book

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

March 2025

Intermediate to advanced

390 pages

10h 55m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Foreword
Preface
Why We Wrote This BookWho This Book Is ForWhat You Will LearnCloud Native EnvironmentsWhat This Book Is NotUsing Code ExamplesTerminologyThis Book’s StructureConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
I. Introducing Cloud Native OAuth
1. Why Do You Need OAuth?
API-First SecurityWhat Is OAuth 2.0?Zero Trust SecurityAPIs with Perimeter SecurityAPIs with Infrastructure SecurityAPIs with Token-Based SecurityZero Trust for ClientsZero Trust for UsersAPI Supporting ComponentsCloud Native PlatformsSummary
2. OAuth 2.0 Distilled
RolesThe Abstract FlowThe Access TokenClient CapabilitiesPublic and Confidential ClientsThe Code FlowThe Device FlowThe Client Credentials FlowThe Refresh Token FlowOutdated FlowsOpenID ConnectThe Hybrid FlowUser InfoOAuth EvolutionSessions and LifecycleThe Revoke FlowTerminating SSOSummary
3. Security Architecture
What Is an API Security Architecture?Functions in the API Security ArchitectureIdentity ManagementAPI ManagementEntitlement ManagementThe Role of the ClientThe Role of the Access TokenWhat Security Components Do You Need?The Role of the Authorization ServerThe Role of the API GatewayThe Role of the Policy EngineAPI ResponsibilitiesClient ResponsibilitiesOperating Security ComponentsExtending OAuthSummary
4. OAuth Data Design
Authorization Server DataOAuth Configuration SettingsDesigning User AccountsPersonal DataBusiness User AttributesAPI User IdentitiesIdentity OperationsUser Management APIsMultiregionMultitenancyUser Migration Code ExampleSummary
II. Securing APIs with Tokens
5. Secure API Development
Unified API Security with JWT Access TokensValidating JWT Access TokensJSON Web KeysRotating Token Signing KeysJWT Standard ClaimsJWT Validation Best PracticesJWT Validation CodeAPI Authorization LogicUse Scopes for Coarse-Grained AuthorizationUse Claims for Fine-Grained AuthorizationDesign for FlexibilityHandling Token Expiry in APIsTesting Zero Trust APIsAPI Code ExampleSummary
6. Access Token Design
The Access Token ContractPublish the ContractVersion the ContractUnderstanding Token ScopeOpenID Connect ScopesHigh Privilege ScopesUnderstanding Token ClaimsWhat Constitutes a Good Claim?Relation of Claims to ScopesThe Audience ClaimData Sources for ClaimsObtaining the User’s ConsentManaging Access Tokens at ScaleScaling ScopesScaling ClaimsDesigning Token SharingToken ExchangeEmbedding Tokens in TokensAPI IntegrationsTokens for Asynchronous CommunicationSummary

