Last-mile security protects the backend services that are proxied by API Services. The primary goal of last-mile security is to prevent so-called "end-run" attacks, where an app developer discovers the URL for a backend service and bypasses any API proxies to directly hit the backend URL.
Following are the primary options for setting up last-mile security:
- Client TLS/SSL
- Outbound authentication
- Node.js tls module
The primary mechanism for securing the last-mile is client TLS/SSL, which is also known as 'mutual authentication'.
Last-mile security can also be enforced by requiring the API proxy to present a credential to the backend service.
For example, you may wish to have an API proxy present an API key to your backend service. You could also have an API proxy obtain and present a OAuth client credentials access token.
API keys can be applied to outbound requests from API proxies to backend services. This assumes that the backend service is an API that is capable of issuing and validating API keys.
If you do set up an API proxy to present an API key on outbound requests, you must store the API key in a place where it can be retrieved by the API proxy at runtime. One location available for storing API keys is a key/value map. See Key Value Map Operations policy.
You can use the AssignMessage policy type to add the API key as an HTTP header, query parameter, or payload element to the outbound request. See Assign Message policy.
To avoid exposing API keys over network, always configure server-side TLS/SSL on your backend services for outbound transactions that use API keys
OAuth client credentials
OAuth client credentials can be used to add a layer of revocability to API keys. If your backend services support OAuth client credentials, you can configure an API proxy to present a client credentials access token for each request.
The API proxy must be configured to perform a callout to obtain the access token from your token endpoint. The API proxy is also required to cache the access token, to prevent it from obtaining a new access token for each call.
Your backend services must be capable of issuing and validating access tokens using the client credentials grant type for this to work.
Always configure server-side TLS/SSL on your backend services for transactions that use access tokens.
A number of approaches can be used to implement outbound client credentials.
A working outbound OAuth sample that uses client credentials is implemented in the Outbound OAuth sample on GitHub.
The GenerateSAMLAssertion policy type can be used to attach a SAML assertion to an outbound XML request message, from the API proxy to a backend service. This enables the backend service to perform authentication and authorization on requests received from API proxies.
If your API proxy target is a Node.js application, you can use the Node.js
tls module to create secure connections to backend services. You make outgoing requests with the
tls module the same way you would normally in Node.js. Basically, you need to add client-side keys and certificates (.pem files) to the resources/node directory and load them inside your script. For information on using the
tls module and its methods, see the Node.js tls module documentation. For more information, see Understanding Edge support for Node.js modules.
Help or comments?
- If something's not working: Ask the Apigee Community or see Apigee Support.
- If something's wrong with the docs: Send Docs Feedback
(Incorrect? Unclear? Broken link? Typo?)