3 Solutions for Securing Complex API Ecosystems
On this page

Most companies rely on APIs these days. But if small APIs are easily managed and protected, more complex ones need different approaches. As API complexity grows, security solutions should also be developed to match it. We now see instances when solely using OAuth and access tokens might not be sufficient for complex API ecosystems: often, all access tokens issued for an API have the same properties and therefore can be accessed by anyone with the token. This can lead to security vulnerabilities.

Before I discuss how to solve the security challenges of complex API ecosystems, it is important to distinguish between two types of API expansion. Growing APIs can be divided into breadth-grown and depth-grown APIs:

  • Breadth-grown APIs grow wide and form a flat system with multiple directly exposed APIs;

  • Depth-grown APIs expand in depth, meaning that the system is developed because APIs get coupled together in layers.

Due to the structural differences, the security challenges presented by these two patterns are different too:

  1. The challenge with bread-growth APIs stems from the number of exposed endpoints. Typically when proper authorization checks are in place, the bearer of an access token cannot retrieve a different user’s information. However, the bearer can still access any of the endpoints as it might be problematic to secure them all. The common solution - introducing scopes to limit capabilities of access tokens - might lead to additional issues such as needing to manage scopes and corresponding endpoints and the complexity of assigning scopes into logical groups.

  2. In some depth-grown APIs, the processing of one request usually involves calling many services. When one token is used to secure all downstream services, it can be reused to get access to any API endpoint beyond the set permissions or even be leaked to a third party that can use it to call your API.

To solve these and other challenges, I suggest the following solutions, which you should choose based on the particular needs and your team’s capabilities:

1) Using Claims-based Authorization

Scopes are great, but they should not be the only authorization factor. Based on complex authentication information, authorization servers should issue claims for APIs to use them. To limit API access, I suggest using the audience claim. With it, the API can check whether the access token was intended for a specific audience and reject those meant for a different audience.

2) Using Token-sharing Approaches

Organizations should consider token sharing to prevent a token from being reused across all services. This usually means implementing token exchange so that a service always operates with an access token tailored to its needs. This limits the potential actions a downstream service can perform. As an alternative, access tokens can be embedded.

3) Using an Entitlement Management System

Companies with large API ecosystems should consider using dedicated entitlement management systems to mitigate security risks and establish a centralized way of handling authorization. This way, authorization rules will be governed in a structured way and you will avoid unnecessary issues of broken function-level authorization. We suggest using Open Policy Agent, which can be easily set up to work with the Curity Identity Server.

The original article was published on the New Stack. You can read it here.

Related resources

Frequently Asked Questions

What's the performance or latency impact of introducing token exchange in a depth-grown API architecture?

Token exchange introduces additional calls to an authorization server as requests pass through multiple downstream services, which can add some latency. This is generally a worthwhile tradeoff for the security benefits, though it's a factor teams should account for when designing service-to-service communication.

How does the audience claim differ from scopes in practical terms?

Scopes define what actions or resources an access token is permitted to use, while the audience claim defines which specific API or service the token was intended for in the first place. This means a token can be rejected outright by an API if it wasn't the intended recipient, regardless of what scopes the token carries.

At what point should a company invest in an entitlement management system rather than relying on scopes and claims alone?

This typically becomes worthwhile once an organization is managing a large number of APIs and services, has multiple teams independently defining authorization rules, or is finding it difficult to maintain consistent, centralized control over access decisions using scopes and claims alone.

How do I know if my API ecosystem is breadth-grown, depth-grown, or a mix of both?

Many organizations have ecosystems that show both patterns in different parts of their architecture, so it's not always an either/or distinction — some APIs may be flat and directly exposed, while others involve layered service calls.