7. Secure Access Tokens
Secure Access Token RequirementsAccess Token FormatsJWT Access TokensEncrypted JWT Access TokensOpaque Access TokensWrapped Opaque Access TokensAccess Token DeliveryIntrospectionThe Phantom Token PatternThe Split Token PatternHardening Access TokensChoose a JWT Signature AlgorithmUse Proof of PossessionStrengthen Browser CredentialsUse Least-Privilege Access TokensLimit Access Token LifetimesPlan for Token RevocationFollow Secure Development PracticesSummary
8. Proxies, Gateways, and Sidecars
HTTP Proxies, Ingress, and EgressThe API Gateway RoleExposing APIs in KubernetesConfigure NetworkingDeploy the API GatewayUse Ingress Resource to Expose APIsUse Gateway API Resources to Expose APIsChoose an Extensible GatewayTerminating TokensTermination of Opaque TokensTermination of Secure CookiesTermination of Sender-Constrained TokensAPI Gateways and Zero TrustThe Service Mesh RoleAPI Gateway Extensibility ExampleCreate a ClusterDeploy the API GatewayDeploy the Authorization ServerDeploy the Example APIRun an OAuth ClientUse the API Gateway Plug-inSummary
9. Entitlements
Access Control ModelsRole-Based Access ControlRelationship-Based Access ControlAttribute-Based Access ControlThe Principle of Least PrivilegeThe Role of Token-Based AuthorizationBenefits of an Entitlement Management SystemFlexibilityAuditabilitySecurity AgilityQuality Assurance via Policy as CodeScalable AuthorizationPolicyPolicy Administration PointPolicy Retrieval PointPolicy Decision PointPolicy Enforcement PointPolicy Information PointOpen Policy AgentWriting Policies in OPALoading External DataClaims-Based AuthorizationDecision ResultsAuditing Authorization DecisionsPolicy Retrieval in OPAExample DeploymentSummary
III. Operating Cloud Native OAuth
10. Workload Identities
Workload Identity IssuanceImplementing Request ConfidentialityRestricting Workload AccessHardening CredentialsUsing Platform-Issued JWTs as CredentialsUsing X.509 SVIDs as CredentialsHardening Bearer TokensLimitations of Workload IdentitiesWorkload Identities Code ExampleBase SetupUsing Workload Identities TransparentlyUsing JWT Workload IdentitiesUsing X.509 Workload IdentitiesSummary
11. Managing a Cloud Native Authorization Server
HostingComponentsClusteringAddressabilityDeploymentBuild ProcessEnvironment ConfigurationDeployment ProcessUpgradesData OperationUser Account UpdatesConfiguration UpdatesReliabilityHigh AvailabilityFast Problem ResolutionSecurity AuditingSummary
IV. Securing API Clients
12. OAuth for Native Applications
The Code FlowImplementing OAuth ClientsOAuth for Desktop ApplicationsOAuth for Mobile ApplicationsDevice Secure StorageHardening SecurityDynamic Client RegistrationUnique Keys Per DeviceApplication AttestationBrowserless User AuthenticationCode ExamplesConsole ApplicationDesktop ApplicationMobile ApplicationsSummary
13. OAuth for Browser-Based Applications
Web Application BasicsWebsite Versus Web ApplicationWeb Application ArchitectureBrowser-Based ApplicationsBrowser Security ThreatsClickjackingCross-Site Request ForgeryCross-Site ScriptingWeb Security MechanismsSame-Origin PolicyContent Security PolicySecure Cookie SettingsCross-Origin Resource SharingImplementing OAuth Using JavaScriptObtaining TokensPublic ClientsSilent AuthenticationRefreshing TokensToken StorageImplementing OAuth Using a Backend for FrontendThe BFF OAuth ClientThe BFF API RouterAPI-Driven ImplementationsThe BFF API InterfaceWeb Developer ExperienceHardening OAuth SecurityUsing Cookies in API RequestsDeployment ChoicesScaling DeploymentsChoosing a BFF ImplementationBrowser-Based Application Code ExampleOAuth AgentAPI Gateway RoutesOAuth ProxyBrowser-Based ApplicationSummary
14. User Authentication
Modern Authentication FlowsUser Authentication MethodsPasswordsExternal Identity ProvidersOne-Time PasswordsPasswordless AuthenticationIdentity ProofingCustom User AuthenticationUser Authentication TechniquesMultifactor AuthenticationStep-Up AuthenticationSingle Sign-OnChanging Authentication MethodsAccount LinkingAuthentication ActionsAuthentication SelectionUser Authentication LifecycleCustomization of User FormsUser OnboardingAccount RecoveryDenying AccessUser DecommissioningZero Trust User Authentication ExampleSummary
Index
About the Authors

Content preview from Cloud Native Data Security with OAuth

Chapter 9. Entitlements

You have seen how to design and work with access tokens so that you create a secure solution from the authorization server’s token issuance to clients sending the tokens to APIs. Eventually, the access token is a credential that your APIs use to perform authorization decisions, and you should understand what authorization techniques you can apply to it.

In this chapter, we introduce you to common models for designing entitlements and access control policies. We discuss how you can evolve your access control mechanisms with an entitlement management system (EMS) that makes sure that APIs grant users the right entitlements at the right time in a consistent and scalable manner with the help of the OAuth access token. To demonstrate the theory, we look into Open Policy Agent (OPA) and the relevant features as part of an EMS. Finally, we showcase our arguments with an end-to-end example that connects all the dots.

Access Control Models

Access control (aka authorization) is a security primitive that determines who can access what, in which way, and in what context. It distinguishes between the subject, that is, the entity requesting access; the object, that is, the protected resource like the user’s order history or company files; and the action, that is, what the subject is trying to do with the object (like read or write). Authentication is an important prerequisite for access controls to reliably identify the subject (“who”). In OAuth, the access token can ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098164874Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

Chapter 9. Entitlements

Access Control Models

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.