Is there a need to identify users? What are the common identifiers between the API Consumer and the API (email, customer number, social security number)? How are the API consumer’s end-users authenticated?
Identity, authorization and access management + securing data in all of it's stages
Identity management, authorization, and access management are important for securing APIs, but also related to the applications consuming or providing the APIs. Sensitive information should always use token and session-based access, as the API-keys are in general never changed and are handled in plain language without any encryption, so someone can get access to them.
Headers, tokens or URLs for authentication data
- The best approach for securing APIs containing sensitive information and requiring user-level access management is to use OpenID Connect –capable authentication with JWT-tokens and claims.
- This requires agreeing on how the applications get the token, how is the identity of end-users managed etc.
- Sometimes API consuming clients have limitations on what types of authentication methods they can use.
- Most consumers can use API-keys in headers, but some can only input URI-parameters. These types of consumers should not be allowed access to sensitive information at all, as the URI-parameters are logged during all points and are easily “sniffed”.