Three Approaches for OAuth 2 Access Token Usage One key question we explore in this blog post series is: Should the application obtain a single access token that is used against all APIs, use multiple access tokens where each has the limited information needed for a particular API, or do something in between? (Granted, that doesn’t always happen, especially in large organizations where each API may be supported by different teams that have made architectural decisions-or just good old-fashioned political decisions-independent of one another.) To create a common API security model that spans all APIs advertised on an API gateway, let’s assume all endpoints require an OAuth 2 Access Token issued from a common identity provider and have the appropriate API security token checks in place.įundamental usage questions must be addressed regarding how the OAuth 2 access tokens are employed. Ideally, these APIs are all deployed with a common API gateway. This SPA might call a shopping cart API, product information API, store location API, payment API and other APIs, which may be hosted by the organization itself or multiple third parties. For example, consider a Single Page Application (SPA) that implements a shopping application for a retail operation. With the explosion of APIs, it’s becoming more common for an application to consume a variety of different APIs, sometimes from different API providers.
0 Comments
Leave a Reply. |