TWIL: February 13, 2022
Following on last week’s path, several articles on WSO2 API Manager and WSO2 Identity Server, but also an interesting article on micro-frontends and a cool repo with security hardening guides, best practices, checklists, benchmarks, tools and other resources. Enjoy.
What the heck is PKCE?
PKCE is short for Proof Key for Code Exchange. It is a mechanism that came into being to make the use of OAuth 2.0 Authorization Code grant more secure in certain cases. The basic idea behind PKCE is proof of possession. The client app should give proof to the authorization server that the authz code belongs to the client app in order for the authorization server to issue an access token for the client app.
PKCE: What and Why?
PKCE provides dynamic client secrets, meaning your app’s client secrets can stay secret (even without a back end for your app). PKCE is better and more secure than the implicit flow (AKA the “token flow”). If you’re using the implicit flow, then you should switch to PKCE. If you use an implicit flow to authorize your Dropbox app, then PKCE is a better, more secure replacement, and you should no longer use implicit flow.
WSO2 API Manager
This week I was trying to learn as much as possible about WSO2 API Manager, as well as WSO2 Identity Server, to understand the product’s features and how it handles a set of use cases. These are some of the resources I went through.
WSO2 API Manager Documentation
WSO2 API Manager is a fully open-source API management platform. It supports API designing, API publishing, lifecycle management, application development, API security, rate limiting, viewing statistics of APIs, as well as connecting APIs, API Products, and endpoints.
WSO2 API Manager Architecture
The API Manager consists of an API management layer and an integration layer, where the components all fit into and mesh together to address the various use cases of the product. The API management layer contains several components, which you can use in your deployment according to your requirements. The integration layer includes the Micro Integrator runtime (for service integration), the Streaming Integrator runtime (for streaming requirements), or both runtimes.
WSO2 Rate Limiting Use Cases
Rate limiting allows you to limit the number of successful hits to an API during a given period. It is typically used to protect your APIs from common types of security attacks (e.g. Denial of Service attacks), to regulate traffic according to infrastructure availability, or to make an API, application, or resource available to a consumer at different levels of service, usually for monetization purposes.
Authorization Code Grant with PKCE to Invoke Your APIs via Mobile/Single-Page Applications
Public clients, such as mobile or single-page applications, are bound to encounter security threats when requesting access tokens over Authorization Code flow alone. This is because mobile apps cannot securely store a client secret. Decompiling the mobile app will reveal the client secret. Another security challenge is that authorization code can be intercepted by third-party applications. When it comes to single-page apps, such apps cannot securely store a client secret because their entire source is available to the browser. To mitigate these security threats, OAuth 2.0 recommends Proof Key for Code Exchange (PKCE) as an extension to the authorization code flow to securely perform access token exchange using public clients.
PKCE in Action with WSO2 Identity Server
Let’s see how PKCE works with OAuth 2.0 Authorization Code Grant using the WSO2 Identity Server.
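The three PKCE items above (what PKCE is, why public clients need it, and the authorization code exchange it protects) all come down to one mechanism: the client generates a random code_verifier, sends its SHA-256 hash (the code_challenge) with the authorization request, and later proves possession of the original verifier when it redeems the code. The following Python script is an added example written for this post, not code from WSO2 or from any of the linked articles; the in-memory AuthorizationServer class, the client_id values and the "intercepted code" scenario are constructed to illustrate the check, and the one fixed verifier/challenge pair used in the test comes from the RFC 7636 appendix.

```python
"""PKCE (RFC 7636) code_verifier / code_challenge generation and the
server-side check that makes a stolen authorization code useless.

Added example; the AuthorizationServer below is a constructed stand-in
for a real authorization server such as WSO2 Identity Server."""
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: verifier is 43..128 unreserved characters.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to a 43-character verifier (the RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: base64url(sha256(verifier)). 'plain' exists only for legacy clients."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Constructed toy server: remembers the challenge bound to each code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the challenge."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: release a token only if the verifier matches."""
        entry = self._codes.pop(code, None)  # single use: replay fails
        if entry is None:
            return None
        bound_client, challenge, method = entry
        if bound_client != client_id:
            return None
        if not VERIFIER_RE.match(code_verifier):
            return None
        expected = make_code_challenge(code_verifier, method)
        # Constant-time compare so the check leaks nothing about the challenge.
        if not secrets.compare_digest(expected, challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)),
                "token_type": "Bearer"}


def demo_flow() -> tuple[bool, bool, bool]:
    """Legitimate client vs. an app that intercepted only the code.

    Returns (legit_got_token, interceptor_got_token, replay_got_token)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    # Client sends the challenge, never the verifier, in the front channel.
    code = server.authorize("mobile-app", challenge)

    # Interceptor sees the redirect URI and grabs the code, but has no verifier.
    intercepted = server.token("mobile-app", code, make_code_verifier())

    # Legitimate client redeems the code with the verifier it kept in memory.
    legit = server.token("mobile-app", code, verifier)

    # The code was consumed by the first attempt above, so a replay also fails.
    replay = server.token("mobile-app", code, verifier)
    return legit is not None, intercepted is not None, replay is not None


if __name__ == "__main__":
    print(demo_flow())
```

Note the ordering in demo_flow: because the code is single-use, the interceptor's failed attempt does not consume it (the lookup only pops on success here, it pops first, so a real server should also invalidate the code after a failed verifier check, which RFC 6749 recommends). In this toy the failed attempt does consume the code, so the legitimate redemption afterwards fails too; that is the point of the third return value.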
WSO2: Secure Endpoint with OAuth 2.0
A secured endpoint is when you have access-protected resources. WSO2 API Manager supports Basic Authentication, Digest Authentication, and OAuth 2.0. They differ on how the credentials are communicated and how access is granted by the backend server. OAuth 2.0 is the industry-standard delegation protocol for authorization and focuses on client developer simplicity while providing specific authorization flows for applications. In other words, OAuth 2.0 enables an application to obtain limited access to an HTTP service, without actually revealing a resource owner’s long-term credentials or identity.
How to write Custom Claim Provider in WSO2 Identity Server
In WSO2 Identity Server, we can write a custom claim provider as an OSGi service to add new claims to the ID token in the OpenID Connect protocol. In the current implementation, there is an extension point for a custom claim provider, which can be plugged in to inject claims into the ID token. In this blog I will share how to write one.
How Micro-frontend frameworks are replacing legacy monoliths
A micro frontend is a modular piece of an application that can co-exist with other micro frontends in a shared ecosystem. It can be thought of as a UI fragment that is decoupled from a large monolith application.
Awesome Security Hardening
A collection of awesome security hardening guides, best practices, checklists, benchmarks, tools and other resources.
Have an awesome week!
Photo by Javier Allegue Barros on Unsplash