
This blog post continues our discussion of Authorization in the API space. It explores common authorization patterns between API Gateways and the backend API Providers. Generally, the API Gateway applies a Coarse Grained Authorization (CGA) decision and the API Provider implements the Fine Grained Authorization (FGA) decisions. This authorization model is built on top of the concept of End-to-End, Secure Identity Propagation that was introduced in an earlier blog post. In complex deployments, the ideas presented in the “OAuth2 Access Tokens and Multiple Resources (APIs) Series” are another important building block for what is presented here.


Let’s make some…



This blog post expands on delegation and related concepts introduced in my Kerberos Delegation blog post. It also brings together two blog series I’ve been working on over the years: the SAML2 vs. JWT Series and the Kerberos and Windows Security Series. Delegation is a critical building block of end-to-end secure identity propagation. The concept exists in several identity protocols, including Kerberos, OAuth2 Token Exchange, and WS-Trust. A weaker form of it also exists in the three-legged flow of OAuth 2.0.

What is Delegation?

In various specifications over the years, this term has been used to describe a system’s need to take actions for a user…


In this next post in the Kerberos and Windows Security Series, we are going to explore a very useful but abstract feature of the Kerberos Authentication Protocol: Delegation. In particular, we are going to focus on the Windows implementation of this feature. Delegation allows downstream actors to interact with other services on behalf of the original authenticated user without that user’s credentials having to be provided directly to the downstream actors. …


The use of HTTP POST vs. HTTP GET for read-only (or query) operations in REST APIs recently came up in a conversation. For this particular shop, there had been a long-standing ban on the use of GET requests in homegrown applications. This had been the case since before REST APIs were in common use, when traditional web applications (server-side generated HTML) were the standard architecture. The only problem was that no one really knew or remembered why it wasn’t allowed, just that it was “insecure”. …


There are several approaches to securing APIs. Every API Gateway vendor supports the same core set of API security mechanisms. API Keys and OAuth2 are two examples of these authentication (plus authorization) mechanisms. When should one be used over the other? What are the differences between the two if they both use JSON Web Tokens (JWT)? I was at a client site a while back when this topic came up. Okay, it was actually several years ago. I’m that far behind in writing blog posts :). Regardless, the topic is still relevant.

Before we jump into API Keys and OAuth2, we…


There are many ways to implement user authentication in a modern application (mobile, desktop, tablet, web, etc.). I have previously explored Authentication, Federation, and SSO; that post introduces several key concepts that are assumed here. At the intersection of user experience, authentication, supportability, and general security is the question of how the user is authenticated. There are many ways of doing this; from an end-user perspective, there may not be a noticeable difference between the approaches. From an overall identity capability perspective, the approach matters. We aren’t just talking about the difference between using a username and password validated against…


This post continues where “SECURELY USING THE OIDC AUTHORIZATION CODE FLOW AND A PUBLIC CLIENT WITH SINGLE PAGE APPLICATIONS” left off on the topic of securing Single Page Applications (SPAs). That post describes an architecture where the SPA running in the browser (User Agent) is acting as the OAuth2 Client. That is my preferred approach to using OAuth2 with SPAs, but it isn’t the only way of doing it. Let’s assume that the OAuth2 Authorization Code Grant or OIDC Authentication Flow is still used. One could alternatively make a server-side component (web server, application server, API Gateway) be the OAuth2 Client…


This post contains links to all the articles about authorization that I have written.

The word authorization is used to describe several different concepts that are very similar, but distinct. These include:

  • Authorization decision for application access: Coarse Grained Authorization
  • Authorization decision for application access: Fine Grained Authorization
  • Token issuance
  • Delegated access (as described in the OAuth2 RFC)

Confusing these concepts can lead to messy architectures, insecure systems, and really confusing conversations.

In the following blog posts, I describe these topics and more.



This post was originally published as “OAUTH2 ACCESS TOKEN USAGE STRATEGIES FOR MULTIPLE RESOURCES (APIS): PART 3” on the Ping Identity Blog.

In the first two posts of this series, OAuth2 Access Token Usage Strategies for Multiple Resources (APIs): Part 1 and OAuth2 Access Token Usage Strategies for Multiple Resources (APIs): Part 2, we examined different approaches to reusing OAuth2 Access Tokens for different resources (APIs advertised on an API Gateway).

We looked at how OAuth2 Scopes and a concept of audience (or limitation of what service a token is valid for) impacts the reusability of these tokens. We looked…
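The gateway-versus-provider split described in the first excerpt on this page (coarse-grained at the API Gateway, fine-grained at the API Provider), the delegation described in the Kerberos and Delegation excerpts, and the audience and scope constraints this series examines, brought together in one added example. This is not code from any of these posts. It assumes a shared HS256 key, an authorization server at https://as.example, two hypothetical APIs (orders-api and billing-api), and constructed order and invoice records; the token exchange follows the shape of RFC 8693 but is a toy authorization server written for the example, not a real one.

```python
"""Added example (not code from the original posts): HS256 JWTs checked
coarse-grained at an API Gateway and fine-grained at the API Provider,
plus an RFC 8693 style token exchange so a provider can act for the user
downstream. Keys, issuer, routes, clients and records are all constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # assumed HMAC key shared by AS, gateway and providers
ISSUER = "https://as.example"      # hypothetical authorization server
ACTORS = {"orders-api"}            # clients allowed to request delegated tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str) -> dict:
    """Checks alg, signature, issuer and expiry. Audience and scope are left to
    the caller because they depend on which API the token is presented to."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")   # rejects alg=none and key confusion
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        raise PermissionError("wrong issuer or expired")
    return claims

def issue(sub: str, aud: str, scope: str) -> str:
    """Stand-in for the AS minting a token after the user or client authenticates."""
    return sign_jwt({"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
                     "exp": int(time.time()) + 300})

# Gateway route table: the audience and scope a token must carry for each route.
ROUTES = {
    ("GET", "/orders/{id}"): ("orders-api", "orders:read"),
    ("GET", "/invoices/{id}"): ("billing-api", "invoices:read"),
}

def gateway_cga(method: str, route: str, token: str) -> dict:
    """Coarse-grained: is this token valid for this API at all? No record lookups."""
    claims = verify_jwt(token)
    required_aud, required_scope = ROUTES[(method, route)]
    aud = claims.get("aud", [])
    if required_aud not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError(f"token not issued for {required_aud}")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {required_scope}")
    return claims

# Constructed provider data: which subject owns which record.
ORDERS = {"o-1": {"owner": "alice", "invoice": "i-9"},
          "o-2": {"owner": "bob", "invoice": "i-7"}}
INVOICES = {"i-9": {"owner": "alice", "total": 40},
            "i-7": {"owner": "bob", "total": 75}}

def provider_fga(claims: dict, table: dict, record_id: str) -> dict:
    """Fine-grained: the provider decides which records this subject may read.
    A delegated token still names the user in sub; act only records who acts."""
    record = table[record_id]
    if record["owner"] != claims["sub"]:
        raise PermissionError(f"{claims['sub']} does not own {record_id}")
    return record

def token_exchange(subject_token: str, actor_token: str, audience: str, scope: str) -> str:
    """RFC 8693 style exchange at the AS: the actor presents the user's token and
    its own and receives a token for a new audience that records the delegation."""
    subject, actor = verify_jwt(subject_token), verify_jwt(actor_token)
    if actor["sub"] not in ACTORS:
        raise PermissionError("actor may not delegate")
    if not set(scope.split()) <= set(subject.get("scope", "").split()):
        raise PermissionError("exchange may narrow scope, never widen it")
    return sign_jwt({"iss": ISSUER, "sub": subject["sub"], "aud": audience, "scope": scope,
                     "act": {"sub": actor["sub"]}, "exp": int(time.time()) + 60})

def fetch_invoice_for_order(user_token: str, order_id: str) -> dict:
    """orders-api serving GET /orders/{id}: after CGA and FGA it needs billing-api, for
    which the user's token carries the wrong audience, so it exchanges the token
    instead of forwarding it as-is."""
    claims = gateway_cga("GET", "/orders/{id}", user_token)
    order = provider_fga(claims, ORDERS, order_id)
    delegated = token_exchange(user_token, issue("orders-api", ISSUER, ""),
                               "billing-api", "invoices:read")
    down = gateway_cga("GET", "/invoices/{id}", delegated)
    return {"invoice": provider_fga(down, INVOICES, order["invoice"]), "act": down["act"]}

def forge(token: str, **changes) -> str:
    """Re-encodes the claims with changes but keeps the old signature (an attacker's edit)."""
    header, body, sig = token.split(".")
    return f"{header}.{_b64(json.dumps({**json.loads(_unb64(body)), **changes}).encode())}.{sig}"

def denied(fn, *args) -> bool:
    """True when the call is refused; used to show the negative cases."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Presenting alice's orders-api token straight to the /invoices route is refused on audience even though it carries invoices:read, which is the reuse limit the series discusses; the exchanged token passes that gate with the same sub and an act claim naming orders-api, so billing-api's fine-grained check still runs against the user, not the service. The exchange refuses to widen scope, so a user whose token lacks invoices:read cannot be escalated by the intermediary.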

My focus within Information Technology is API Management, Integration, and Identity, especially where these three intersect.
