Securing APIs Using SecureDB Encrypted Identity Manager

So, you are building a new RESTful APIs and want your customers to build against these APIs. Or you have an appliance that you will ship to customer location which will call your APIs routinely.

In both of these scenarios, you want your customers (who are API clients) to authenticate before invoking protected APIs. Plus you also want to ensure that proper access control (authorization) is in place to ensure that the API clients can only call APIs they are authorized to invoke. In case of multi-tenant APIs, you also want to ensure that data is completely segregated.

SecureDB’s Encrypted IdM can act as Identity server for your APIs, saving you time and bringing in efficiency. This post delves into how to protect your APIs.

Using SecureDB Encrypted IdM to protect APIs

API Client is a RESTful API client written to consume Your REST APIs. With SecureDB (Encrypted) Identity Manager (IdM) managing your API keys and other customer information Your REST APIs calls SecureDB (Encrypted) Identity Manager (IdM) to authenticate the API Client or to make authorization decisions.

Create API Keys

For every new customer, you may issue one or more API Keys (that is API Key and API Secret combination). This can be done by simply calling the /quickregister API as shown below.

Note: The URL will be different if you are using SecureDB Enterprise, our on-prem solution.

In the snippet above, we just created API Key and API Secret in SecureDB’s Encrypted IdM. You can pass this to your customer in a secure way. In a real life scenario, you may have a portal that let’s your customers download their API Key and API Secret. In that case, your portal would call the /quickregister API to create credentials. This API’s response has the UUID of the API Key:

Client Authentication

Let’s assume that your APIs require your API clients to authenticate. You could ask your API clients to send API Key and API Secret combination during every call. If that’s the case, from your API code, simply pass the API Key and API Secret to be validated against SecureDB’s Encrypted IdM.

If the authentication is successful, SecureDB Encrypted IdM will send back 200 OK response. This will be your indication that you can serve the client’s request.

Instead of asking your API client to send API Key and API Secret with every request, you could ask the client to send pair only the first time. You could use the above API to authenticate the request, but instead return a JSON Web Token (JWT) to your API client. SecureDB Encrypted IdM supports JWT and can be used to authenticate subsequent API requests.

To make SecureDB Encrypted IdM return JWT upon authentication, simply call the /authentication method without the Authorization header. The JWT is returnd by SecureDB Encrypted IdM as part of response header:

You can pass this JWT to the API client and expect the client to send this token as part of every request. By default, this JWT is valid for 60 minutes (this time is configurable). Now, when your API client sends this JWT back to you, you can check the validity of the JWT yourself. To do this, you need to be able to make sure that the JWT was not tampered by the API client. In order to validate, you need to get the secret key that was used to construct the JWT signature. The secret key would act as a shared secret between your APIs and SecureDB Encrypted IdM.

Client Authorization

Now, let’s add authorization (access control) into the mix. SecureDB Encrypted IdM supports Roles and hence can aid you in implementing effective Role Based Access Control (RBAC).
Let’s now add a role to the API Key created earlier:

Now the API Key you issued earlier has a Role associated called admin. Now, let’s assume you want a certain API of yours to be accessible only by customer API Keys that have the Role called admin. You’ll be glad to know that SecureDB Encrypted IdM puts the Role into the JWT payload. So, after you validate the incoming JWT, you can pull the Role from JWT and make your authorization decision.

Lock the API Key

Now, let’s say one of your API client is misbehaving. Or hasn’t paid you money and you want to lock the API Key temporarily. This is easy too:

All the subsequent authentication calls will fail until you unlock your customer’s API key. Similarly you can delete the API Key too. For a full list of APIs available, click here. To try the APIs, use our API Playground tool.

Summary

In short, SecureDB Encrypted IdM can not only be used as a secure Identity Manager for your Web applications. It can also form the back bone of your API strategy. Your APIs have the same Identity Management requirements as your Web applications. This is where SecureDB Encrypted IdM shines.

Securing APIs Using SecureDB Encrypted Identity Manager

Leave a Reply

Your email address will not be published. Required fields are marked *