3. Gateway Pattern - Benefits
• Decouple clients from the actual API implementation
• No point-to-point connections
• Centralized security enforcement
• Centralized auditing & monitoring
• Version controlling
8. TLS Mutual Authentication
§ Gateway itself does the certificate validation
§ Fine-grained access validations can be done by the authorization server.
curl -k --cert client.pem https://localhost:8443/recipe
(--cert presents the client certificate that the gateway validates; -k skips verification of the gateway's own server certificate and is only acceptable against a local test instance such as this localhost:8443 one.)
18. OAuth & XACML
§ A given access token has a scope associated with it, and the scope governs the access token's capabilities.
§ A user delegates access to his Facebook profile to a third party under the scope "user_activities". This provides access to the user's list of activities via the activities connection. To achieve fine-grained access control, this can be represented in an XACML policy.
§ token=gfgew789hkhjkew87
resource_id=GET https://graph.facebook.com/prabathsiriwardena/activities
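As an added example (not from the original slides), one way to express the rule above as an XACML 3.0 policy: a GET on a user's activities connection is permitted only when the token's scopes include user_activities, and everything else under the policy is denied. It assumes the gateway introspects the token and passes the resulting scope values as the subject attribute urn:example:oauth:scope (a name chosen here, not a standard identifier), the URL as the standard resource-id and the HTTP method as the standard action-id.

```xml
<!-- Example policy added for illustration; attribute urn:example:oauth:scope is assumed -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="facebook-activities-scope-policy"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Permit reading a user's activities connection only with scope user_activities</Description>
  <!-- Policy applies to any resource of the form https://graph.facebook.com/{user}/activities -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://graph\.facebook\.com/[^/]+/activities</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-get-activities-with-scope" Effect="Permit">
    <!-- Rule applies only to the GET action -->
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- Permit only if the bag of token scopes (assumed attribute) contains user_activities -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user_activities</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             AttributeId="urn:example:oauth:scope"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="false"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- deny-unless-permit: a POST, or a token lacking the scope, yields Deny rather than NotApplicable -->
</Policy>
```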
24. User Managed Access
• PAT (Protection API Token): Token issued to the Resource Server to access the Protection API (Authorization Server) with the approval of the Resource Owner.
• AAT (Authorization API Token): Token issued to the Client to access the Authorization API (Authorization Server).
• RPT (Requesting Party Token): Token issued to the Client by the Authorization Server to access the Protected Resource on behalf of the Requesting Party.