Questions tagged [api-gateway]
The api-gateway tag has no summary.
27 questions
0 votes, 0 answers, 64 views
What Is the Best Validation Logic for an Internal API Gateway in Trading Systems?
Context:
To briefly describe our system, we are preparing a cryptocurrency exchange platform similar to Binance or Bybit. All requests are handled through APIs. We have an External API Gateway that ...
0 votes, 0 answers, 74 views
Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?
Is this a good approach to preventing the leakage of secrets?
Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth ...
0 votes, 1 answer, 145 views
Can API Security/WAF tools decrypt "mirrored" traffic?
We're doing a PoC on a new API Security/WAF tool, and we're planning to place this solution out-of-band rather than inline. So traffic won't go through the solution and we'll send the mirrored traffic ...
0 votes, 2 answers, 221 views
Decorating headers after JWT authentication
I'm toying with the idea of terminating JWT after gateway ingress, and looking to see what sort of attack patterns would result.
Prerequisites:
Communication between services would use mTLS to ...
1 vote, 0 answers, 162 views
OAuth2/Cognito: Let trusted server act on behalf of user
I'm building a public HTTP JSON API using API Gateway with ID token authentication.
I now need a server that acts on behalf of users. Users message that server using a third party (think Signal or ...
1 vote, 0 answers, 154 views
Migrate OAuth 2.0 to OAuth 2.1
I have an old Spring Cloud Gateway working with a Keycloak server. I don't have a web UI for login because the project is a REST API. OAuth 2.0 is used with the password grant type.
I want to migrate to OAuth ...
0 votes, 1 answer, 441 views
Should resource servers behind an API gateway independently verify authentication claims?
Is it considered OK to "authenticate" via unverifiable plain-string headers simply asserting a principal name (User-ID: 12345), as long as this is behind an API gateway that does verify ...
2 votes, 0 answers, 317 views
Where should rate limit be applied?
I would like to hear the best recommendations about where to apply rate limit on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, that is behind a firewall.
...
0 votes, 1 answer, 737 views
Does "validating" a JWT token from prove authentication with OpenId?
I have a static react app which users login via an Okta SPA app.
The app receives a JWT, which is stored in the browser and passed to the backend API via an Authentication header on every request.
...
0 votes, 0 answers, 132 views
How can I secure an API used for app secret keys without using CORS, created using AWS API gateway?
I am using an API, made using an AWS service named API Gateway [which may not be of great importance]. I have gone through various articles mentioning that rather than storing secret keys directly on ...
0 votes, 2 answers, 3k views
Is there any additional overhead over using Oauth vs Client Certificates?
I have a requirement to add security to service-to-API communication. The current implementation is client certificates. The client gets a certificate and just sends it in a cookie to the API. ...
0 votes, 0 answers, 172 views
How to prevent horizontal escalation attacks when a centralized authorization service as gateway is used?
Say I have a gateway which provides authorization mechanisms by validating a JWT; behind the API gateway there are different microservices, but only the gateway port is public. As a software designer ...
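Three of the questions on this page ("Decorating headers after JWT authentication", "Should resource servers behind an API gateway independently verify authentication claims?" and the one above) turn on the same split of responsibilities: the gateway can prove who the caller is, but each service still has to (1) accept only an identity the gateway actually asserted, not a bare `User-ID` header that anything reaching the service port can set, and (2) compare that identity with the owner of the object being requested, because a valid JWT says nothing about whether this subject may read that order. The following is an added example, not code from any of the posts. It is constructed for illustration: the header names, the HMAC-signed assertion format, the shared key, the in-memory order table and the `orders:read-any` scope are all assumptions (a real gateway would more commonly mint a JWT signed with its own key, which the service verifies in the same way). Note that mTLS between gateway and service, as one of the posts assumes, restricts who can connect; it does not by itself make a plain identity header trustworthy once any other holder of a valid service certificate can set it.

```python
"""Two checks a service behind a gateway must do itself (constructed example):
(1) accept only a gateway-signed identity, not a bare User-ID header, and
(2) enforce object-level (horizontal) authorization on every resource access.
All names, keys and sample data below are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

GATEWAY_KEY = b"example-shared-key-rotate-me"   # assumed: known only to gateway and service
MAX_AGE_SECONDS = 60                            # assumed replay window for the assertion
SUPPORT_SCOPE = "orders:read-any"               # assumed name of a privileged scope

# Constructed sample data: order id -> owner subject.
ORDERS = {"o-100": {"owner": "12345", "total": 42},
          "o-200": {"owner": "67890", "total": 17}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gateway_assert_identity(user_id: str, scopes: list, now: int) -> dict:
    """Headers the gateway adds after verifying the end-user JWT: the legacy
    plain header plus an HMAC-signed assertion over (sub, scopes, iat)."""
    payload = json.dumps({"sub": user_id, "scopes": scopes, "iat": now},
                         separators=(",", ":")).encode()
    sig = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return {"User-ID": user_id,
            "X-Gateway-Identity": _b64(payload) + "." + _b64(sig)}


def trusting_principal(headers: dict) -> Optional[dict]:
    """Believes User-ID as-is: anyone who reaches the service directly
    (gateway bypass, misrouted request, compromised neighbour) picks their identity."""
    sub = headers.get("User-ID")
    return {"sub": sub, "scopes": []} if sub else None


def verified_principal(headers: dict, now: int) -> Optional[dict]:
    """Accepts only assertions with a valid gateway MAC that are still fresh."""
    token = headers.get("X-Gateway-Identity", "")
    if "." not in token:
        return None
    payload_b64, sig_b64 = token.split(".", 1)
    try:
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if abs(now - int(claims["iat"])) > MAX_AGE_SECONDS:
            return None
        return {"sub": str(claims["sub"]), "scopes": list(claims.get("scopes", []))}
    except (ValueError, KeyError, TypeError):
        return None


def get_order(principal: Optional[dict], order_id: str) -> tuple[int, Optional[dict]]:
    """Object-level check the gateway cannot do for you: is *this* subject
    allowed to read *this* order?  Returns (http_status, body)."""
    if principal is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order["owner"] != principal["sub"] and SUPPORT_SCOPE not in principal["scopes"]:
        return 404, None   # same status as "missing" so ids cannot be enumerated
    return 200, order


def demo(now: int = 1_700_000_000) -> dict:
    """Runs the scenarios from the questions against both service variants."""
    legit = gateway_assert_identity("12345", ["orders:read"], now)
    support = gateway_assert_identity("99999", ["orders:read", SUPPORT_SCOPE], now)
    forged = {"User-ID": "67890"}                    # sent straight to the service port
    tampered = {**legit, "User-ID": "67890"}         # keeps the MAC, swaps the plain header
    evil_payload = _b64(json.dumps({"sub": "67890", "iat": now}).encode())
    spliced = {"X-Gateway-Identity":
               evil_payload + "." + legit["X-Gateway-Identity"].split(".", 1)[1]}
    return {
        "trusting_forged": get_order(trusting_principal(forged), "o-200")[0],   # 200: impersonated
        "verified_forged": get_order(verified_principal(forged, now), "o-200")[0],  # 401
        "verified_tampered": verified_principal(tampered, now)["sub"],          # "12345": MAC wins
        "verified_spliced": verified_principal(spliced, now),                   # None: MAC mismatch
        "verified_stale": verified_principal(legit, now + 3600),                # None: replay window
        "own_order": get_order(verified_principal(legit, now), "o-100")[0],     # 200
        "cross_user": get_order(verified_principal(legit, now), "o-200")[0],    # 404: not the owner
        "support_any": get_order(verified_principal(support, now), "o-200")[0], # 200 via scope
    }
```

The first four results show why a plain `User-ID` header is only as strong as the network path to the service, and the last three show that even a correctly verified identity still needs an ownership (or explicit privileged-scope) check inside the service, which is where horizontal escalation is actually prevented.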
0 votes, 2 answers, 231 views
How can API documentation be helpful to exploit any application?
Here I want to understand: if private API documentation is exposed, how can a hacker exploit the application, as all the endpoints have authorization & authentication?
Is it really going to ...
1 vote, 0 answers, 120 views
Generate a new AccessToken each time a user updates his information
I'm building a PWA app, where I implemented JWT tokens to auth users.
I have 2 main architecture problems, but let me introduce you to what I'm building.
I'm building an application that is all about dog ...
1 vote, 1 answer, 1k views
May I use OAuth2 for non third-party applications?
I need some help to understand my problem.
I'm studying a way to provide authentication for my applications.
My scenario:
I have a set of APIs with restricted access and users that will be ...