Welcome to the deep dive. We're here to help you get really well informed on some of today's well most critical topics. And today we're plunging right into the digital nervous system of our modern world. APIs Application programming interfaces. I mean they are the invisible glue holding our digital lives together. Aren't they Your banking app, your smart thermostat, even websites. APIs are basically the new platforms for business innovation.
They power well almost every digital process you can think of. Butt and this is a big butt. With this huge reach comes a critical challenge. Security. It often lags behind the innovation curve, which makes APIs unfortunately prime targets for bad actors trying to get their hands on valuable business data think personal customer info, sensitive IP, you name it. Securing these digital gateways is just paramount. Imagine the nightmare right,
a single compromised API opening the floodgates. So today we're going to build a piece by piece that zero trust fortress you need. Or deep dive today is into cloud native data security. With OOF, we're drawing directly from the A. Riley book by Gary Archer, Judith Karr, and because Strosnovski over at Curity ab Our Mission to give you a shortcut a way to get truly well informed about securing modern cloud native apps, especially around authentication and authorization, those tricky bits.
Yeah, exactly, and the book really hammers home that specifically two point zero. It's it's more than just a standard protocol, you know, it's a powerful framework. It gives you the tools to protect that sensitive data, enforce dynamic access controls. But just reading this spec isn't enough. True mastery comes from using it to build a scalable, zero trust architecture.
So then this deep dive, we'll connect the dots right between digital identity and API security, not just what it is, but why it matters and crucially, how you actually deploy these solutions in modern cloud native setups. How you can externalize that complex security stuff away from your application code is actually less painful than you might think. It brings a lot of benefits.
Okay, So to really get why with is so important, though, maybe let's rewind a bit, take us back back to say twenty ten. What did API security even look like then? How limited was it?
Well? Right back then, yeah, it was a different world. If you were building something digital, it was likely a single website, mostly talking to a browser client. Users logged in with a user name of password, and the website gave them an authentication cookie. Simple, yes, but incredibly limited.
In scope, right, simple but brittle. So contrast that with today's API first reality. What's the single biggest challenge this shift created that, like the old cookie model just couldn't cope with.
It's the sheer distribution and the diversity of clients, that's the main thing. APIs aren't just internal plumbing anymore. They're actual business products. They get consumed by mobile apps, by single page web apps, IoT devices, other back end systems. The old cookie model it just couldn't scale. It couldn't authenticate users and authorize access across all those different contexts,
not consistently, not securely. This whole metamorphosis to digital natives, as the book calls it, it demands something more robust, more decentralized.
And that's the cue forth two point zero and open ady connect. Right, they were basically born to solve these modern complex problems.
Absolutely, they represent a really fundamental shift in how we think about securing access to valuable data. And oh, with two point zero it lets us implement this idea of zero trust security, which isn't just a buzzword. You know, it's a real shift away from just guarding the perimeter. It's about pervasive verification. The key insight OTH brings is
how it helps you operationalize zero trust. For APIs, you could externalize trust decisions, apply consistent authorization even inside your network. It dismantles that whole flawed idea that inside is safe. You have to authenticate and authorize every single caller, every request. External, internal doesn't matter.
Okay, So if the authorization server is the brain, the central controller, what's the actual currency it deals in? What does it issue to grant that access? What's at the very heart of oath.
That would be the access token. You could think of it as an API message credential. It's basically a powerful tech string. It carries permissions, It grants access to specific business data, and crucially this is really important. It must be designed for least privilege only the absolute minimum access needed for that specific client to do its job.
Limits the blast radius. If something goes wrong.
Exactly limits the blast radius. And the authorization server is the component that manages all this. It externalizes most of that low level security complexity away from your clients, away from your APIs. It handles authenticating the user if there is one, and then it issues that access token. Critically, it keeps the user's credentials, their password or whatever they use, completely separate from the client application.
Okay, for our listeners who are probably already using some of this stuff, let's dig into the recommended flows for getting these tokens. What's something that often gets maybe overlooked or misunderstood even when people are using best practices, Like the code flow with PKCE.
