OAuth 2 Access Token Usage Strategies for Multiple Resources (APIs): Part 1

With the explosion of APIs, it's becoming more common for an application to consume a variety of different APIs, sometimes from different API providers. For example, consider a Single Page Application (SPA) that implements a shopping application for a retail operation. This SPA might call a shopping cart API, product information API, store location API, payment API, and other APIs, which may be hosted by the organization itself or multiple third parties.

Ideally, these APIs are all deployed with a common API gateway. (Granted, that doesn't always happen, especially in large organizations where each API may be supported by different teams that have made architectural decisions-or just good old-fashioned political decisions-independent of one another.) To create a common API security model that spans all APIs advertised on an API gateway, let's assume all endpoints require an OAuth 2 Access Token issued from a common identity provider and have the appropriate API security token checks in place.

Fundamental usage questions must be addressed regarding how the OAuth 2 access tokens are employed. One key question we explore in this series is:

Should the application obtain a single access token that is used against all APIs, use multiple access tokens where each has the limited information needed for a particular API, or do something in between?

Three Approaches for OAuth 2 Access Token Usage

If a single token is used for all APIs in a domain, you run the risk of leaking sensitive information to systems that do not need it or creating a powerful identity token that grants the holder access to many systems if it were to be compromised. (The same issues apply to any resource protected by OAuth 2, not just APIs. Likewise, they apply to any type of application that is attempting to consume such a resource.) In previous posts, I've touched on different approaches to this problem, but have never assembled all the information into one article  —  so here we are.

For our purposes, let's assume the following are true in our target environment:

Now, let's consider how the API consumer should handle access tokens. Should the API consumer (OAuth 2 client, OIDC relying party) obtain one access token that is used with all back-end APIs? Should there be one access token per back-end API? Is there another configuration that should be used?

We're going to look at three different strategies that I have used at client sites before. There are several variables to consider:

The exact nature of these variables differs by organization, including the acceptable ranges for any of these parameters, the granularity of the audience, how audience and scope are used, etc., but these variables give rise to several patterns that could be employed to address how access tokens are utilized:

In all of these options, one or more scopes will be associated with the access tokens. If OIDC is being used, then the "openid" scope will be present in addition to any other scopes needed to access API endpoints. Likewise, instead of using scopes to describe user permissions on an API, a list of roles (maybe an array of strings) could be used.

Option #1: Single Access Token with Single Audience

The first option — a single token with a single audience that can be used against all desired APIs — is probably the most universally supported with out-of-the-box functionality. Included in this one access token are as many scopes as are needed to grant required permissions, obtain required claims, and perform other purposes for the various backend APIs. That information will be visible to all downstream actors that intercept the access token. Depending on the use case, this could be an issue.

This approach is common and simple enough for all actors involved. There are several variations on this option, including:

The second and third variations could be combined to create a limited set of distinct audiences that represent application layers and environments.

The relationships between audience, scopes, access tokens, and APIs in this use case are described in the following diagram:

Option #2: Single Access Token With Multiple Audiences

The second option-single access token, with multiple audiences covering all desired APIs-is allowed by the spec, but multi-audience JWTs acting as OAuth 2 access tokens isn't universally supported by IdP vendors, API gateway vendors or other libraries. Just like with Option #1, there will be as many scopes in the access token as are needed to describe the permissions the user needs to interact with the APIs described by JWT audience list.

In a situation where token delegation is being used (i.e., the API gateway obtains a new access token that describes the authenticated user, but has a different audience, scope and claim information describing the downstream API Provider), the multi-audience token may provide significant simplification of the mechanics needed to obtain new tokens. This is because it wouldn't necessarily need to obtain the new token for the downstream actor. However, this would likely be exposing additional information to other actors that wouldn't necessarily have occurred otherwise.

The relationships between audience, scopes, access tokens and APIs in this use case are described in the following diagram:

Option #3: Multiple Access Tokens

The third option-using multiple access tokens-involves obtaining a unique access token for each API that needs to be accessed by the application. Each of these access tokens will have a single audience that describes one API. Each token (associated with each API) will have some number of scopes associated with it to describe the user's permissions on the corresponding API. Supporting multiple access tokens (and possibly other token types) is more complex for all actors involved, but especially the application and authentication library.

The authentication library must be able to support obtaining and caching the various tokens that are obtained. The application needs to keep track of which permissions are required for which function.

The relationships between audience, scopes, access tokens and APIs in this use case are described in the following diagram:

Your application, the authentication library, IdP, API gateway, and potentially other actors must be able to accommodate whichever path is chosen.

Some Additional Notes

Which Approach Should You Implement?

So, we have presented three approaches to using OAuth 2 access tokens with multiple APIs deployed with the same API gateway. As with so many topics we've discussed, the single greatest determining factor of the best path forward will likely be what your technology stack (identity provider and API gateway) supports. Keep this in mind when defining your strategy.

In large enterprise organizations, there tend to be identity and access management, enterprise architecture, and/or information security teams with strong opinions about how these types of details should work. Those opinions tend to vary wildly, but will greatly influence the chosen solution.

In the rest of this series, we will explore some foundational concepts that impact the approaches, examine how to implement these options, and consider which is the best approach under different circumstances.

 

 

 

 

Top