Source: excerpt from the Wikipedia (the free encyclopedia) article "API Security".

API security entails authenticating the programs or users that invoke an API. With the ease of API integration comes the hard part: ensuring proper AUTHN (authentication) and AUTHZ (authorization). In a multi-tenant environment, security controls must restrict each consumer to exactly the access it needs, based on proper AUTHN and AUTHZ. Appropriate AUTHN schemes let producers (APIs or services) reliably identify consumers (clients or calling programs) and then evaluate their access level (AUTHZ). In other words: may this consumer invoke this particular method (business logic), given the credentials it presented?

"Interface design flaws are widespread, from the world of crypto processors through sundry embedded systems right through to antivirus software and the operating system itself."

== Methods of authentication and authorization ==

The most common methods of authentication and authorization are:

# Static strings: password-like secrets (API keys) that the API issues to each consumer and that the consumer presents unchanged on every call.
# Dynamic tokens: time-limited tokens that the caller obtains from an authentication service and that the API verifies on each call.
# User-delegated tokens: tokens, such as OAuth access tokens, that are issued after a user authenticates and grants the calling program access on the user's behalf.

These methods offer different levels of security and ease of integration. Often the easiest method to integrate also has the weakest security model: a static string never expires, is the same on every call and identifies only the calling program, whereas a short-lived or user-delegated token bounds the damage from a leak and can carry the scope it was issued for.
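The following is an added example, not code from the Wikipedia article, showing how a producer can support the first two schemes above (a static API key and a signed, expiring dynamic token) and then apply a separate AUTHZ check before invoking the method. The key value, the signing key, the client names and the scope names are constructed for the demo; the token format (base64url JSON payload plus an HMAC-SHA256 tag) is one simple choice, not a standard the article names. A user-delegated token would be verified along the same path as the dynamic token, with the user's identity carried in the payload.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secrets. A real service loads these from a secret store,
# never from source code.
STATIC_API_KEYS = {
    "k_0123456789abcdef": {"client": "inventory-sync", "scopes": {"orders:read"}},
}
TOKEN_SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authenticate_static_key(presented: str):
    """Scheme 1, static string. Compare in constant time so response timing
    does not leak how many leading characters of the key were correct."""
    for key, principal in STATIC_API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            return principal
    return None


def issue_dynamic_token(client: str, scopes, ttl: int, now=None) -> str:
    """Scheme 2, what the authentication service hands the caller: a token
    bound to a client, a scope list and an absolute expiry, then signed."""
    now = int(time.time()) if now is None else now
    payload = {"sub": client, "scope": sorted(scopes), "exp": now + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def authenticate_dynamic_token(token: str, now=None):
    """Verify the signature before trusting any field, then check expiry.
    Returns the principal (client + scopes) or None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        presented_tag = _b64url_decode(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_tag):
        return None
    payload = json.loads(_b64url_decode(body))  # safe: signature verified
    if payload["exp"] <= now:
        return None
    return {"client": payload["sub"], "scopes": set(payload["scope"])}


def authorize(principal, required_scope: str) -> bool:
    """AUTHZ: may this authenticated consumer invoke this method?"""
    return principal is not None and required_scope in principal["scopes"]


def handle_request(headers: dict, method_scope: str, now=None):
    """Dispatch on the credential type presented. Returns (status, reason):
    401 when AUTHN fails, 403 when AUTHN succeeds but AUTHZ fails."""
    auth = headers.get("Authorization", "")
    if auth.startswith("ApiKey "):
        principal = authenticate_static_key(auth[len("ApiKey "):])
    elif auth.startswith("Bearer "):
        principal = authenticate_dynamic_token(auth[len("Bearer "):], now)
    else:
        return 401, "no credentials"
    if principal is None:
        return 401, "authentication failed"
    if not authorize(principal, method_scope):
        return 403, "authenticated but not authorized for " + method_scope
    return 200, "ok for " + principal["client"]


if __name__ == "__main__":
    tok = issue_dynamic_token("mobile-app", {"orders:read", "orders:write"}, ttl=300)
    print(handle_request({"Authorization": "Bearer " + tok}, "orders:write"))
    print(handle_request({"Authorization": "ApiKey k_0123456789abcdef"}, "orders:write"))
```

Note the order of checks in `authenticate_dynamic_token`: the HMAC tag is verified before any field of the payload is parsed or trusted, and the expiry is compared against the server's clock, so a leaked token stops working on its own. The static key has no such bound; the only way to revoke it is to delete it from `STATIC_API_KEYS`.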