Right, the code flow with PKCE, that's PKCE proof key for code exchange is yeah, the absolute go to for pretty much any platform specific app dot, web, mobile, desktop. It's strong because the user logs in directly with the authorization server. The client app never sees the password that prevents credential theft by the client itself. But the really critical insight about PKCE. The code flow seems solid, but early on people found this subtle but really nasty vulnerability,
authorization code interception, especially on mobile. The genus of pkcees and just like a checksum, it's this clever cryptographic binding. It ties the authorization code specifically to the client session that started the flow that makes the interception attack basically impossible. So yeah, it's a small addition, but absolutely vital for securing public clients. Always use PKCE, Always use PKC.
Got it. What about other scenarios?
Well, for devices that don't have easy input, like smart TVs or maybe some I gadgets, there's the device flow looks the user authenticate on their phone or laptop instead. And then for machine to machine communication where there's no human user involved, like went back end API calling another, you use the client credentials flow. Important note those access tokens have no user data in them, They just authorize the client application itself, and finally you've got the refresh
token flow. This is how clients get fresh access tokens when the old ones expire, without forcing the user to log in again and again. The refresh token itself is usually opaque, kept confidential between the client and the authorization server.
Makes sense, so just as important. What should people actively avoid?
Oh? Definitely number one, avoid the password flow explicitly, don't use it. It completely breaks the oath model by giving the client the user's actual password. Big security risk.
Right undermines the whole point.
Exactly, also avoid the implicit flow. It is known security weaknesses like access tokens potentially ending up in browser history or server logs because they're in the URL fragment. Both of these are problematic enough that the upcoming O of two point one specifications actually moving them entirely. It's all about consolidating the current best practices.
Okay, so oheth gives us authorization what you can do, but often you also need to know who is doing it. How does open id connect or OIDC build on top of OTH to handle the identity part?
Right, That's a perfect way to put it. OIDC is an authentication layer built right on top of two point zero. Oh is about authorization. OIDC is about authentication who you are. It introduces a new type of token, the ID token. Now unlike the access token, which really should be treated as opaque by the client.
Meaning the client shouldn't try to read it.
Exactly, the client shouldn't parse the access token, but the ID token the client can and should parse it. It contains information about the user about the authentication event itself. You get claims like sub that's the user's unique subject identifier or maybe off time, which tells you when they last logged in. It's a really crucial distinction. ID token is for the client, who's the user access token is for the API. What can this request do?
And I think OIDC also provide something called the user info endpoint for more profile data.
Yes, that's another way. If the client needs more profile details about the user beyond what's in the ID token, it can use the access to open it received to make a call to the user info endpoint at the authorization server and fetch that data securely.
Okay, stepping back a bit, you mentioned two point one consolidating things. Are there other evolutions happening? Oh?
Yeah, the standard space is always moving. Two point one is about cleaning up and codifying best practices like we discussed. But looking further out you have emerging things like digital Credentials protocols or DCP. This is really interesting stuff. It allows users to manage their own identity attributes, think verifiable credentials in digital wallets on their devices, and these could potentially combine with ovos for authentication in the future, giving users much more control.
Fascinating. So we've got the concepts down oth authorization OIDC for identity access tokens, different flows. How do these pieces actually fit together in a modern cloud native architecture? How do you build that defensive posture.
It's really about separation of concerns, making each component do its job well. First, you have the authorization server. We've talked about it. It's the central brain identity management, user authentication, issuing tokens. It's designed to be adaptable, often extensible. Then usually have an API gateway. This acts as the front door to your APIs. It handles things like routing, rate limiting, maybe some basic checks, but critically it can also perform token termination.
Token termination. Okay, you mentioned that earlier, the phantom token pattern. It sounded really clever. Can you unpack how that helps optimize things?
Yeah, it's a great pattern. So the client application, maybe a mobile app or SPA, receives an opaque access token, just a random looking string confidential reveals nothing. The API gateway gets this opaque token, but instead of just passing it straight through to the back end API, it introspects it. That means the gateway makes a quick secure call back to the authorization server, saying eight is this token valid and what's inside it? If the authorization server says yep,
it's valid here the permissions and user info. The gateway then translates that opaque token into a JWT access token.
