book

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

March 2025

Intermediate to advanced

390 pages

10h 55m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Foreword
Preface
Why We Wrote This BookWho This Book Is ForWhat You Will LearnCloud Native EnvironmentsWhat This Book Is NotUsing Code ExamplesTerminologyThis Book’s StructureConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
I. Introducing Cloud Native OAuth
1. Why Do You Need OAuth?
API-First SecurityWhat Is OAuth 2.0?Zero Trust SecurityAPIs with Perimeter SecurityAPIs with Infrastructure SecurityAPIs with Token-Based SecurityZero Trust for ClientsZero Trust for UsersAPI Supporting ComponentsCloud Native PlatformsSummary
2. OAuth 2.0 Distilled
RolesThe Abstract FlowThe Access TokenClient CapabilitiesPublic and Confidential ClientsThe Code FlowThe Device FlowThe Client Credentials FlowThe Refresh Token FlowOutdated FlowsOpenID ConnectThe Hybrid FlowUser InfoOAuth EvolutionSessions and LifecycleThe Revoke FlowTerminating SSOSummary
3. Security Architecture
What Is an API Security Architecture?Functions in the API Security ArchitectureIdentity ManagementAPI ManagementEntitlement ManagementThe Role of the ClientThe Role of the Access TokenWhat Security Components Do You Need?The Role of the Authorization ServerThe Role of the API GatewayThe Role of the Policy EngineAPI ResponsibilitiesClient ResponsibilitiesOperating Security ComponentsExtending OAuthSummary
4. OAuth Data Design
Authorization Server DataOAuth Configuration SettingsDesigning User AccountsPersonal DataBusiness User AttributesAPI User IdentitiesIdentity OperationsUser Management APIsMultiregionMultitenancyUser Migration Code ExampleSummary
II. Securing APIs with Tokens
5. Secure API Development
Unified API Security with JWT Access TokensValidating JWT Access TokensJSON Web KeysRotating Token Signing KeysJWT Standard ClaimsJWT Validation Best PracticesJWT Validation CodeAPI Authorization LogicUse Scopes for Coarse-Grained AuthorizationUse Claims for Fine-Grained AuthorizationDesign for FlexibilityHandling Token Expiry in APIsTesting Zero Trust APIsAPI Code ExampleSummary
6. Access Token Design
The Access Token ContractPublish the ContractVersion the ContractUnderstanding Token ScopeOpenID Connect ScopesHigh Privilege ScopesUnderstanding Token ClaimsWhat Constitutes a Good Claim?Relation of Claims to ScopesThe Audience ClaimData Sources for ClaimsObtaining the User’s ConsentManaging Access Tokens at ScaleScaling ScopesScaling ClaimsDesigning Token SharingToken ExchangeEmbedding Tokens in TokensAPI IntegrationsTokens for Asynchronous CommunicationSummary

