Cloud Native Data Security with OAuth - Helion
ebook
Autor: Gary Archer, Judith Kahrer, Michal TrojanowskiISBN: 9781098164843
stron: 390, Format: ebook
Data wydania: 2025-03-06
Księgarnia: Helion
Cena książki: 169,14 zł (poprzednio: 208,81 zł)
Oszczędzasz: 19% (-39,67 zł)
With the growth of cloud native applications, developers increasingly rely on APIs to make everything work. But security often lags behind, making APIs an attractive target for bad actors looking to access valuable business data. OAuth, a powerful framework for API security, offers tools to protect sensitive business data and enforce dynamic access controls. But to harness its full potential, you need more than standards—you need strategies for adapting to evolving security demands.
Designed for developers, architects, and security professionals, this guide provides everything you need to secure APIs in the cloud native era—ensuring your business data stays protected. You'll learn how to combine OAuth's token-based model with cloud native platforms like Kubernetes to build a scalable, zero trust security architecture. With OAuth, you can go beyond simple allow/deny rules and create security policies that align with business needs, while Kubernetes provides best-in-class deployment patterns to keep systems secure and efficient.
- Understand why user identity must be part of your cloud native security stack
- Discover how to integrate user identity into APIs
- Learn to externalize security and secure data access using OAuth
- Uncover methods for running security components in a Kubernetes cluster
- Get the latest security best practices for client applications and APIs
Osoby które kupowały "Cloud Native Data Security with OAuth", wybierały także:
- Biologika Sukcesji Pokoleniowej. Sezon 3. Konflikty na terytorium 117,27 zł, (12,90 zł -89%)
- Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
- Podręcznik startupu. Budowa wielkiej firmy krok po kroku 92,14 zł, (12,90 zł -86%)
- Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
- Prawa ludzkiej natury 75,88 zł, (12,90 zł -83%)
Spis treści
Cloud Native Data Security with OAuth eBook -- spis treści
- Foreword
- Preface
- Why We Wrote This Book
- Who This Book Is For
- What You Will Learn
- Cloud Native Environments
- What This Book Is Not
- Using Code Examples
- Terminology
- This Books Structure
- Conventions Used in This Book
- OReilly Online Learning
- How to Contact Us
- Acknowledgments
- I. Introducing Cloud Native OAuth
- 1. Why Do You Need OAuth?
- API-First Security
- What Is OAuth 2.0?
- Zero Trust Security
- APIs with Perimeter Security
- APIs with Infrastructure Security
- APIs with Token-Based Security
- Zero Trust for Clients
- Zero Trust for Users
- API Supporting Components
- Cloud Native Platforms
- Summary
- 2. OAuth 2.0 Distilled
- Roles
- The Abstract Flow
- The Access Token
- Client Capabilities
- Public and Confidential Clients
- The Code Flow
- A multistep approach
- Code flow HTTP messages
- Proof Key for Code Exchange
- The Device Flow
- The Client Credentials Flow
- The Refresh Token Flow
- Outdated Flows
- Password flow
- The implicit flow
- OpenID Connect
- The Hybrid Flow
- User Info
- OAuth Evolution
- Sessions and Lifecycle
- The Revoke Flow
- Terminating SSO
- Summary
- 3. Security Architecture
- What Is an API Security Architecture?
- Functions in the API Security Architecture
- Identity Management
- API Management
- Entitlement Management
- The Role of the Client
- The Role of the Access Token
- What Security Components Do You Need?
- The Role of the Authorization Server
- The Role of the API Gateway
- The Role of the Policy Engine
- API Responsibilities
- Client Responsibilities
- Operating Security Components
- Extending OAuth
- Summary
- 4. OAuth Data Design
- Authorization Server Data
- OAuth Configuration Settings
- Designing User Accounts
- Personal Data
- Business User Attributes
- API User Identities
- Identity Operations
- User Management APIs
- Multiregion
- Multitenancy
- User Migration Code Example
- Summary
- II. Securing APIs with Tokens
- 5. Secure API Development
- Unified API Security with JWT Access Tokens
- Validating JWT Access Tokens
- JSON Web Keys
- Rotating Token Signing Keys
- JWT Standard Claims
- JWT Validation Best Practices
- JWT Validation Code
- API Authorization Logic
- Use Scopes for Coarse-Grained Authorization
- Use Claims for Fine-Grained Authorization
- Design for Flexibility
- Handling Token Expiry in APIs
- Testing Zero Trust APIs
- API Code Example
- Summary
- 6. Access Token Design
- The Access Token Contract
- Publish the Contract
- Version the Contract
- Understanding Token Scope
- OpenID Connect Scopes
- High Privilege Scopes
- Understanding Token Claims
- What Constitutes a Good Claim?
- Relation of Claims to Scopes
- The Audience Claim
- Data Sources for Claims
- Obtaining the Users Consent
- Managing Access Tokens at Scale
- Scaling Scopes
- Scaling Claims
- Designing Token Sharing
- Token Exchange
- Embedding Tokens in Tokens
- API Integrations
- Tokens for Asynchronous Communication
- Summary
- The Access Token Contract
- 7. Secure Access Tokens
- Secure Access Token Requirements
- Access Token Formats
- JWT Access Tokens
- Encrypted JWT Access Tokens
- Opaque Access Tokens
- Wrapped Opaque Access Tokens
- Access Token Delivery
- Introspection
- The Phantom Token Pattern
- The Split Token Pattern
- Hardening Access Tokens
- Choose a JWT Signature Algorithm
- Use Proof of Possession
- Strengthen Browser Credentials
- Use Least-Privilege Access Tokens
- Limit Access Token Lifetimes
- Plan for Token Revocation
- Follow Secure Development Practices
- Summary
- 8. Proxies, Gateways, and Sidecars
- HTTP Proxies, Ingress, and Egress
- The API Gateway Role
- Exposing APIs in Kubernetes
- Configure Networking
- Deploy the API Gateway
- Use Ingress Resource to Expose APIs
- Use Gateway API Resources to Expose APIs
- Choose an Extensible Gateway
- Terminating Tokens
- Termination of Opaque Tokens
- Termination of Secure Cookies
- Termination of Sender-Constrained Tokens
- API Gateways and Zero Trust
- The Service Mesh Role
- API Gateway Extensibility Example
- Create a Cluster
- Deploy the API Gateway
- Deploy the Authorization Server
- Deploy the Example API
- Run an OAuth Client
- Use the API Gateway Plug-in
- Summary
- 9. Entitlements
- Access Control Models
- Role-Based Access Control
- Relationship-Based Access Control
- Attribute-Based Access Control
- The Principle of Least Privilege
- The Role of Token-Based Authorization
- Benefits of an Entitlement Management System
- Flexibility
- Auditability
- Security Agility
- Quality Assurance via Policy as Code
- Scalable Authorization
- Policy
- Policy Administration Point
- Policy Retrieval Point
- Policy Decision Point
- Policy Enforcement Point
- Policy Information Point
- Open Policy Agent
- Writing Policies in OPA
- Loading External Data
- Claims-Based Authorization
- Decision Results
- Auditing Authorization Decisions
- Policy Retrieval in OPA
- Example Deployment
- Summary
- Access Control Models
- III. Operating Cloud Native OAuth
- 10. Workload Identities
- Workload Identity Issuance
- Implementing Request Confidentiality
- Restricting Workload Access
- Hardening Credentials
- Using Platform-Issued JWTs as Credentials
- Using X.509 SVIDs as Credentials
- Hardening Bearer Tokens
- Limitations of Workload Identities
- Workload Identities Code Example
- Base Setup
- Using Workload Identities Transparently
- Using JWT Workload Identities
- Using X.509 Workload Identities
- Summary
- 11. Managing a Cloud Native Authorization Server
- Hosting
- Components
- Clustering
- Addressability
- Runtime workload URLs
- Admin workload URLs
- Internal URLs
- Deployment
- Build Process
- Environment Configuration
- Deployment Process
- Upgrades
- Data Operation
- User Account Updates
- Configuration Updates
- Reliability
- High Availability
- Fast Problem Resolution
- Security Auditing
- Summary
- Hosting
- IV. Securing API Clients
- 12. OAuth for Native Applications
- The Code Flow
- Implementing OAuth Clients
- OAuth for Desktop Applications
- OAuth for Mobile Applications
- Device Secure Storage
- Hardening Security
- Dynamic Client Registration
- Unique Keys Per Device
- Application Attestation
- Browserless User Authentication
- Code Examples
- Console Application
- Desktop Application
- Mobile Applications
- Summary
- 13. OAuth for Browser-Based Applications
- Web Application Basics
- Website Versus Web Application
- Web Application Architecture
- Browser-Based Applications
- Browser Security Threats
- Clickjacking
- Cross-Site Request Forgery
- Cross-Site Scripting
- Web Security Mechanisms
- Same-Origin Policy
- Content Security Policy
- Secure Cookie Settings
- Cross-Origin Resource Sharing
- Implementing OAuth Using JavaScript
- Obtaining Tokens
- Public Clients
- Silent Authentication
- Refreshing Tokens
- Refresh token rotation
- Sender-constrained refresh tokens
- Token Storage
- Web Storage API
- In-memory storage
- JavaScript cookies
- Secure token storage
- Implementing OAuth Using a Backend for Frontend
- The BFF OAuth Client
- The BFF API Router
- API-Driven Implementations
- The BFF API Interface
- Web Developer Experience
- Hardening OAuth Security
- Using Cookies in API Requests
- Deployment Choices
- Scaling Deployments
- Choosing a BFF Implementation
- Browser-Based Application Code Example
- OAuth Agent
- API Gateway Routes
- OAuth Proxy
- Browser-Based Application
- Summary
- Web Application Basics
- 14. User Authentication
- Modern Authentication Flows
- User Authentication Methods
- Passwords
- External Identity Providers
- One-Time Passwords
- Passwordless Authentication
- Identity Proofing
- Custom User Authentication
- User Authentication Techniques
- Multifactor Authentication
- Step-Up Authentication
- Single Sign-On
- Changing Authentication Methods
- Account Linking
- Authentication Actions
- Authentication Selection
- User Authentication Lifecycle
- Customization of User Forms
- User Onboarding
- Account Recovery
- Denying Access
- User Decommissioning
- Zero Trust User Authentication Example
- Summary
- Index