Ah a json web tooken right.
A self contained sign token, and that JWT is what gets sent to the upstream API. So you get the best of both worlds. The client gets confidentiality opaque token, the internal API gets a verifiable token JWT. It can validate locally, maybe check the signature, read the claims without needing another network hop back to the authorization server. Better performance, better security posture.
Overall, that is clever. Okay, so gateway handles entry and token translation. What about really fine grained permissions like this user can view reports but only for their own department.
Good question. That's where a policy engine comes in, often called an entitlement management system or EMS. This is where you define and enforce your detailed centralized access control policies externalize from your application code, which is key for consistency and manageability. You can implement different models here. Role based access control r BAC, attribute based access control ABAC, maybe even relationship based access control REBAC.
Can you give an example of a policy engine?
Sure a popular one in the cloud data space is Open Policy Agent ORPA. OPA is designed to run as a sidecar container right alongside your API service. Your API gets a request with that JWT access token we just talked about, it can then query its local OPA fied car hey based on the claims in this token, like user I, D department rolls, and the policy you have loaded. Is this user allowed to perform this specific action on this resource? OPA gives a yes no answer based on
the centralized policy. It's fast, it's local, and it makes your authorization logic highly auditible and easy to update without redeploying your main application code. Big win for security agility.
Okay, So summing up the responsibilities, the client gets the token securely and sends it the API gateway routes maybe does that phantom token translation, and the back end API uses the claims in the final token, possibly checking with a policy engine like OHPA to enforce the really specific business rules.
Exactly, a nice clean separation of concerns.
Let's zoom back in on the access token itself. You mentioned jatabts and opaque tokens. This choice seems pretty fundamental for listeners designing systems. What are the main tradeoffs or decision points when picking between these formats for different parts of the flow.
That's a really crucial architectural decision. Yeah, it boils down to a trade off between performance, verifiability, and confidentiality. So data bets they are by value tokens self contained. All the claims are right there inside the token itself protected by a digital signature. API is often like jatabts because they can verify the signature locally, check the expiry time, read the claims, all without calling back to the authorization server. That's good for performing.
There's always a butt.
The butt is that data bts are typically just signed, not encrypted, meaning anyone who gets hold of the token and can decode the payload part and read the claims inside. If those claims contain sensitive information maybe PII or internal details, Sending a raw DATABT directly to an untrusted client like a browser or mobile app can lead to information disclosure. Not ideal.
Okay, So jata BT's are readable. How do opaque tokens compare?
Opaque tokens are the opposite. They are by reference. They're just random high entropy strings like a secure section ID. Essentially, they act as a pointer, a reference back to the actual token data, which is stored securely on the authorization server, so they offer optimal confidentiality for the client. The client gets this random string, it reveals absolutely nothing sensitive if intercepted, no claims, no user info, nothing readable.
So the choice depends on who receives the token and what they need to do with it.
Precisely, you typically choose opaque tokens for any public or browser based clients to maximize confidentiality protect that data. But for back end server to server communication where the recipient is trusted and you want the performance benefit of local validation, a JWT might be perfectly fine, even preferred. And that's why patterns like the phantom token pattern or another one called the split token pattern are so valuable. They let you use opaque tokens externally and JWTs internally.
Breaking that gap makes sense beyond the format, how else can we harden these access tokens make them even more secure?
Several ways. First, if you are using JWTs, always use asymmetric signing algorithms like RS two five six or ES two five six. This means the authorization server signs with a private key and APIs verify with the corresponding public key, much better than sharing a symmetric secret key everywhere, which is harder to manage and rotate securely.
Okay, asymmetric signatures. What else?
Second, look into sender constrained tokens. This is a powerful technique. Technologies like MTLs, mutual TLS, or dep hot p demonstrating proof of possession allow you to cryptographically bind the access token to the specific client instance that requested it. So even if an attacker some how steals the token itself, they can't use it unless they also have the client's private key. It dramatically reduces the value of a stolen token.
Wow. Okay binding the token to the sender.
