book

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

March 2025

Intermediate to advanced

390 pages

10h 55m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Foreword
Preface
Why We Wrote This BookWho This Book Is ForWhat You Will LearnCloud Native EnvironmentsWhat This Book Is NotUsing Code ExamplesTerminologyThis Book’s StructureConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
I. Introducing Cloud Native OAuth
1. Why Do You Need OAuth?
API-First SecurityWhat Is OAuth 2.0?Zero Trust SecurityAPIs with Perimeter SecurityAPIs with Infrastructure SecurityAPIs with Token-Based SecurityZero Trust for ClientsZero Trust for UsersAPI Supporting ComponentsCloud Native PlatformsSummary
2. OAuth 2.0 Distilled
RolesThe Abstract FlowThe Access TokenClient CapabilitiesPublic and Confidential ClientsThe Code FlowThe Device FlowThe Client Credentials FlowThe Refresh Token FlowOutdated FlowsOpenID ConnectThe Hybrid FlowUser InfoOAuth EvolutionSessions and LifecycleThe Revoke FlowTerminating SSOSummary
3. Security Architecture
What Is an API Security Architecture?Functions in the API Security ArchitectureIdentity ManagementAPI ManagementEntitlement ManagementThe Role of the ClientThe Role of the Access TokenWhat Security Components Do You Need?The Role of the Authorization ServerThe Role of the API GatewayThe Role of the Policy EngineAPI ResponsibilitiesClient ResponsibilitiesOperating Security ComponentsExtending OAuthSummary
4. OAuth Data Design
Authorization Server DataOAuth Configuration SettingsDesigning User AccountsPersonal DataBusiness User AttributesAPI User IdentitiesIdentity OperationsUser Management APIsMultiregionMultitenancyUser Migration Code ExampleSummary
II. Securing APIs with Tokens
5. Secure API Development
Unified API Security with JWT Access TokensValidating JWT Access TokensJSON Web KeysRotating Token Signing KeysJWT Standard ClaimsJWT Validation Best PracticesJWT Validation CodeAPI Authorization LogicUse Scopes for Coarse-Grained AuthorizationUse Claims for Fine-Grained AuthorizationDesign for FlexibilityHandling Token Expiry in APIsTesting Zero Trust APIsAPI Code ExampleSummary
6. Access Token Design
The Access Token ContractPublish the ContractVersion the ContractUnderstanding Token ScopeOpenID Connect ScopesHigh Privilege ScopesUnderstanding Token ClaimsWhat Constitutes a Good Claim?Relation of Claims to ScopesThe Audience ClaimData Sources for ClaimsObtaining the User’s ConsentManaging Access Tokens at ScaleScaling ScopesScaling ClaimsDesigning Token SharingToken ExchangeEmbedding Tokens in TokensAPI IntegrationsTokens for Asynchronous CommunicationSummary

