Cloud Native Data Security with OAuth

Book description

With the growth of cloud native applications, developers increasingly rely on APIs to make everything work. But security often lags behind, making APIs an attractive target for bad actors looking to access valuable business data. OAuth is a popular way to address this issue, but this open standard doesn't provide sufficient guidelines for using API tokens to protect business data. That alone can lead to vulnerabilities and invite data breaches.

By using cloud native components in Kubernetes or similar platforms, organizations can implement a scalable, future-proof security architecture for their systems that follows a zero-trust approach to protect business data. You'll explore access tokens, claims, and token design with an emphasis on an API-first approach. This book takes readers through an end-to-end security architecture that scales to many components in a cloud native environment, while only requiring simple security code in applications and APIs.

You'll learn:

  • Why user identity must be part of your cloud native security stack
  • How to integrate user identity into APIs
  • How to externalize security, secure data access, and authenticate clients using OAuth
  • Methods for running security components in a Kubernetes cluster
  • How to use claims to protect business data in APIs
  • How to follow security best practices for client applications and APIs

Table of contents

  Brief Table of Contents (Not Yet Final)
  I. Introducing Cloud Native OAuth
    1. Why Do You Need OAuth?
      API-First Security
      What Is OAuth 2.0?
      Zero-Trust Security
        APIs with Perimeter Security
        APIs with Infrastructure Security
        APIs with Token-Based Security
        Zero-Trust for Clients
        Zero-Trust for Users
      API Supporting Components
      Cloud Native Platforms
      Summary
    2. OAuth 2.0 Distilled
      Roles
      The Abstract Flow
      The Access Token
      Client Capabilities
        Public and Confidential Clients
        The Code Flow
        Client Credentials Flow
        Refresh Token Flow
        Outdated Flows
      OpenID Connect
        The Hybrid Flow
        User Info
      OAuth Evolution
      Sessions and Lifecycle
        The Revoke Flow
        Terminating SSO
      Summary
    3. Security Architecture
      What Is an API Security Architecture?
      Functions in the API Security Architecture
        Identity Management
        API Management
        Entitlement Management
      The Role of the Client
      The Role of the Access Token
      What Security Components Do You Need?
      The Role of the Authorization Server
      The Role of the API Gateway
      The Role of the Policy Engine
      API Responsibilities
      Client Responsibilities
      Operating Security Components
      Summary
    4. OAuth Data Design
      Authorization Server Data
      OAuth Configuration Settings
      Designing User Accounts
        Personal Data
        Business User Attributes
        API User Identities
        Identity Operations
      User Management APIs
      Multi-Region
      Multi-Tenancy
      User Migration Code Example
      Summary
    5. Secure API Development
      Unified API Security with JWT Access Tokens
      Validating JWT Access Tokens
        JSON Web Keys
        Rotating Token Signing Keys
        JWT Standard Claims
        JWT Validation Best Practices
        JWT Validation Code
      API Authorization Logic
        Use Scopes for Coarse-Grained Authorization
        Use Claims for Fine-Grained Authorization
        Design for Flexibility
      Handling Token Expiry in APIs
      Testing Zero-Trust APIs
      API Code Example
      Summary
  II. Securing APIs with Tokens
    6. Access Token Design
      The Access Token Content Is a Contract
        The Contract Is Not a Secret
        Altering the Contract
      Understanding Token Scope
        OpenID Connect Scopes
      Understanding Claims
        What Constitutes a Good Claim?
        Relation of Claims to Scopes
        The Audience Claim
        Data Sources for Claims
      Obtaining the User’s Consent
      Managing Access Tokens at Scale
        Scaling Scopes
        Scaling Claims
      Designing Tokens Shared Across Multiple APIs
        Token Exchange
        Embedding Tokens in Tokens
        Designing Tokens for Asynchronous Communication
      Summary
  About the Authors

Product information

  • Title: Cloud Native Data Security with OAuth
  • Author(s): Gary Archer, Judith Kahrer, Michał Trojanowski
  • Release date: April 2025
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098164881