Yeah. And finally, the basics still apply. Rigorously enforce the principle of least privilege in the token's permissions, don't grant more access than absolutely necessary, and you short lived access tokens keep the expiry time low minutes, not hours or days. This minimizes the window of opportunity for an attacker if a token is compromised. Refreshed tokens can handle keeping the user session a live longer term.
Got it now? You mentioned browser based apps SPA's single page applications. They have unique challenges right particularly around storing tokens securely because of things like cross site scripting EXSS.
Oh absolutely, EXSS is a huge headache for spas. If an attacker can inject malicious JavaScript into your application page and you're storing your access tokens in somewhere JavaScript can reach, like local storage or session storage, then that malicious script can just grab the token and send it off to the attackers server. Game over.
So storing tokens local storage is a bad idea.
Generally, yes, very risky for spas due to EXSS. The recommended solution and it's become a pretty standard best practice now is to use a back end for front end or BFF.
Pattern BFF back end for frontend. How does that help?
The idea is your SPA doesn't handle the OOTH flow directly. Instead, you have a lightweight back end service, the BFF that serves your SPA static files and acts as the OOTH client itself. So the BFF talks to the authorization server, gets the access token and refresh token. Then crucially, the BFF encrypts these tokens and stores them in secure HTTP only cookies often with the same site strict attribute.
Set HTTP only, meaning JavaScript can't touch them exactly.
Http only cookies are inaccessible to JavaScript running in the browser, so even if an attacker manages an EXSS injection, they simply cannot read the tokens out of the cookie jar. The BFF manages the tokens, attaches them to outgoing API calls had refresh. The SPA itself never sees or handles the raw tokens. It dramatically reduces the impact of XSS on tokens theft, and the same site strict attribute helps
prevent cross set request forgery CSRF two. It's a really solid pattern for browser security.
Okay, that BFF pattern sounds essential for spas. Let's shift here slightly. We've talked a lot about the tokens and flows, but what about managing the authorization server itself? Especially in a cloud native world. This thing is critical infrastructure, right. How do you keep it running reliably and manage upgrades without downtime?
Absolutely critical. You treat it like any other Tier one service in your cloud environment. Reliability is paramount, so you leverage standard cloud native patterns first, high availability and clustering. You don't run just one instance. You run multiple instances, maybe as pods and Kubernetes, behind a load balancer or a Kubernetes service to distribute traffic. If one instance fails, others take.
Over makes sense redundancy. What about bigger failures, like a whole region going down.
That's where multi region deploys come in. For true disaster recovery, you run entirely separate, independent deployments of your authorization server in different geographical regions, maybe US East and US West, or across continents. You need data replication between them to keep user sessions and configurations in sync, and then you use something like Global Server load Balancing GSLB to direct users to the nearest healthy region with automatic failover if one region.
Becomes unavailable, okay, high availability, multi region. How do you actually push out updates or new configurations in this kind of setup without breaking things carefully?
Through robust deployment pipelines, You package your authorization server as a container image, You promote that image through standard environments dev, test, staging, and finally production. In production, you use deployment strategies that allow for zero downtime upgrades, things like rolling updates blue green deployments or Canary releases. This lets you gradually introduce the new version, monitor it, and crucially quickly roll back or downgrade if any problems show up.
And what about when things do go wrong? How do you figure out what's happening quickly?
Good point troubleshooting is key. The authorization server needs excellent observability features. That means providing useful, specific error responses, not just generic failures. Integrating with distributed tracing systems like open telemetry is huge. Every request should get a unique trace ID that flows through the authorization server, the API gateway, and your back end APIs.
So you can follow a single request across the whole system exactly.
It makes pinpointing issues much faster. You also need detailed technical logs for debugging and comprehensive audit logs for security and compliance purposes. Who logged in, what tokens were issued, any config changes, and of course good monitoring and alerting on key metrics to spot potential threads or performance issues early.
Okay, that covers securing access and operating the server. Let's turn to the very beginning of the flow, the user proving who they are user authentication. It feels like we've moved way beyond just passwords.