7. Secure Access Tokens
Secure Access Token RequirementsAccess Token FormatsJWT Access TokensEncrypted JWT Access TokensOpaque Access TokensWrapped Opaque Access TokensAccess Token DeliveryIntrospectionThe Phantom Token PatternThe Split Token PatternHardening Access TokensChoose a JWT Signature AlgorithmUse Proof of PossessionStrengthen Browser CredentialsUse Least-Privilege Access TokensLimit Access Token LifetimesPlan for Token RevocationFollow Secure Development PracticesSummary
8. Proxies, Gateways, and Sidecars
HTTP Proxies, Ingress, and EgressThe API Gateway RoleExposing APIs in KubernetesConfigure NetworkingDeploy the API GatewayUse Ingress Resource to Expose APIsUse Gateway API Resources to Expose APIsChoose an Extensible GatewayTerminating TokensTermination of Opaque TokensTermination of Secure CookiesTermination of Sender-Constrained TokensAPI Gateways and Zero TrustThe Service Mesh RoleAPI Gateway Extensibility ExampleCreate a ClusterDeploy the API GatewayDeploy the Authorization ServerDeploy the Example APIRun an OAuth ClientUse the API Gateway Plug-inSummary
9. Entitlements
Access Control ModelsRole-Based Access ControlRelationship-Based Access ControlAttribute-Based Access ControlThe Principle of Least PrivilegeThe Role of Token-Based AuthorizationBenefits of an Entitlement Management SystemFlexibilityAuditabilitySecurity AgilityQuality Assurance via Policy as CodeScalable AuthorizationPolicyPolicy Administration PointPolicy Retrieval PointPolicy Decision PointPolicy Enforcement PointPolicy Information PointOpen Policy AgentWriting Policies in OPALoading External DataClaims-Based AuthorizationDecision ResultsAuditing Authorization DecisionsPolicy Retrieval in OPAExample DeploymentSummary
III. Operating Cloud Native OAuth
10. Workload Identities
Workload Identity IssuanceImplementing Request ConfidentialityRestricting Workload AccessHardening CredentialsUsing Platform-Issued JWTs as CredentialsUsing X.509 SVIDs as CredentialsHardening Bearer TokensLimitations of Workload IdentitiesWorkload Identities Code ExampleBase SetupUsing Workload Identities TransparentlyUsing JWT Workload IdentitiesUsing X.509 Workload IdentitiesSummary
11. Managing a Cloud Native Authorization Server
HostingComponentsClusteringAddressabilityDeploymentBuild ProcessEnvironment ConfigurationDeployment ProcessUpgradesData OperationUser Account UpdatesConfiguration UpdatesReliabilityHigh AvailabilityFast Problem ResolutionSecurity AuditingSummary
IV. Securing API Clients
12. OAuth for Native Applications
The Code FlowImplementing OAuth ClientsOAuth for Desktop ApplicationsOAuth for Mobile ApplicationsDevice Secure StorageHardening SecurityDynamic Client RegistrationUnique Keys Per DeviceApplication AttestationBrowserless User AuthenticationCode ExamplesConsole ApplicationDesktop ApplicationMobile ApplicationsSummary
13. OAuth for Browser-Based Applications
Web Application BasicsWebsite Versus Web ApplicationWeb Application ArchitectureBrowser-Based ApplicationsBrowser Security ThreatsClickjackingCross-Site Request ForgeryCross-Site ScriptingWeb Security MechanismsSame-Origin PolicyContent Security PolicySecure Cookie SettingsCross-Origin Resource SharingImplementing OAuth Using JavaScriptObtaining TokensPublic ClientsSilent AuthenticationRefreshing TokensToken StorageImplementing OAuth Using a Backend for FrontendThe BFF OAuth ClientThe BFF API RouterAPI-Driven ImplementationsThe BFF API InterfaceWeb Developer ExperienceHardening OAuth SecurityUsing Cookies in API RequestsDeployment ChoicesScaling DeploymentsChoosing a BFF ImplementationBrowser-Based Application Code ExampleOAuth AgentAPI Gateway RoutesOAuth ProxyBrowser-Based ApplicationSummary
14. User Authentication
Modern Authentication FlowsUser Authentication MethodsPasswordsExternal Identity ProvidersOne-Time PasswordsPasswordless AuthenticationIdentity ProofingCustom User AuthenticationUser Authentication TechniquesMultifactor AuthenticationStep-Up AuthenticationSingle Sign-OnChanging Authentication MethodsAccount LinkingAuthentication ActionsAuthentication SelectionUser Authentication LifecycleCustomization of User FormsUser OnboardingAccount RecoveryDenying AccessUser DecommissioningZero Trust User Authentication ExampleSummary
Index
About the Authors

Content preview from Cloud Native Data Security with OAuth

Preface

When you build digital solutions, your users run applications that access data over the internet. These applications can run on browsers, mobile devices, servers, or any other platform. They have one thing in common, though: they are API clients, and that means they call APIs to access data. APIs must enable secure data access because the data they serve may include intellectual property, personal data belonging to citizens or users, or information belonging to business partners. To protect data and access to it, you must secure both APIs and the application fetching the data. Such security requirements can originate from compliance and regulatory initiatives. One example is the European Union’s General Data Protection Regulation (GDPR), which governs user privacy and consent.

Managing data security and privacy in APIs and API clients is a difficult problem that requires an architectural solution. Your APIs must process user identities correctly so that each user gains access to only the correct API resources. To achieve that, you must apply business authorization in APIs. The exact authorization rules depend, of course, on your business use cases. Ideally, you ensure that every API request from a client includes an unforgeable and least-privilege API message credential. This credential conveys business permissions. You first verify such a credential in the API before you enforce your particular rules. When you protect every API request in this manner, for both external ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098164874Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Native Data Security with OAuth

by Gary Archer, Judith Kahrer, Michał Trojanowski

Preface

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.