With the explosion of APIs, it’s becoming more common for an application to consume a variety of different APIs, sometimes from different API providers. For example, consider a Single Page Application (SPA) that implements a shopping application for a retail operation. This SPA might call a shopping cart API, product information API, store location API, payment API and other APIs, which may be hosted by the organization itself or multiple third parties.
Deepen your knowledge of APIs and their unique security requirements.
Ideally, these APIs are all deployed with a common API gateway. (Granted, that doesn’t always happen, especially in large organizations where each API may be supported by different teams that have made architectural decisions—or just good old-fashioned political decisions—independent of one another.) To create a common API security model that spans all APIs advertised on an API gateway, let’s assume all endpoints require an OAuth 2 Access Token issued from a common identity provider and have the appropriate API security token checks in place.
Fundamental usage questions must be addressed regarding how the OAuth 2 access tokens are employed. One key question we explore in this blog post series is: Should the application obtain a single access token that is used against all APIs, use multiple access tokens where each has the limited information needed for a particular API, or do something in between?