API Integration and security


Praveen Inja

Apr 17, 2021, 5:30:54 PM
to Hypermedia Web

[Attachment: OAUTH integration and API security.bmp]
Above are a couple of high-level integration options, in general, for Partner and MyBusiness integration (OIDC and API consumption).

Questions:
1) For Option 1, what would be the best practices around securing My Business API? 

2) For Option 2, what would be the best practices around securing My Business API?

3) In general, which option is more preferred when it comes to partner and myBusiness integration?

Thanks much for your feedback!

Best,
Praveen.

mca

Apr 17, 2021, 7:34:54 PM
to hyperme...@googlegroups.com
Praveen:

not sure what you're aiming for but here are a few comments:

It looks like you're moving the trust boundary here. in the first example, the app needs to validate both the app and the user identities (via OKTA) before exchanging messages w/ the "MyBusiness" service. in the second example, it looks like there is some implicit trust between the app and some intermediate layer (labeled "partner mobile app" in the diagram, but i think you mean something else?) and this secondary layer needs to validate w/ OKTA before passing *that* token to your mobile app.

if i have this right, i don't recommend the second option. in fact, i'm not even sure the second option is valid (a middleware component getting the OKTA token and passing that token to some other app that then replays the token to your MyBusiness component). and even if it does work, it seems very insecure (why does your service trust some app that has not talked to OKTA but is using an OKTA token?)

in my work, any app that wants to talk to one of my services, needs to do their own validation work and pass the results to my service where my service validates against the IDP before anything else happens. 

hope this helps.

Mike Amundsen


Praveen Inja

Apr 17, 2021, 8:33:28 PM
to Hypermedia Web
Sorry. Looks like I had a typo in option #2. Below is the updated diagram:

Option 2 is what some folks on my end are wanting to move forward with, as:
i) all the calls coming from the partner mobile app (not our mobile app / a less trusted app) can come via the Partner's backend server, so that it will help enforce IP source restriction.
ii) Another reason they are pushing for option 2 is that the partner backend server can now sign every request with an HMAC signature that MyBusinessService can validate.

[Attachment: OAUTH integration and API security.bmp]

mca

Apr 18, 2021, 12:10:49 AM
to hyperme...@googlegroups.com
others on this list might have a more solid security background than I (quite likely) so, take my comments in that light.

if you want to set up a trust relationship w/ the partner backend server, that's fine. but i'd keep the trust relationship limited to the partner/business connection. 
that means i would not take any responsibility for trusting the mobile app that talks to the partner server -- that would be up to the partner to work out.
Mike Amundsen


Praveen Inja

Apr 18, 2021, 12:55:40 AM
to Hypermedia Web
Thanks Mike for your feedback.

My preference is to not do option 2 as it causes additional work for partners.
I am trying to understand if Option 1 is used by others and how option 1 addresses some of the security concerns like DDoS etc. (Option 2 lets you solve DDoS via IP source restriction as all the calls come from a selected set of partner backend servers.)

mca

Apr 18, 2021, 8:02:01 AM
to hyperme...@googlegroups.com
DDoS is still possible from mobile apps to the partner backend. you can mitigate DDoS by using api-keys for mobile apps and inspect/throttle traffic at an API gateway that sits in front of your MyBusiness server.

Mike Amundsen