Skip to content

Commit

Permalink
Update API-Security-Pattern.md
Browse files Browse the repository at this point in the history
  • Loading branch information
@ttrit
ttrit committed Apr 14, 2023
1 parent 26a86c0 commit 7f0c033
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion vendor-neutral/API-Security-Pattern.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ On top of all these modern security frameworks, there are some enterprises who s
Sometimes as an enterprise solutions architect, you need to introduce new concepts like API management without modifying the existing applications and the user experience. If the end user applications are out of your control, you might not have the luxury of completely introducing a new security mechanism like OAuth2 with these applications. In such cases, you need to build your api management layer so that it can interoperate with the existing security mechanisms like SAML2, Kerberos, NTLM and build a token exchange mechanism around the applications. Users might not see the difference in security implementation since you can either have a token proxy at the enterprise level or develop some code at the client side applications to perform the token exchange.

### API Gateway and the Identity Provider
API Gateway (sometimes called as API Manager) is the runtime component which recieves all the requests from different users through applications. It is the duty of gateway to validate the user requests before calling the actual endpoints which provides the business information. API Gateway uses a special component to validate the user identities and the access control levels named as Identity Provider. It can be a fully fledged Identity and Access Management product or a component built as part of the same API Management product (e.g. Key Manager). This Identity Provider component takes care of all the security related tasks like
API Gateway (sometimes called as API Manager) is the runtime component which receives all the requests from different users through applications. It is the duty of gateway to validate the user requests before calling the actual endpoints which provides the business information. API Gateway uses a special component to validate the user identities and the access control levels named as Identity Provider. It can be a fully fledged Identity and Access Management product or a component built as part of the same API Management product (e.g. Key Manager). This Identity Provider component takes care of all the security related tasks like

- User management
- Key and token management (OAuth2 and OIDC)
Expand Down

0 comments on commit 7f0c033

Please sign in to comment.