Рет қаралды 1,295
Don't miss out! Join us at our next Flagship Conference: KubeCon + CloudNativeCon North America in Salt Lake City from November 12 - 15, 2024. Connect with our current graduated, incubating, and sandbox projects as the community gathers to further the education and advancement of cloud native computing. Learn more at kubecon.io
OAuth2 Token Exchange for Microservice API Security - Ahmet Soormally & Letz Yaara, Tyk
APIs need a way to authenticate, authorize and propagate identity between services. Load Balancers, API Gateways, ingress and chained microservice calls make propagating identity and authorization in a secure manner significantly more complex. In this session, we will dive into typical OAuth2.0 flows with practical examples using Keycloak. We will then illustrate some of the challenges you will face applying OAuth2 in a microservice environment, alongside the typical workarounds or hacks that are seen in the wild. We will discuss advantages and drawbacks of each approach, and most importantly highlight potential vulnerabilities. Finally, we will present a relatively new standard known as the OAuth2 Token Exchange RFC8693 as a recommended approach to authorization and propagating identity using Keycloak to demonstrate. Key Points: - OAuth 2.0 Essentials - Live Demo: with shortcomings applying OAuth2 in a microservice environment - Token Exchange RFC8693 Importance