Provide guidance on security

Codit / practical-api-guidelines

Practical guidelines for building & designing APIs with .NET.

MIT License

16 stars 5 forks source link

Provide guidance on security #83

Open MassimoC opened 5 years ago

MassimoC commented 5 years ago

Secure the API access

Apikey
Ip Filtering
Certificate
OAuth token (from IDP)
MSI (managed identity)
...

fgheysels commented 5 years ago

I'm trying to put my 2 cents here, don't shoot if I get it wrong :)

I would see the protection of an API with an API key and with IP filtering in combination with APIM, where you secure the API via IP filtering so that it can only be called via APIM.
How far do you want to go for the Certificate security (I suppose you're talking about mutual authentication here) ? I think this is something that will eventually end up in Arcus, so are you going to refer to Arcus here ?
I think it is a good idea to set up a sample on how to protect the API using IdentityServer. Have a client application that consumes the client; allow the user to login and have maybe different roles so that certain operations are allowed by role X and others not ?

tomkerkhove commented 5 years ago

Those sound like good suggestions if you ask me, but personally would split this item into an issue per type of security and take it piece by piece and determine the maturity level per approach.

Agree on all of the above where api key and identity server would be most important to me

MassimoC commented 5 years ago

Following the proposal of Frederik, can the guideline be something like this?

If you need to limit the access to the API

use a Shared Access Key (api key) + IP filtering
If it's required to use X509 client authentication, use Arcus.
If there is already an authorization server in place, consider to use OAuth2 with client_credentials flow

If you need give access to one or more applications on behalf of users

use OAuth2 (access token) with the scope validation at operation level (e.g. scopes order:read, order:modify)

tomkerkhove commented 5 years ago

This assumes that you have an API gateway, which is not always the case. I personally find IP filtering a more advanced scenario as this is not always possible.

In terms of Shared Access Key & X509 client authentication, I would start with Shared Access Key and if there is a strong requirement and/or a gateway present use X509 client authentication instead.

Tagging Arcus Security issues for observability:

X509 client authentication - https://github.com/arcus-azure/arcus.webapi/issues/31
Shared Access Key - https://github.com/arcus-azure/arcus.webapi/issues/12

tomkerkhove commented 4 years ago

Attributes are now available btw