Protecting API Access with BIG-IP using OAuth
As more organizations use APIs in their systems, they've become targets for the not-so-good-doers so API Security is something you need to take seriously. Most APIs today use the HTTP protocol so organizations should protect them as they would ordinary web properties.
Starting in v13, BIG-IP APM is able to act as an OAuth Client, OAuth Resource Server and OAuth Authorization Server. In this example, we will show how to use BIG-IP APM to act as an OAuth Resource Server protecting the API.
In our environment, we’ve published an API (api.f5se.com) and we’re trying to get a list of departments in the HR database. The API is not natively protected and we want APM to enable OAuth protection to this API.
First, let’s try an unauthenticated request.
You can see we get the 401 Unauthorized response which is coming from the BIG-IP. In this instance we’re only sending 3 headers, Connection (close), Content Length (0) and WWW Authenticate (Bearer), indicating to the client that it wants Bearer Token authentication.
So we’ll get that authorization and a new access token.
Here the Getpostman.com (Postman toolchain for API developers) is preconfigured to get a new access token from the OAuth authorization server, which is a BIG-IP.
We will request the OAuth token and will need to authenticate to the BIG-IP.
After that, we get an authorization request. In this case, BIG-IP is acting as an Authorization server and is indicating to the resource owner (us) that there is a HR API application that wants to use certain information (about us) that the authorization server is going to provide.
In this case, it is telling us that the resource server wants to get scope api-email.
We’ll click Authorize and now we have our auth token and is saved in the Postman client.
Within the token properties we see that it expires in 300 seconds, it is a Bearer token and the scope is api-email and we get a refresh token as well.
Now we can add this token to the header and try to make a request again. And this time, we get a much better response.
We get a 200 OK, along with the headers of the application server. We’ll click on the Body tab within Postman, we’ll see the XML that the API has returned in response to the query for the list of departments that are available. There were no cookies being returned by the server if you were wondering about that tab. In the Headers tab we see the Authorization header that was being sent and the content of the Bearer token.
A simple way to easily protect your APIs leveraging OAuth 2.0 Resource Server capabilities in BIG-IP.
Special thanks to Michael Koyfman for the basis of the content and check out his full demo here.
ps
Related:
- Arno_Kobarg_623Nimbostratus
Great write up... Is there any information on setting up the F5 as the authorisation server ?
- Cory_BlankenshiAltostratus
Thanks for the write up. Question: how do you actually configure OAuth in APM to protect the API calls? The documentation does a great job of describing what OAuth is and what it can do on the F5. Translating that information into a solution to protect an API is what I was hoping for.
Also, that YouTube video is pretty much a waste of 4:34 minutes. It simply shows that OAuth works. It says nothing about how to do it. I mean, I know that OAuth works. I don't need to watch a Postman demo that proves it. :|