2024 - Make Your LLM Infrastructure Serverless, Guillaume Blaqu...
apidays
 
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays Paris 2024 - Modularizing your API with Domain Storytelling Henning S...
apidays
 
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays Paris 2024 - Establishing a Specification Framework for API Managemen...
apidays
 
Green IO Conference at apidays Paris 2024 - The Internet is Getting Emptier;...
Green IO Conference at apidays Paris 2024 -  The Internet is Getting Emptier;...Green IO Conference at apidays Paris 2024 -  The Internet is Getting Emptier;...
Green IO Conference at apidays Paris 2024 - The Internet is Getting Emptier;...
apidays
 
Ad

Recently uploaded (19)

White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 
White and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptxWhite and Red Clean Car Business Pitch Presentation.pptx
White and Red Clean Car Business Pitch Presentation.pptx
canumatown
 
project_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptxproject_based_laaaaaaaaaaearning,kelompok 10.pptx
project_based_laaaaaaaaaaearning,kelompok 10.pptx
redzuriel13
 
OSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description fOSI TCP IP Protocol Layers description f
OSI TCP IP Protocol Layers description f
cbr49917
 
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...Mobile database for your company telemarketing or sms marketing campaigns. Fr...
Mobile database for your company telemarketing or sms marketing campaigns. Fr...
DataProvider1
 
Determining Glass is mechanical textile
Determining  Glass is mechanical textileDetermining  Glass is mechanical textile
Determining Glass is mechanical textile
Azizul Hakim
 
Computers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers NetworksComputers Networks Computers Networks Computers Networks
Computers Networks Computers Networks Computers Networks
Tito208863
 
DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)DNS Resolvers and Nameservers (in New Zealand)
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Understanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep WebUnderstanding the Tor Network and Exploring the Deep Web
Understanding the Tor Network and Exploring the Deep Web
nabilajabin35
 
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation TemplateSmart Mobile App Pitch Deck丨AI Travel App Presentation Template
Smart Mobile App Pitch Deck丨AI Travel App Presentation Template
yojeari421237
 
Best web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you businessBest web hosting Vancouver 2025 for you business
Best web hosting Vancouver 2025 for you business
steve198109
 
(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security(Hosting PHising Sites) for Cryptography and network security
(Hosting PHising Sites) for Cryptography and network security
aluacharya169
 
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 SupportReliable Vancouver Web Hosting with Local Servers & 24/7 Support
Reliable Vancouver Web Hosting with Local Servers & 24/7 Support
steve198109
 
highend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptxhighend-srxseries-services-gateways-customer-presentation.pptx
highend-srxseries-services-gateways-customer-presentation.pptx
elhadjcheikhdiop
 
IT Services Workflow From Request to Resolution
IT Services Workflow From Request to ResolutionIT Services Workflow From Request to Resolution
IT Services Workflow From Request to Resolution
mzmziiskd
 
5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx5-Proses-proses Akuisisi Citra Digital.pptx
5-Proses-proses Akuisisi Citra Digital.pptx
andani26
 
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry SweetserAPNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC Update, presented at NZNOG 2025 by Terry Sweetser
APNIC
 
Perguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolhaPerguntas dos animais - Slides ilustrados de múltipla escolha
Perguntas dos animais - Slides ilustrados de múltipla escolha
socaslev
 
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHostingTop Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
Top Vancouver Green Business Ideas for 2025 Powered by 4GoodHosting
steve198109
 
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC -Policy Development Process, presented at Local APIGA Taiwan 2025
APNIC
 

APIsecure 2023 - Security Considerations for API Gateway Aggregation, Yoshiyuki Tabata (Hitachi)

  • 1. Security Considerations for API Gateway Aggregation. APIsecure 2023. Hitachi, Ltd., Yoshiyuki Tabata. © Hitachi, Ltd. 2023. All rights reserved. Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 2. About the speaker: Yoshiyuki Tabata, Software Engineer, Hitachi, Ltd. (GitHub: @y-tabata). Specialist in API authorization: consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields. Contributor to OSS related to authentication, authorization, and API management: Keycloak (IAM OSS) and 3scale (API management OSS). Other activities: speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.; author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese).
  • 3. Contents: 1. Introduction to API Gateway Aggregation; 2. Security Considerations for API Gateway Aggregation; 3. Advanced use cases of API Gateway Aggregation.
  • 4. Contents: 1. Introduction to API Gateway Aggregation; 2. Security Considerations for API Gateway Aggregation; 3. Advanced use cases of API Gateway Aggregation.
  • 5. Introduction to “Minimum” API Management. “API management” is required when providing multiple APIs, considering the operational aspect. In this case, luxurious API management is not necessary; “Minimum” API Management, which provides only an API Gateway and an Authorization Server, is sufficient, especially for small-start projects. [Diagram: “Minimum” API Management with own service, API GW, two APIs and Authz Server; arrows labelled "API call" and "issue token".]
  • 6. Introduction to “Minimum” API Management. For example, this “Minimum” API Management can be built with only Keycloak and NGINX. [Diagram: the same layout with NGINX as the API GW and Keycloak as the Authz Server.]
  • 7. What is Keycloak. Keycloak is IAM (Identity and Access Management) OSS. Keycloak provides an OAuth 2.0 authorization server feature and single sign-on. Major features: support for OAuth 2.0, OpenID Connect and SAML; connection to existing LDAP or Active Directory servers; login with social networks. [Diagram: Keycloak, based on standard protocols (OpenID Connect, SAML), with user federation (LDAP, Active Directory, RDB) and social login (GitHub, Twitter, Facebook).]
  • 8. Common issue for companies providing multiple services. When a company provides multiple services, multiple minimum API management systems exist in-house together. [Diagram: two separate “Minimum” API Management systems, each with own services, API GW, APIs and Authz Server.]
  • 9. Common issue for companies providing multiple services. Recently, use cases for exposing APIs outside the company have become popular, such as providing APIs to 3rd-party applications and the spread of remote work. Existing APIs may not be exposable outside the company without changes because of their low level of security and usability. [Diagram: remote work and 3rd party apps outside the company, with an "API call ?" arrow toward the two in-house API management systems.]
  • 10. Common issue for companies providing multiple services. At a minimum, the following points should be considered when exposing APIs: minimum security (API authorization, OWASP Top 10); minimum impact on services provided to existing users. [Diagram: same as the previous slide.]
  • 11. Proposal: API GW Aggregation. At a minimum, the following points should be considered when exposing APIs: minimum security (API authorization, OWASP Top 10); minimum impact on services provided to existing users. -> Build an API GW Aggregator in front of the API GWs. [Diagram: remote work and 3rd party apps outside the company call the API GW Aggregator, which calls the individual API GWs.]
  • 12. Contents: 1. Introduction to API Gateway Aggregation; 2. Security Considerations for API Gateway Aggregation; 3. Advanced use cases of API Gateway Aggregation.
  • 13. How to meet requirements with API GW Aggregation. This chapter considers how to meet requirements with API GW Aggregation, especially focusing on the API authorization perspective: minimum security (API authorization, OWASP Top 10); minimum impact on services provided to existing users. [Diagram: API GW Aggregator in front of the individual API GWs.]
  • 14. How to meet requirements with API GW Aggregation. This chapter considers how to meet requirements with API GW Aggregation, especially focusing on the API authorization perspective: minimum security (API authorization, OWASP Top 10); minimum impact on services provided to existing users. [Diagram: API GW Aggregator in front of the individual API GWs.]
  • 15. How to meet requirements with API GW Aggregation. Minimum security (API authorization, OWASP Top 10): API authorization -> authorization server based on OAuth 2.0; OWASP Top 10 -> WAF (Web Application Firewall). [Diagram: the API GW Aggregator + WAF has its own Authz Server, which issues tokens using the OAuth2 authz code grant; the Aggregator verifies issuer, audience, expiration, revocation.]
  • 16. 15 © Hitachi, Ltd. 2023. All rights reserved. How to meet requirements with API GW Aggregation • This chapter considers how to meet requirements with API GW Aggregation, especially focusing on the API authorization perspective. • Minimum security (API authorization, OWASP Top 10) • Minimum impact on services provided to existing users API GW API API Authz Server own services API call API call API call issue token API GW API API Authz Server own services API call API call API call issue token remote work 3rd party apps outside the company API GW Aggregator API call API call API call API call
  • 17. 16 © Hitachi, Ltd. 2023. All rights reserved. ✔ ✔ ✔ How to meet requirements with API GW Aggregation • Minimum impact on services provided to existing users • API authorization of external applications in API GW Aggregator and that of each own services in individual API GW works with no problems because using their dedicated authz servers. API GW API API Authz Server own services API call API call API call issue token API GW API API Authz Server own services API call API call API call issue token remote work 3rd party apps API GW Aggregator (w/ WAF) Authz Server issue token API call API call
  • 18. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in individual API GW is complex.
    [Diagram: API calls from remote-work users and 3rd party apps pass through the API GW Aggregator (w/ WAF) and on to the individual API GWs.]
  • 19. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in individual API GW is complex.
        -> If the API GW Aggregator reuses the access token that the external app sends, the individual API GW needs to deal with tokens issued by multiple AS.
    [Diagram: the 3rd party app's API call (w/ access token) is forwarded by the API GW Aggregator (w/ WAF) as an "API call using the same access token"; the individual API GW, which also serves own services, "MUST deal with tokens issued by multiple AS."]
  • 20. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in individual API GW is complex.
        -> If the API GW Aggregator reuses the access token that the external app sends, the individual API GW needs to deal with tokens issued by multiple AS.
        -> We should avoid this situation because it extends the surface of possible attacks such as IdP mix-up attacks and may have an impact on own services.
    [Diagram: same as slide 19.]
  • 21. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in individual API GW is complex.
        -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
    [Diagram: the API GW Aggregator (w/ WAF) performs a "token exchange" with the individual API GW's Authz Server and makes the "API call using the different access token"; the individual API GW has to "deal with tokens issued by only one AS."]
  • 22. How to meet requirements with API GW Aggregation
    • Minimum impact on services provided to existing users
      • API authorization of external applications in individual API GW is complex.
        -> Instead, the API GW Aggregator exchanges tokens at each API GW's AS. (cf. RFC 8693 OAuth 2.0 Token Exchange)
        -> Token translation, such as exchanging lightweight access tokens*1 for more claims-packed access tokens, can be realized and can protect privacy.
    *1: an assertion-based access token w/o privacy information or a handle-based access token
    [Diagram: same as slide 21, with the external app's tokens labelled "lightweight access tokens".]
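The flow on slides 15 and 19 to 22, as an added example that is not part of the original slides: the individual gateway's AS accepts an RFC 8693 token-exchange request carrying the aggregator-issued token and issues its own token, and the individual gateway's validator pins exactly one issuer while checking audience, expiration and revocation. Assumptions: the issuer URLs, audience names and keys are constructed, HS256 with a shared demo key stands in for the asymmetric signatures and JWKS lookup a real deployment would use, and authentication of the aggregator at the token endpoint is omitted.

```python
import base64, hashlib, hmac, json, time

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"   # RFC 8693
ACCESS = "urn:ietf:params:oauth:token-type:access_token"    # RFC 8693
AGG_ISS, GW_ISS = "https://as.aggregator.example", "https://as.gw-a.example"  # constructed
AGG_KEY, GW_KEY = b"aggregator-as-demo-key", b"gw-a-as-demo-key"  # demo keys only

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_jwt(claims, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(key, head, body))}"

def verify_jwt(token, key, issuer, audience, revoked=frozenset(), now=None):
    """Accept a token only from the one pinned issuer; check aud, exp, revocation."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256" or claims.get("iss") != issuer:
        raise ValueError("untrusted issuer or algorithm")
    if not hmac.compare_digest(_mac(key, head, body), given):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:   # single-string aud only, for brevity
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims

def exchange(form, now=None):  # individual gateway's AS, RFC 8693 (simplified)
    if (form.get("grant_type") != GRANT or form.get("subject_token_type") != ACCESS
            or not form.get("audience")):
        raise ValueError("invalid_request")
    src = verify_jwt(form.get("subject_token", ""), AGG_KEY, AGG_ISS, "api-gw-aggregator", now=now)
    now = time.time() if now is None else now
    new = {"iss": GW_ISS, "aud": form["audience"], "sub": src["sub"],
           "scope": src.get("scope", ""), "exp": min(src["exp"], now + 60), "jti": "x-" + src["jti"]}
    return {"access_token": sign_jwt(new, GW_KEY), "issued_token_type": ACCESS,
            "token_type": "Bearer", "expires_in": int(new["exp"] - now)}
```

The exchanged token is short-lived and never outlives the subject token, so the individual gateway keeps a single trusted issuer and key while the external app's token stays at the aggregator.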
  • 23. How to meet requirements with API GW Aggregation
    • This API GW Aggregator can also be built with Keycloak and NGINX.
    [Diagram: NGINX Plus and Keycloak form the API GW Aggregator; Keycloak issues tokens and performs token exchange with each individual Authz Server. Annotation on NGINX App Protect (WAF): "protect each API individually using OpenAPI specs."]
  • 24. Contents
    1. Introduction to API Gateway Aggregation
    2. Security Considerations for API Gateway Aggregation
    3. Advanced use cases of API Gateway Aggregation
  • 25. Advanced use case: access to highly sensitive data
    • When publishing APIs that give access to highly sensitive data or that can be used to trigger highly important transactions, the system needs to support a highly secured OAuth profile such as the FAPI (Financial-grade API) security profile.
    [Diagram: the aggregator built with NGINX Plus (w/ NGINX App Protect) and Keycloak sits in front of the individual API GWs; one own service is labelled "provide highly sensitive data".]
  • 26. What is FAPI
    • The Financial-grade API (FAPI) security profile requires a high level of security based on OAuth 2.0, used as a protocol for "API Authorization", and OpenID Connect (OIDC), used as a protocol for "SSO". It defines secure usage of OAuth 2.0 and OIDC to apply to APIs in any market area.
    Specifications shown on the slide:
      • Financial-grade API Security Profile 1.0 Part 2: Advanced
      • RFC 7519: JSON Web Token (JWT)
      • RFC 7636: Proof Key for Code Exchange by OAuth Public Clients
      • RFC 6819: OAuth 2.0 Threat Model and Security Considerations
      • RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
      • RFC 6749: The OAuth 2.0 Authorization Framework
      • OpenID Connect Core 1.0
      • RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
      • RFC 9126: OAuth 2.0 Pushed Authorization Requests
      • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
  • 27. Advanced use case: access to highly sensitive data
    • To support FAPI, the authz server, the client application, and the resource server must all meet FAPI requirements.
      -> An API GW Aggregator built with Keycloak and NGINX can support FAPI.
    • Hitachi publishes a certified implementation of FAPI RP. https://github.com/Hitachi/hitachi-fapi-java
    [Diagram: same as slide 25.]
  • 28. Advanced use case: zero-trust network
    • To protect from a domino effect, where one compromised API compromises multiple other critical components, implement a zero-trust network.
    [Diagram: same topology as slide 25, with one API inside an own service marked "compromised API".]
  • 29. Advanced use case: zero-trust network
    • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
      -> Establish mTLS connections between the NGINX instances, and validate the access token (JWT) in cooperation with Keycloak.
    [Diagram: an NGINX instance sits in front of every API, and every hop is an "API call (mTLS + JWT)", including calls from the compromised API. Annotation: "Keycloak supports policy decision and policy administration".]
  • 30. Advanced use case: zero-trust network
    • To implement a zero-trust network, mutual TLS (mTLS) and JWT validation are the essential technologies.
      -> Complicated certificate management for mTLS is reduced by integrating with Vault.
    [Diagram: same as slide 29, with Vault added and every hop an "API call (mTLS)". Annotation: "real-time Vault certificate-issuing requests and the dynamic certificate-loading feature in NGINX Plus."]
  • 31. Other advanced use cases
    • There are many other advanced use cases. The following are for different types of clients.
      • For native apps, issue client credentials via the dynamic client registration endpoint.
      • For browser-based apps, behave as a BFF (backend for frontend), handling the full authz flow and managing tokens.
    [Diagram: same topology as slide 25.]
  • 32. Summary
    • We proposed “API GW Aggregation”
      • can expose APIs outside the company
        • with minimum security and
        • minimum impact on services provided to existing users.
      • the underlying technologies are OAuth2, WAF, and token exchange.
      • can be built with Keycloak and NGINX.
      • supports advanced use cases such as FAPI and zero-trust networks.
    Slides are available at https://www.slideshare.net/ssuserbeb7c0
  • 33. Trademarks
    • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries.
    • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries.
    • Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries.
    • NGINX and NGINX Plus are registered trademarks of F5, Inc. in the United States and other countries.
    • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.