This repository has been archived by the owner on Nov 13, 2021. It is now read-only.

Provide guidance on security #83

Open
MassimoC opened this issue Jan 23, 2019 · 5 comments

Comments

@MassimoC
Collaborator

MassimoC commented Jan 23, 2019

Secure the API access
+ Apikey
+ Ip Filtering
+ Certificate
+ OAuth token (from IDP)
+ MSI (managed identity)
+ ...

@fgheysels
Contributor

I'm trying to put my 2 cents here, don't shoot if I get it wrong :)

  • I would see the protection of an API with an API key and with IP filtering in combination with APIM, where you secure the API via IP filtering so that it can only be called via APIM.

  • How far do you want to go for the Certificate security (I suppose you're talking about mutual authentication here)? I think this is something that will eventually end up in Arcus, so are you going to refer to Arcus here?

  • I think it is a good idea to set up a sample on how to protect the API using IdentityServer. Have a client application that consumes the client; allow the user to log in and have maybe different roles, so that certain operations are allowed by role X and others not?

@tomkerkhove
Contributor

Those sound like good suggestions if you ask me, but personally I would split this item into an issue per type of security and take it piece by piece and determine the maturity level per approach.

Agree on all of the above, where API key and IdentityServer would be most important to me.

@MassimoC
Collaborator Author

MassimoC commented Mar 9, 2019

Following the proposal of Frederik, can the guideline be something like this?

If you need to limit access to the API

  • use a Shared Access Key (API key) + IP filtering
  • if X509 client authentication is required, use Arcus
  • if there is already an authorization server in place, consider using OAuth2 with the client_credentials flow

If you need to give access to one or more applications on behalf of users

  • use OAuth2 (access token) with scope validation at operation level (e.g. scopes order:read, order:modify)
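The two branches of the guideline above, as an added example for this thread (not Arcus code and not a snippet from the project): the "limit access" branch as a shared access key checked in constant time plus an IP allow-list on one route branch, and the "on behalf of users" branch as bearer-token validation with one authorization policy per operation-level scope (order:read, order:modify). It assumes ASP.NET Core 6 or later with the Web SDK implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer URL, audience, subnet, header name, route paths and the OpsApiKey configuration key are placeholders.

```csharp
// Added example for this thread; not Arcus code. Assumes ASP.NET Core 6+ (Web SDK implicit usings)
// and the Microsoft.AspNetCore.Authentication.JwtBearer package. Issuer, audience, subnet, header
// name, routes and configuration key below are placeholders.
using System.Buffers.Binary;
using System.Net;
using System.Net.Sockets;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// "On behalf of users": accept access tokens from the existing authorization server.
// Issuer, signature, expiry and audience are validated by the handler before any scope check runs.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.example.invalid/"; // placeholder authorization server
        options.Audience = "orders-api";                      // placeholder API identifier
    });

// One policy per operation-level scope, so each endpoint names exactly the scope it needs.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("order:read", p => p.RequireAssertion(ctx => HasScope(ctx.User, "order:read")));
    options.AddPolicy("order:modify", p => p.RequireAssertion(ctx => HasScope(ctx.User, "order:modify")));
});

var app = builder.Build();

// "Limit access": shared access key + IP filtering, applied only to the /ops branch.
// The key should come from a secret store through configuration; the fallback literal is for the example only.
byte[] expectedKey = Encoding.UTF8.GetBytes(app.Configuration["OpsApiKey"] ?? "example-only-do-not-ship");
const string AllowedCidr = "10.0.0.0/8"; // placeholder: the API gateway's egress subnet

app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments("/ops"), branch =>
{
    branch.Use(async (ctx, next) =>
    {
        // Reject traffic that bypassed the gateway. RemoteIpAddress is the socket peer; only trust
        // X-Forwarded-For if the ForwardedHeaders middleware is configured with KnownProxies/KnownNetworks.
        var remote = ctx.Connection.RemoteIpAddress;
        if (remote is null || !InIPv4Subnet(remote, AllowedCidr))
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        // Constant-time comparison so response timing does not leak how many leading bytes matched.
        byte[] presented = Encoding.UTF8.GetBytes(ctx.Request.Headers["x-api-key"].ToString());
        if (!CryptographicOperations.FixedTimeEquals(presented, expectedKey))
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        await next(ctx);
    });
});

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/ops/health", () => Results.Ok("ok"));                 // key + IP filter only
app.MapGet("/orders/{id}", (string id) => Results.Ok(new { id }))
   .RequireAuthorization("order:read");                            // token carrying order:read
app.MapPut("/orders/{id}", (string id) => Results.NoContent())
   .RequireAuthorization("order:modify");                          // token carrying order:modify

app.Run();

// RFC 6749 scopes arrive as one space-delimited "scope" claim; some identity providers emit
// one claim per scope instead. Both shapes are handled here.
static bool HasScope(ClaimsPrincipal user, string required) =>
    user.FindAll("scope")
        .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
        .Contains(required, StringComparer.Ordinal);

// Minimal IPv4 CIDR match: IPv4-mapped IPv6 peers are unwrapped, native IPv6 peers are rejected.
static bool InIPv4Subnet(IPAddress address, string cidr)
{
    if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
    if (address.AddressFamily != AddressFamily.InterNetwork) return false;

    string[] parts = cidr.Split('/');
    uint ip = BinaryPrimitives.ReadUInt32BigEndian(address.GetAddressBytes());
    uint net = BinaryPrimitives.ReadUInt32BigEndian(IPAddress.Parse(parts[0]).GetAddressBytes());
    int bits = int.Parse(parts[1]);
    uint mask = bits == 0 ? 0u : uint.MaxValue << (32 - bits);
    return (ip & mask) == (net & mask);
}
```

The IP check runs before the key check so a request from outside the gateway subnet never reaches the key comparison, and the scope policies sit on top of the normal bearer validation (issuer, audience, expiry) rather than replacing it. If IP filtering is not possible in a given deployment, drop the subnet check and keep the constant-time key comparison; the scope policies are unaffected.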

@tomkerkhove
Contributor

This assumes that you have an API gateway, which is not always the case. I personally find IP filtering a more advanced scenario as this is not always possible.

In terms of Shared Access Key & X509 client authentication, I would start with Shared Access Key and if there is a strong requirement and/or a gateway present use X509 client authentication instead.

Tagging Arcus Security issues for observability:

@tomkerkhove
Contributor

Attributes are now available btw

@tomkerkhove tomkerkhove assigned gverstraete and unassigned fgheysels Aug 30, 2019
4 participants