API Gateway Authorization Capabilities

Posted: Mon Feb 10, 2025 4:57 am
by relemedf5w023
Authorization for API
Authorization is a more complex topic, as it is often business and domain specific. Even though there are common types of authorization systems, such as role-based access control (RBAC), the roles and what each role can do will be specific to your system. However, there are several capabilities to look for in an API gateway that can be considered authorization, and you may want to be able to integrate this with your systems, just like with authentication.

If authorization is an attempt to answer the question "What are you allowed to do?", then there are some permissions on the edge of your network that your gateway must be able to verify:

- Are you even allowed to make this request? Your gateway should be able to immediately return a 403 or similar "Not Authorized" response if a user tries to make a request they shouldn't be making.
- How often are you allowed to make requests? Rate limiting is a form of permission, and is within the purview of the API gateway. Ideally, you should be able to configure the gateway to rate limit globally, by IP address, and by user ID.
- Where should you allow requests to be made? The systems that need to process your requests may be part of an authorization system. For example, in a multi-region architecture, you may require that clients in one region can only make requests to servers in that region. Your API gateway should be able to perform dynamic routing to support this.
- Working with OAuth2, which is often used together with OIDC. Where OIDC verifies your identity, the OAuth2 protocol provides authorization for access to the same systems.
Integration
The example of a multi-region architecture is a piece of a larger pattern. Your API gateway needs to be able to send requests to an authorization service and receive back instructions on what to do with them. Should they be forwarded? Redirected? Rejected? Because authorization is typically done in a proprietary way, and you want to protect your network at the edge, your edge needs to be able to integrate with your proprietary systems.
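The following is an added example, not code from the original post, showing how the edge checks listed above (permission to make the request at all, rate limits by global/IP/user, region-pinned routing) and the integration hook described in this section fit together in one authorization path. The RBAC table, the rate limits, the upstream URLs, the Request fields and the demo_authz_service stand-in for a proprietary authorization service are all assumptions constructed for illustration.

```python
"""Edge authorization for an API gateway: a constructed example (not the
post's own code) wiring together the checks the text describes."""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Decision(Enum):
    # The three answers an authorization service can give the edge.
    FORWARD = "forward"
    REDIRECT = "redirect"
    REJECT = "reject"


@dataclass
class Request:
    client_ip: str
    user_id: Optional[str]   # None when the caller is unauthenticated
    role: Optional[str]      # role established by the authentication step
    region: str              # region the client is calling from
    method: str
    path: str


# Constructed RBAC table: which roles may use which (method, path) pairs.
ROLE_PERMISSIONS = {
    "reader": {("GET", "/orders")},
    "admin": {("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders")},
}


class RateLimiter:
    """Fixed-window counter keyed by any string (IP, user ID, or 'global')."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._windows: Dict[str, Tuple[float, int]] = {}

    def allow(self, key: str, now: float) -> bool:
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:       # window expired: start a new one
            start, count = now, 0
        count += 1
        self._windows[key] = (start, count)
        return count <= self.limit


@dataclass
class Gateway:
    global_limit: RateLimiter
    ip_limit: RateLimiter
    user_limit: RateLimiter
    # Hypothetical hook to the organisation's own authorization service:
    # it receives the request and returns a Decision plus an optional target.
    authz_service: Callable[[Request], Tuple[Decision, Optional[str]]]
    region_upstreams: Dict[str, str] = field(default_factory=dict)

    def authorize(self, req: Request, now: float) -> Tuple[int, Decision, Optional[str]]:
        """Return (http_status, decision, upstream_or_redirect_target)."""
        # 1. Are you allowed to make this request at all? If not, 403 at the edge.
        allowed = ROLE_PERMISSIONS.get(req.role or "", set())
        if (req.method, req.path) not in allowed:
            return 403, Decision.REJECT, None
        # 2. How often are you allowed? Global, per-IP and per-user windows.
        if not (self.global_limit.allow("global", now)
                and self.ip_limit.allow(f"ip:{req.client_ip}", now)
                and self.user_limit.allow(f"user:{req.user_id}", now)):
            return 429, Decision.REJECT, None
        # 3. Where may the request go? Pin the client to its own region's upstream.
        upstream = self.region_upstreams.get(req.region)
        if upstream is None:
            return 403, Decision.REJECT, None
        # 4. Ask the proprietary authorization service: forward, redirect or reject?
        decision, target = self.authz_service(req)
        if decision is Decision.REJECT:
            return 403, decision, None
        if decision is Decision.REDIRECT:
            return 307, decision, target
        return 200, decision, upstream


def demo_authz_service(req: Request) -> Tuple[Decision, Optional[str]]:
    """Constructed stand-in for a real service: deletes are sent to a review queue."""
    if req.method == "DELETE":
        return Decision.REDIRECT, "https://review.example.internal/queue"
    return Decision.FORWARD, None


def build_gateway() -> Gateway:
    # Limits and upstream URLs are constructed sample values.
    return Gateway(
        global_limit=RateLimiter(limit=1000, window_seconds=60),
        ip_limit=RateLimiter(limit=5, window_seconds=60),
        user_limit=RateLimiter(limit=3, window_seconds=60),
        authz_service=demo_authz_service,
        region_upstreams={"eu": "https://api-eu.example.internal",
                          "us": "https://api-us.example.internal"},
    )


if __name__ == "__main__":
    gw = build_gateway()
    req = Request("203.0.113.5", "alice", "reader", "eu", "GET", "/orders")
    print(gw.authorize(req, now=time.time()))
```

The checks are ordered so that the cheapest, most decisive ones run first: a request the role can never make is rejected before it consumes a rate-limit slot, and the call out to the authorization service is only made for requests that have already passed the edge's own permission, rate and region checks.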