These oh definitely the landscape there is exploded, which is great for both security and hopefully user experience. And again, the beauty of modern flows like the ODC code flow is that this complexity is largely externalized to the authorization server. The client application just initiates the flow. The authorization server then orchestrates whatever authentication method or methods are needed for that user or context. The client doesn't really need to
know the specifics. The goal is consistency for the APIs downstream. They should get a reliable, verified subclaim user ID in the token, regardless of how the user actually proved their identity.
So the API doesn't need to care if I used a password or my fingerprint or a magic link. As long as the authorization server vouches for me with a consistent ID, that is powerful. Let's talk about some of those methods. What's exciting there.
Well, the big push is towards phishing resistant methods. Top of the list there is passkeys built on the web. Often, standard pass keys are a huge leap forward. They're typically bound to a user's device, often secured by biometrics like face ID or fingerprint or a device, passing their scope to specific domains, making them highly resistant to phishing attacks, much much better than passwords.
Okay, pass keys are the gold standard. What else is common?
You still see one time passwords OTP quite a bit delivered via email, SMS or generated biauthenticator apps. They're better than just a password, but generally not considered phishing resistant. Social logins or using external identity providers like login with Google or log in with Azure D are popular for convenience, though you need to manage things like mapping those external
identities to your internal user accounts. For scenarios requiring higher assurance about the user's real world identity, you get into identity proofing processes, and as we mentioned, digital credentials protocols DCP are emerging here, allowing users to present verified attributes, and most good authorization servers are extensible, allowing you to plug in custom user authentication methods. If you need to integrate with, say a legacy database or a very specific internal system, that's.
A lot of options. Are there also techniques for combining these or making the experience smarter?
Yes, absolutely, Several key user authentication techniques layer on top of the methods Multi factor authentication MFA is probably the most well known. Combining two or more different types of factors. Something you know, password, something you have OTP device, phone, something you are biometric provides much stronger security than any single factor alone.
Right, MFA is crucial.
Then there's step up authentication. This is a really neat dynamic technique. Instead of forcing high security on the user all the time, you might let them log in with something simple initially, but if they try to access a particularly sensitive resource or perform a high privilege operation, the API can signal back to the authorization server, Hey, I need stronger proof for this user. The authorization server can then trigger an MFA challenge, maybe ask for a pass
key verification just for that sensitive step. It balances security and user experience nicely.
Clever friction only one needed exactly.
You also have single sign on SSO, which aims to reduce how often users need to log in across different applications. Account linking helps manage identities when users authenticate via multiple external providers, and advanced systems allow authentication actions and selection logic basically custom rules to decide which authentication methods to offer or require based on user type, location, device posture, risk score or other contextual factors tailoring the experience.
And all of this from the first time a user signs up, maybe self service through password resets or account recovery, all the way to eventually decommissioning their account. That whole life cycle is managed by the authorization server.
That's the goal. Yes, Centralizing that entire user authentication life cycle management within the authorization server provides consistency, security, and auditability.
Wow, Okay, what an incredible journey we've been on. We started with why we even need something like go out in this API driven world. We dug into the core bits like access token and flows PKCE. Then we looked at the architecture of the authorization server API gateway policy engines that cool phantom token pattern. We talked JWT's versus opaque hardening tokens, protecting spas with BFFs, dot covered, operating the authorization server reliably in the cloud, and finally explore
the whole universe of modern user authentication beyond passwords. That was a lot.
It really ties together though a well designed ooth and open ID connect implementation when you combine it with these cloud native patterns like gateways policy engines and reliable operations. It truly enables a powerful, scalable and secures zero trust architecture.
The core themes are externalizing that complex security logic, rigorously applying these privilege staying adaptable with things like step up OFF, and just generally keeping pace with both the evolving threats and what users expect in terms of experience.
So for everyone listening, as you continue to build and innovate in this digital world, really consider how adopting these standards, creating what the book calls an unforgeable least privilege API message credential, how that can fundamentally transform the trust and the security posture around your business data, your user interactions. What new possibilities does having this kind of robust, scalable security foundation actually unlock for your next big digital initiative.
Something to think about,