7. Secure Access Tokens
Secure Access Token RequirementsAccess Token FormatsJWT Access TokensEncrypted JWT Access TokensOpaque Access TokensWrapped Opaque Access TokensAccess Token DeliveryIntrospectionThe Phantom Token PatternThe Split Token PatternHardening Access TokensChoose a JWT Signature AlgorithmUse Proof of PossessionStrengthen Browser CredentialsUse Least-Privilege Access TokensLimit Access Token LifetimesPlan for Token RevocationFollow Secure Development PracticesSummary
8. Proxies, Gateways, and Sidecars
HTTP Proxies, Ingress, and EgressThe API Gateway RoleExposing APIs in KubernetesConfigure NetworkingDeploy the API GatewayUse Ingress Resource to Expose APIsUse Gateway API Resources to Expose APIsChoose an Extensible GatewayTerminating TokensTermination of Opaque TokensTermination of Secure CookiesTermination of Sender-Constrained TokensAPI Gateways and Zero TrustThe Service Mesh RoleAPI Gateway Extensibility ExampleCreate a ClusterDeploy the API GatewayDeploy the Authorization ServerDeploy the Example APIRun an OAuth ClientUse the API Gateway Plug-inSummary
9. Entitlements
Access Control ModelsRole-Based Access ControlRelationship-Based Access ControlAttribute-Based Access ControlThe Principle of Least PrivilegeThe Role of Token-Based AuthorizationBenefits of an Entitlement Management SystemFlexibilityAuditabilitySecurity AgilityQuality Assurance via Policy as CodeScalable AuthorizationPolicyPolicy Administration PointPolicy Retrieval PointPolicy Decision PointPolicy Enforcement PointPolicy Information PointOpen Policy AgentWriting Policies in OPALoading External DataClaims-Based AuthorizationDecision ResultsAuditing Authorization DecisionsPolicy Retrieval in OPAExample DeploymentSummary
III. Operating Cloud Native OAuth
10. Workload Identities
Workload Identity IssuanceImplementing Request ConfidentialityRestricting Workload AccessHardening CredentialsUsing Platform-Issued JWTs as CredentialsUsing X.509 SVIDs as CredentialsHardening Bearer TokensLimitations of Workload IdentitiesWorkload Identities Code ExampleBase SetupUsing Workload Identities TransparentlyUsing JWT Workload IdentitiesUsing X.509 Workload IdentitiesSummary
11. Managing a Cloud Native Authorization Server
HostingComponentsClusteringAddressabilityDeploymentBuild ProcessEnvironment ConfigurationDeployment ProcessUpgradesData OperationUser Account UpdatesConfiguration UpdatesReliabilityHigh AvailabilityFast Problem ResolutionSecurity AuditingSummary
IV. Securing API Clients
12. OAuth for Native Applications
The Code FlowImplementing OAuth ClientsOAuth for Desktop ApplicationsOAuth for Mobile ApplicationsDevice Secure StorageHardening SecurityDynamic Client RegistrationUnique Keys Per DeviceApplication AttestationBrowserless User AuthenticationCode ExamplesConsole ApplicationDesktop ApplicationMobile ApplicationsSummary
13. OAuth for Browser-Based Applications
Web Application BasicsWebsite Versus Web ApplicationWeb Application ArchitectureBrowser-Based ApplicationsBrowser Security ThreatsClickjackingCross-Site Request ForgeryCross-Site ScriptingWeb Security MechanismsSame-Origin PolicyContent Security PolicySecure Cookie SettingsCross-Origin Resource SharingImplementing OAuth Using JavaScriptObtaining TokensPublic ClientsSilent AuthenticationRefreshing TokensToken StorageImplementing OAuth Using a Backend for FrontendThe BFF OAuth ClientThe BFF API RouterAPI-Driven ImplementationsThe BFF API InterfaceWeb Developer ExperienceHardening OAuth SecurityUsing Cookies in API RequestsDeployment ChoicesScaling DeploymentsChoosing a BFF ImplementationBrowser-Based Application Code ExampleOAuth AgentAPI Gateway RoutesOAuth ProxyBrowser-Based ApplicationSummary
14. User Authentication
Modern Authentication FlowsUser Authentication MethodsPasswordsExternal Identity ProvidersOne-Time PasswordsPasswordless AuthenticationIdentity ProofingCustom User AuthenticationUser Authentication TechniquesMultifactor AuthenticationStep-Up AuthenticationSingle Sign-OnChanging Authentication MethodsAccount LinkingAuthentication ActionsAuthentication SelectionUser Authentication LifecycleCustomization of User FormsUser OnboardingAccount RecoveryDenying AccessUser DecommissioningZero Trust User Authentication ExampleSummary
Index
About the Authors

Content preview from Cloud Native Data Security with OAuth

Chapter 10. Workload Identities

Once you complete your API authorization and deploy your APIs to Kubernetes, you are likely to have some further API security requirements, since OAuth alone does not solve all API security problems. Some security best practices, like hardening of containers and authorizing access to Kubernetes cluster resources, are outside the scope of this book. Instead, we want to highlight some characteristics of cloud native environments that can help to meet the following OAuth-related requirements:

Malicious parties must be unable to read confidential internal API traffic.
Only trusted clients must be able to reach the target APIs.
Malicious parties must be unable to impersonate your APIs by using its secrets.
Malicious parties must be unable to gain API access with a stolen token.

Cloud native infrastructure security provides additional building blocks that allow you to harden your API’s security by leveraging workload identities. A workload is a piece of software such as a microservice running in Kubernetes. A workload identity is a set of attributes including a workload identifier that describe a workload. Workloads can prove their identity via a cryptographically verifiable credential.

In Kubernetes, you commonly deploy workloads as a Deployment containing a ReplicaSet with one or more pods. Each pod contains the application container and zero or more sidecar containers. Platform components can provide each workload a cryptographically verifiable ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098164874Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

Chapter 10. Workload Identities

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.