
Why does an API gateway need authorization?

To understand why an API gateway needs authorization, we first have to understand what an API gateway is used for.

From there we can see why gateways need authorization and where it comes into play.

When is an API gateway used?

Historically, applications were built as a monolith: the user interface, business logic and storage were all bundled into one application.

The only way for people or systems to use the application was through its user interface (UI). That limited the application's usefulness.

What if business logic could be decoupled from other functions in the app such as the UI or storage?

This is where architects can adopt an API-first strategy: build an API for the app that exposes individual pieces of functionality to other systems, or to anyone who wants to build a custom UI or integrate with the app in ways the original developer hadn't planned.

An example of this in a banking application could be API endpoints for loans, credit cards, and accounts.

Now, if you have a third party that wants to connect to your application and processes, they can do that via the API rather than attempt to “screen-scrape” your monolith’s UI.

But APIs need the right level of exposure and protection from common threats.

This is where an API gateway comes in. It can help expose application functionality through common API technology and it can help apply a wide range of security mechanisms.

For instance, how does the third party authenticate with the API?

How do we know what it is allowed to do?

In the banking example, can the third-party application do everything on the user's account?

Or should it only be able to see the user's credit score?

Where does authorization fit in an API gateway?

An API gateway needs to enable at least three things:

  1. Authentication
  2. Access delegation
  3. Access control (Authorization)

The first two can be done with OAuth 2.0 and OpenID Connect (OIDC).

Using the banking application example again, this is the dance (the OAuth authorization code flow) in which the user proves who they are and agrees to let the third-party application connect to the banking application on their behalf.

OAuth and OIDC help us establish the end user’s identity as well as their consent to share a subset of features between the calling application and the targeted application.

But that alone doesn't tell us what the caller may actually do with the application's data.

Access control or authorization is the stage where policies are going to be defined to determine what can or can’t happen.

In the above example, this would be things like whether the calling application can view loans, pay loans or cancel them.

When an authorization solution like Axiomatics is brought in, it could be called from the application, API layer or the API gateway.

The key reason to connect the solution to the API gateway is that it is configuration-based. This means authorization isn’t hard-coded into the API or the application, so all of the updates to access control can be done through Axiomatics and linked to the gateway.

When doing this, it is important to guarantee that every call to the underlying application goes through the API gateway. Any call that reaches the API or the application directly bypasses the gateway, and that call is never authorized.

The API gateway acts as a super-PEP

Policy enforcement points (PEPs) are important as they transform business/application requests to authorization requests.

PEPs can be placed anywhere, but the benefit of having a PEP inside an API gateway (or an API gateway acting as a PEP) is that it is almost entirely configuration-driven: little or no code or customization is needed.

If the PEP lives in the API itself, whoever builds it must understand how the API was written, and the resulting PEP has to be maintained alongside that code.
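To make the PEP's job concrete, here is an added example (not Axiomatics' code, and not a real XACML or gateway implementation) of a gateway-side PEP for the banking API above. It does the transformation described in this section, turning an HTTP call plus the claims already validated from the caller's access token into an attribute-based authorization request, and then enforces a decision from a small stand-in PDP. The route table, the account and client data, the rule format and the scope names are all constructed for illustration; a real gateway would send the request to an external PDP instead of the local `decide()` function. It also shows the point made earlier: the third party's OAuth scopes record what the user consented to, but policy still decides whether a loan can be viewed, paid or cancelled.

```python
"""Gateway PEP example: translate an API call into an authorization request and enforce the decision.

Added illustration with a local stand-in PDP; not Axiomatics' product, not XACML.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which user owns which account. In practice the PEP or PDP
# would fetch such attributes from a policy information point.
ACCOUNT_OWNERS = {"acct-1": "alice", "acct-2": "bob"}

# Constructed: clients operated by the bank itself; any other client_id is a third party.
FIRST_PARTY_CLIENTS = {"bank-mobile"}

# Route table (constructed): HTTP method + path pattern -> business action + resource type.
# This mapping is what turns a "business request" into an "authorization request".
ROUTES = [
    ("GET", "/accounts/{account_id}/loans", "view", "loan"),
    ("POST", "/accounts/{account_id}/loans/{loan_id}/pay", "pay", "loan"),
    ("DELETE", "/accounts/{account_id}/loans/{loan_id}", "cancel", "loan"),
    ("GET", "/accounts/{account_id}/credit-score", "view", "credit_score"),
]

# OAuth scope the user must have consented to before an action is even considered (constructed names).
SCOPE_FOR_ACTION = {
    ("view", "loan"): "loans:read",
    ("pay", "loan"): "loans:write",
    ("cancel", "loan"): "loans:write",
    ("view", "credit_score"): "credit:read",
}


@dataclass(frozen=True)
class AuthzRequest:
    """Who (subject) wants to do what (action) to which resource, under which conditions (environment)."""
    subject: dict
    action: str
    resource: dict
    environment: dict


def match_route(method: str, path: str) -> Optional[tuple]:
    """Return (action, resource_type, path_params) for a known route, or None if the gateway does not know it."""
    parts = path.strip("/").split("/")
    for route_method, pattern, action, rtype in ROUTES:
        segs = pattern.strip("/").split("/")
        if route_method != method or len(segs) != len(parts):
            continue
        params = {}
        for seg, part in zip(segs, parts):
            if seg.startswith("{") and seg.endswith("}"):
                params[seg[1:-1]] = part      # capture a path parameter
            elif seg != part:
                break                         # literal segment mismatch
        else:
            return action, rtype, params
    return None


def build_request(method: str, path: str, claims: dict, env: dict) -> Optional[AuthzRequest]:
    """The PEP step: HTTP call + validated token claims -> authorization request.

    `claims` are the access-token claims the gateway has already validated, so authentication
    and consent (recorded in the space-separated `scope` claim) have happened before this point.
    """
    matched = match_route(method, path)
    if matched is None:
        return None
    action, rtype, params = matched
    account_id = params.get("account_id")
    return AuthzRequest(
        subject={
            "user": claims["sub"],
            "client_id": claims["client_id"],
            "scopes": set(claims.get("scope", "").split()),
            "amr": claims.get("amr", []),     # authentication methods used, e.g. ["pwd", "mfa"]
        },
        action=action,
        resource={"type": rtype, "account_id": account_id,
                  "owner": ACCOUNT_OWNERS.get(account_id), "loan_id": params.get("loan_id")},
        environment=env,
    )


# --- Stand-in PDP. Each rule returns "Permit", "Deny" or None (not applicable); ---
# --- the combining algorithm is deny-overrides with a default of Deny.          ---

def rule_consent(req: AuthzRequest) -> Optional[str]:
    """Consent is necessary but not sufficient: without the matching scope nothing is allowed."""
    needed = SCOPE_FOR_ACTION.get((req.action, req.resource["type"]))
    return "Permit" if needed in req.subject["scopes"] else "Deny"


def rule_owner(req: AuthzRequest) -> Optional[str]:
    """A delegated token only reaches the consenting user's own accounts."""
    return "Deny" if req.resource["owner"] != req.subject["user"] else None


def rule_third_party_cannot_cancel(req: AuthzRequest) -> Optional[str]:
    """Business policy that consent alone cannot express: third parties may view and pay loans, never cancel them."""
    if req.action == "cancel" and req.subject["client_id"] not in FIRST_PARTY_CLIENTS:
        return "Deny"
    return None


def rule_pay_requires_mfa(req: AuthzRequest) -> Optional[str]:
    """A condition on how the user authenticated: paying a loan requires an MFA-backed session."""
    return "Deny" if req.action == "pay" and "mfa" not in req.subject["amr"] else None


RULES = [rule_consent, rule_owner, rule_third_party_cannot_cancel, rule_pay_requires_mfa]


def decide(req: AuthzRequest) -> str:
    results = [rule(req) for rule in RULES]
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "Deny"


def enforce(method: str, path: str, claims: dict, env: Optional[dict] = None) -> tuple:
    """Gateway entry point: 404 for unknown routes, 403 on Deny, 200 (request forwarded) on Permit."""
    req = build_request(method, path, claims, env or {})
    if req is None:
        return 404, "NotApplicable"
    decision = decide(req)
    return (200 if decision == "Permit" else 403), decision


if __name__ == "__main__":
    # Constructed claims for a third-party budgeting app acting for alice with broad consent.
    third_party = {"sub": "alice", "client_id": "budget-app", "scope": "loans:read loans:write", "amr": ["pwd"]}
    for m, p in [("GET", "/accounts/acct-1/loans"), ("DELETE", "/accounts/acct-1/loans/ln-7"),
                 ("GET", "/accounts/acct-2/loans")]:
        print(m, p, enforce(m, p, third_party))
```

Note that nothing in `enforce()` is specific to how the loans service is written; the gateway only needs the route table and the token claims, which is the configuration-driven property this section attributes to a gateway PEP. It also shows why every call must pass through the gateway: a request that reaches the loans service directly never hits `enforce()` at all.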

Why is authorization needed in an API gateway?

API gateways need authorization to ensure users can only access the resources they need under the correct conditions.

This is done by writing policies, which can be written with an authorization solution like Axiomatics.

The benefit of using a vendor for an authorization solution is that we can scale as your enterprise grows, align with internal stakeholders, and we have years of experience with authorization to help you along the way.

Request a demo with one of our solution experts to see how easy it is to write and deploy policies within an API gateway.


About the author

As Chief Technology Officer, David has experience leading the design and development of Salesforce’s identity offering including customer identity and access management (CIAM). He is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standard-based authorization as part of an overall IAM implementation.