APIs are a critical infrastructure component and help to drive the modern digital economy. If your organization is using APIs, you can’t afford for them to go down. If your APIs are attacked successfully, it can lead to data loss, frustrated customers, and hits to your revenue and reputation. Strong authentication (Who is the client or user?) and authorization (What can the client or user do?) practices are essential to ensuring your APIs are secure.
In this blog post, I’ll cover oAuth2.0, which has become the de facto standard for authenticating APIs and users in modern hybrid multi-cloud architectures (single page apps, progressive web apps, mobile clients, and microservices). We’ll also look at how you can leverage the Citrix API authentication and authorization solution to protect your APIs and simplify your app deployment.
What Is oAuth2.0?
oAuth2.0 provides an interoperable framework to convey authorization information. It uses short-lived tokens — JSON Web Tokens (JWT) or opaque tokens — with limited rights as a means to provide delegated access control.
A valid token indicates that the client (user) has been authenticated and any requested permissions (claims) are present in the token, the permissions may be used for authorization policy decisions. Clients include the token in the requests using the Authorization header with “Bearer” type, like this:
"Authorization: Bearer <token>"
Other commonly used authentication methods like basic authentication and API keys are less secure because of the risk of exposure of credentials (username, password or API keys); mutual TLS, often used in service-to-service scenarios, is more complex to deploy. oAuth2.0 provides a more robust and scalable solution by decoupling authentication and authorization. It eliminates issues around credential sharing by giving users more control over their data; supports a variety of devices; and is extensible and can be developed upon.
Citrix API Gateway: Authentication and Authorization
Citrix ADC is the foundation of the Citrix API gateway solution and serves as the data plane (run-time proxy), with Citrix Application Delivery Management (ADM) serving as the management plane. (You can use Kubernetes as the controller in a cloud-native environment.)
Citrix ADC provides comprehensive authentication and authorization features and supports various authentication protocols, including oAuth2.0. You can create authentication and authorization policies for fine-grain access control to your apps’ web and API resources.
With the Citrix API gateway solution, you don’t have to deal with implementing different authentication protocols for your app. It’s deployed in front of your app and handles authentication and authorization.
A Traditional HMC Deployment
Citrix ADM service provides the control/management plane for the API gateway solution in on-prem and cloud deployments. You can carry out your configuration workflows using the intuitive UI or with APIs.
To configure an oAuth policy to validate JWT tokens using the Citrix ADM UI, first navigate to Applications → API Gateway → Policy.
Create a policy by selecting a deployment and upstream. Choose the ‘oAuth’ policy type and enter your details, as shown below.
The JWKS URI is the URL where you’ll find the signature “keys” for the token issuer; these are fetched and used to validate tokens. The Issuer and Audience should match the values present in the token.
Citrix ADC can enhance your security posture because it supports the best practices for JWT validation outlined in RFC8725, including validation of issuer and audience. You can also limit the signature algorithms to asymmetric variants.
If your use case requires you to validate “opaque” tokens, the introspection URL needs to be configured along the with client ID and secret. The URL is used to reach out to the authorization server for token validation. The API gateway uses the client ID and secret to identify itself to the authorization server.
Please note, Citrix ADC uses a positive security model, so when you configure an auth policy for some API resources, you’ll configure the “No Auth” policy for the remaining API resources to skip authentication. Otherwise, access will be denied with a 401 error message.
Citrix ADC supports authorization policies, too. If you want to verify access privileges to a resource, you generally check the claims associated with the token using authorization policies. The policies can verify whether the required claims are present in the token received with an API request.
In the Citrix ADM service, navigate to Applications → API Gateway → Policy.
Create the policy by selecting a deployment and upstream. Choose the “Authorization” policy type and enter the required claims and values expected for the selected resource endpoints. You should save any claims that you want to use here as part of your authentication configuration.
Please note, if the API resources have authentication policies, you’ll need to create authorization policies also for those API resources. Otherwise, you’ll get a 403 error message. If you do not need authorization checks, you can create an authorization policy with empty claims.
Deploying in Kubernetes Environment
Apps are usually deployed as microservices in a Kubernetes environment. The configuration is applied using the Kubernetes APIs or a command line utility like ‘kubectl’ and config files. Citrix ADC provides custom resource definitions (CRDs) for an app-specific configuration.
Authentication and authorization policies are configured using the Auth CRD, which comes with the Citrix Ingress Controller. Typically, users apply the CRD spec, create one or more instances with values required to configure the desired authentication and authorization policies, then apply those. The following yaml file shows the use of the oAuth JWT token validation setup:
If you save the config as auth-example.yaml file and you already have a Citrix Ingress Controller running in your cluster, you can take these steps to create the auth policies:
# kubectl create -f auth-crd.yaml
customresourcedefinition.apiextensions.k8s.io/authpolicies.citrix.com created
# kubectl create -f auth-example.yamlAnalytics and Observability
Citrix ADM has a breadth of analytics features to support observability, performance, and security monitoring. For authentication, it provides the number of authentication requests, successes, and failures, as well as reason for failures both at the API level and for each resource individually.
Citrix ADC is also integrated with open source tools like elastic search, Kibana, Prometheus, and Grafana, and you can use these to build custom reports.
Conclusion
There are several methods for API authentication and authorization, but oAuth2.0 is the most popular, scalable and secure. Citrix API gateway supports oAuth2.0 in traditional on-prem and cloud deployments, as well as in Kubernetes deployments.
Learn more about API gateway policy creation using Citrix ADM service and the Citrix Ingress Controller Auth CRD.
