Securing your APIs
Protect your APIs from unauthorized access by applying authentication and authorization controls. IBM® API Connect supports multiple security mechanisms that you can apply depending on your gateway type and your security requirements.
Overview
When you expose an API, you expose application logic and potentially sensitive data. Without security controls, APIs are vulnerable to unauthorized access, misuse, and abuse. IBM API Connect provides a range of security mechanisms that you can use to control who can call your APIs and how they must authenticate.
API security in IBM API Connect works at two levels:
- Identity and access control: Determines who is allowed to call the API. You configure this by defining security schemes (for DataPower gateways) or by applying an Identify and Authorize policy (for the Nano Gateway and webMethods API Gateway).
- Transport security: Secures the connection between the client and the gateway, and between the gateway and the backend service, using TLS profiles.
The security mechanisms available to you depend on which gateway type your API is deployed to:
- DataPower API Gateway: Security is configured using security scheme definitions in the OpenAPI specification, combined with assembly policies such as User Security, Client Security, Validate JWT, and Generate JWT.
- DataPower Nano Gateway: Security is configured using built-in policies in the API assembly, including Extract Identity, Authenticate, and Authorize.
- webMethods API Gateway: Security is configured using the Identify and Authorize policy, which supports a wide range of authentication types including API key, OAuth 2.0, JWT, HTTP Basic, Kerberos, and certificate-based authentication.
Securing APIs on the DataPower API Gateway
For APIs deployed to the DataPower API Gateway, you secure an API by completing the following steps:
- Define a security scheme: A security scheme specifies the authentication mechanism that callers must use. The following security scheme types are supported:

| Security scheme type | Description |
|---|---|
| API key | Requires the caller to provide a client ID, or a client ID and client secret, in the request. This is the most common mechanism for identifying applications that subscribe to your API. |
| Basic authentication | Requires the caller to provide a username and password, validated against a user registry or authentication URL. |
| OAuth2 | Requires the caller to present a valid OAuth 2.0 access token. Supports multiple grant types including Authorization Code, Client Credentials, Resource Owner Password, and Implicit. Requires an OAuth provider to be configured. |
| HTTP Bearer (OpenAPI 3.0 only) | Requires the caller to present a Bearer token in the Authorization header. Use this with the Validate JWT policy to validate JSON Web Tokens. |
| OpenID Connect (OpenAPI 3.0 only) | Requires the caller to authenticate using an OIDC provider. Requires a native OAuth provider with OIDC settings configured. |

For OpenAPI 3.0 APIs, see Defining security scheme components.
- Apply the security scheme to the API or operation: After defining a security scheme, you must apply it to the API as a security requirement. You can apply security at the API level (applies to all operations) or override it at the individual operation level. For details, see Enforcing security requirements on an API and Enforcing security requirements on an operation.
- Optionally add assembly security policies: For advanced scenarios, you can add security policies to the API assembly to extend or customize authentication processing:
  - User Security: Extracts user credentials, authenticates them, and obtains authorization. Use this in OAuth provider assemblies or when you need custom authentication logic.
  - Client Security: Extends client authentication beyond what is defined in the OpenAPI specification. Use this when you need additional application identification options.
  - Validate JWT: Validates a JSON Web Token in the request before allowing access.
  - Generate JWT: Generates a JWT for use in downstream requests.
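The steps above, worked through as an added OpenAPI 3.0 fragment (this is an illustration written for this page, not an IBM sample): two API key schemes carry the client ID and client secret, a Bearer scheme carries a JWT, the API-level security requirement demands ID and secret together, and one operation overrides that to accept only a Bearer token. The API title and paths are assumed; the X-IBM-Client-Id and X-IBM-Client-Secret header names, the x-key-type extension and the x-ibm-configuration gateway setting are the API Connect conventions as assumed here, and the Bearer scheme only declares the token, so a Validate JWT policy still has to be added to the assembly to verify it.

```yaml
openapi: 3.0.3
info:
  title: orders          # assumed sample API, not from the IBM documentation
  version: 1.0.0
x-ibm-configuration:
  gateway: datapower-api-gateway   # assumed: targets the DataPower API Gateway
  enforced: true                   # the gateway enforces the security requirements below
components:
  securitySchemes:
    clientIdHeader:
      type: apiKey
      in: header
      name: X-IBM-Client-Id
      x-key-type: client_id        # API Connect extension (assumed spelling)
    clientSecretHeader:
      type: apiKey
      in: header
      name: X-IBM-Client-Secret
      x-key-type: client_secret
    bearerJwt:
      type: http
      scheme: bearer
      bearerFormat: JWT            # declared only; pair with the Validate JWT policy
# API-level requirement. Both schemes listed in ONE list item means the caller
# must send client ID AND client secret; separate list items would mean either.
security:
  - clientIdHeader: []
    clientSecretHeader: []
paths:
  /orders:
    get:
      # No operation-level security, so the API-level requirement applies.
      responses:
        "200":
          description: OK
  /orders/{id}/refund:
    post:
      # Operation-level override: this list REPLACES the API-level requirement,
      # so the refund operation accepts a Bearer JWT and nothing else.
      security:
        - bearerJwt: []
      responses:
        "200":
          description: OK
```

Declaring an empty `security: []` on an operation would remove the requirement entirely for that operation, so check each override against the intent before publishing.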
Securing APIs on the DataPower Nano Gateway
For APIs deployed to the DataPower Nano Gateway, security is configured entirely through assembly policies. The following security-related built-in policies are available:
| Policy | Description |
|---|---|
| Extract Identity | Extracts identity attributes from tokens or headers and stores them in context for use by downstream policies. |
| Authenticate | Validates the client identity using the configured authentication provider. |
| Authorize | Enforces access control by checking roles or permissions after authentication. |
| IBM Cloud Login | Authenticates clients using IBM Cloud App ID. |
| Set Authorization | Sets outbound authorization information for backend requests. |
| SQL Injection Filter | Detects and blocks SQL injection patterns in incoming requests. |
| CORS | Applies Cross-Origin Resource Sharing rules for browser-based clients. |
For a full list of Nano Gateway policies, see Built-in policies.
Securing APIs on the webMethods API Gateway
For APIs deployed to the webMethods API Gateway, security is configured using the Identify and Authorize policy. This policy supports the following authentication types:
| Authentication type | Description |
|---|---|
| API key | Identifies the application using an API key in the request. |
| HTTP Basic | Identifies and authenticates the application using a username and password in the Authorization header. |
| OAuth 2.0 | Identifies the application using an OAuth 2.0 access token. Supports internal and external authorization servers. |
| JWT | Identifies the application using a JSON Web Token, validating claims against configured providers. |
| OpenID Connect | Identifies the application using an OpenID Connect ID token. |
| Kerberos | Identifies the application using a Kerberos token (SOAP APIs only). |
| Certificate | Identifies the application using an SSL client certificate. |
| IP address | Identifies the application by its IP address range. |
| Hostname | Identifies the application by its hostname. |
| HTTP headers | Identifies the application using custom HTTP headers. |
| Payload element | Identifies the application using a value extracted from the request payload. |
Applying security globally
In addition to securing individual APIs, you can apply security policies globally across all APIs in a catalog or gateway:
- For DataPower gateways, use global policies to enforce security requirements on all APIs without modifying individual API definitions.
- For the webMethods API Gateway, use global policies to apply security configurations across all APIs at a gateway-wide level.
Related information
The following topics provide additional detail on specific security mechanisms: