Protecting API Access with BIG-IP using OAuth


As more organizations build APIs into their systems, those APIs have become targets for attackers, so API security is something you need to take seriously. Most APIs today run over HTTP, so organizations should protect them as they would any ordinary web property.

Starting in v13, BIG-IP APM is able to act as an OAuth Client, OAuth Resource Server and OAuth Authorization Server. In this example, we will show how to use BIG-IP APM to act as an OAuth Resource Server protecting the API.

In our environment, we’ve published an API (api.f5se.com) and we’re trying to get a list of departments in the HR database. The API is not natively protected and we want APM to enable OAuth protection to this API.

First, let’s try an unauthenticated request.

You can see we get a 401 Unauthorized response, which is coming from the BIG-IP. In this instance it sends only three headers: Connection (close), Content-Length (0) and WWW-Authenticate (Bearer), indicating to the client that it wants Bearer token authentication.

So we’ll get that authorization and a new access token.

Here Postman (getpostman.com, the toolchain for API developers) is preconfigured to get a new access token from the OAuth authorization server, which is also a BIG-IP.

We will request the OAuth token and will need to authenticate to the BIG-IP.

After that, we get an authorization request. In this case, BIG-IP is acting as an Authorization Server and is indicating to the resource owner (us) that there is an HR API application that wants to use certain information about us that the authorization server is going to provide.

In this case, it is telling us that the resource server wants the api-email scope.

We’ll click Authorize, and now we have our access token, which is saved in the Postman client.

Within the token properties we see that it expires in 300 seconds, that it is a Bearer token with the scope api-email, and that we received a refresh token as well.

Now we can add this token to the header and try to make a request again. And this time, we get a much better response.

We get a 200 OK, along with the headers from the application server. If we click on the Body tab within Postman, we see the XML that the API has returned in response to the query for the list of available departments. No cookies were returned by the server, if you were wondering about that tab. In the Headers tab we see the Authorization header that was sent and the content of the Bearer token.
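To make the resource-server decisions in this walkthrough concrete, here is an added Python model of what the BIG-IP does in front of the API: it parses the Authorization header per RFC 6750, checks the token against the authorization server's view of it (expiry, scope), and answers 401 with a bare `WWW-Authenticate: Bearer` header when no token is presented, exactly the three-header response seen above. This is example code written for this page, not BIG-IP APM's own logic; the token values, the in-memory token store and the department XML are constructed stand-ins (a real resource server would validate a JWT or call the authorization server's introspection endpoint).

```python
import time
from typing import Dict, Optional, Tuple

# Constructed: the authorization server's record of tokens it issued.
# Token strings and timestamps are hypothetical sample values.
ISSUED_AT = 1_700_000_000
TOKEN_LIFETIME = 300  # matches the expires_in seen in Postman
TOKEN_STORE = {
    "tok-good-example": {"scope": {"api-email"}, "expires_at": ISSUED_AT + TOKEN_LIFETIME},
    "tok-wrong-scope": {"scope": {"api-profile"}, "expires_at": ISSUED_AT + TOKEN_LIFETIME},
}

# Constructed sample body standing in for the HR API's department list.
DEPARTMENTS_XML = "<departments><department>HR</department><department>IT</department></departments>"


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750 section 2.1).

    Returns None for a missing header, a non-Bearer scheme or an empty token.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def lookup_token(token: str, now: float) -> Optional[dict]:
    """Return the token record if it is known and not yet expired, else None."""
    entry = TOKEN_STORE.get(token)
    if entry is None or now >= entry["expires_at"]:
        return None
    return entry


def protect(headers: Dict[str, str], required_scope: str = "api-email",
            now: Optional[float] = None) -> Tuple[int, Dict[str, str], str]:
    """Resource-server gate: returns (status, response headers, body).

    401 with 'WWW-Authenticate: Bearer' when no usable token is presented,
    401 with error="invalid_token" when the token is unknown or expired,
    403 with error="insufficient_scope" when the scope does not cover the API,
    200 with the upstream body otherwise.
    """
    now = time.time() if now is None else now
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = parse_bearer(lower.get("authorization"))

    if token is None:
        # No credentials: challenge only, no error code (RFC 6750 section 3.1).
        return 401, {"Connection": "close", "Content-Length": "0", "WWW-Authenticate": "Bearer"}, ""

    entry = lookup_token(token, now)
    if entry is None:
        return 401, {"Connection": "close", "Content-Length": "0",
                     "WWW-Authenticate": 'Bearer error="invalid_token", '
                                         'error_description="The access token is unknown or expired"'}, ""

    if required_scope not in entry["scope"]:
        return 403, {"Connection": "close", "Content-Length": "0",
                     "WWW-Authenticate": f'Bearer error="insufficient_scope", scope="{required_scope}"'}, ""

    # Token accepted: pass the request through to the API (simulated here).
    return 200, {"Content-Type": "application/xml", "Content-Length": str(len(DEPARTMENTS_XML))}, DEPARTMENTS_XML


if __name__ == "__main__":
    t = ISSUED_AT + 10  # a moment shortly after issuance
    for hdrs in ({}, {"Authorization": "Bearer tok-good-example"},
                 {"Authorization": "Bearer tok-wrong-scope"}):
        status, rh, body = protect(hdrs, now=t)
        print(status, rh.get("WWW-Authenticate", ""), body[:40])
    print(protect({"Authorization": "Bearer tok-good-example"}, now=ISSUED_AT + TOKEN_LIFETIME)[0])
```

Running the block walks through the same sequence as the Postman session: the bare request is challenged with `Bearer`, the valid token with the right scope reaches the API, and the same token a full 300 seconds later is rejected as expired, which is when the refresh token would be used to obtain a new one.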

That is a simple way to protect your APIs by leveraging the OAuth 2.0 Resource Server capabilities in BIG-IP.

Special thanks to Michael Koyfman for the basis of the content, and check out his full demo here.

ps
