NREL / api-umbrella

Open source API management platform
MIT License
2.01k stars 325 forks

Alternatives to key-based authentication? #202

Open brylie opened 8 years ago

brylie commented 8 years ago

We are considering how to authenticate API requests with methods other than API keys. What are the possibilities for API Umbrella to authenticate API proxy requests via additional methods? E.g. OAuth2, OpenID Connect, or SAML?

brylie commented 8 years ago

@kyyberi, will you please expand on this question?

GUI commented 8 years ago

OAuth2 is probably the one that has come up most frequently for us in conversations, but we haven't had any concrete use-cases on our end (e.g., which flow, two-legged vs three-legged), so that's why we've stuck to API keys. But it should definitely be possible to implement these other strategies as alternative middlewares (here's our API key middleware for reference). So while we don't currently have plans to implement other strategies ourselves, that may change, and in the meantime we'd also certainly welcome contributions in this area.

kyyberi commented 8 years ago

The idea is to take the burden off smaller public sector organizations in Finland. At the moment they have some APIs, but no API management, let alone low-barrier API authentication.

At the moment the public sector has funded development of SSO for the UX level (I'm Product Owner). It's called MPASS, code on GitHub: https://github.com/Digipalvelutehdas/MPASS-proxy The readme.md on GitHub is still in Finnish but most of the rest is in English. In MPASS user attributes are handled securely at the government-maintained server to avoid confidential information about children being given to Google or similar.

The plan is to reuse MPASS components as an API auth solution as well. More precisely, to ramp up another MPASS instance for API auth. In the first phase we just authenticate APIs and leave attribute data out. In future we will collect organization/user attribute data via the national data exchange layer (X-Road) from registries. We have customer cases already from different cities and a few government-level organizations such as the National Board of Education.

I need to ask use case owners whether they need a 3-legged or 2-legged process. Don't know how to open up the cases without additional questions. I'm more than happy to provide more info if needed.

One more auth for API would be JSON Web Token.
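To make the "alternative middlewares" idea from GUI's comment and the JWT suggestion above concrete, here is an added example that is not part of this thread and not API Umbrella's own code: a small pluggable authentication chain in Python (stdlib only) with two strategies, the existing key-in-header approach and an HS256 JSON Web Token check. The header names, the `VALID_API_KEYS` table, the shared secret and the issued tokens are constructed for the example. The gateway asks each strategy in turn; the first strategy that recognises a credential it is responsible for decides the outcome, so an invalid API key is rejected rather than falling through to the next strategy.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, NamedTuple, Optional

# Constructed sample data for this example only (not real API Umbrella config).
VALID_API_KEYS: Dict[str, str] = {"demo-key-123": "brylie-demo-app"}
JWT_SECRET: bytes = b"constructed-shared-secret-for-the-example"


class AuthResult(NamedTuple):
    applied: bool              # the strategy saw a credential it is responsible for
    principal: Optional[str]   # identity when that credential verified, else None


Strategy = Callable[[Dict[str, str]], AuthResult]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, ttl_seconds: int) -> str:
    """Mint a compact HS256 token. Only here to produce inputs for the check below."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "exp": int(time.time()) + ttl_seconds}
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(JWT_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def api_key_strategy(headers: Dict[str, str]) -> AuthResult:
    """Key-based strategy: an X-Api-Key header is looked up in the key table."""
    key = headers.get("X-Api-Key")
    if key is None:
        return AuthResult(applied=False, principal=None)   # not our credential
    return AuthResult(applied=True, principal=VALID_API_KEYS.get(key))


def jwt_strategy(headers: Dict[str, str]) -> AuthResult:
    """Bearer-token strategy: pin the algorithm, verify the HMAC, then check exp."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return AuthResult(applied=False, principal=None)
    token = auth[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Refuse anything but the one algorithm we issued; never trust "alg" blindly.
        if header.get("alg") != "HS256":
            return AuthResult(applied=True, principal=None)
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return AuthResult(applied=True, principal=None)
        claims = json.loads(b64url_decode(payload_b64))
        # Signature verified: now enforce expiry before trusting any claim.
        if int(claims["exp"]) <= int(time.time()):
            return AuthResult(applied=True, principal=None)
        return AuthResult(applied=True, principal=str(claims["sub"]))
    except (ValueError, TypeError, KeyError):
        # Malformed segments, bad base64/JSON, or missing claims all mean "reject".
        return AuthResult(applied=True, principal=None)


DEFAULT_STRATEGIES: List[Strategy] = [api_key_strategy, jwt_strategy]


def authenticate(headers: Dict[str, str], strategies: List[Strategy] = DEFAULT_STRATEGIES) -> Optional[str]:
    """Return the caller's identity, or None when no strategy accepts the request."""
    for strategy in strategies:
        result = strategy(headers)
        if result.applied:
            # The first responsible strategy decides; a bad credential does not fall through.
            return result.principal
    return None


if __name__ == "__main__":
    print(authenticate({"X-Api-Key": "demo-key-123"}))
    print(authenticate({"Authorization": "Bearer " + issue_token("city-demo", 3600)}))
    print(authenticate({"Authorization": "Bearer " + issue_token("city-demo", -10)}))
```

Adding OAuth2 or OpenID Connect in this shape would mean another strategy that validates the access or ID token against the issuer (with its published keys rather than a shared secret) and returns an `AuthResult`; the chain and the "first responsible strategy decides" rule stay the same.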