Authentication

Authentication is one of the key components of any API gateway. In essence, it verifies that a particular consumer has permission to access the API, using a predefined set of credentials. Generally speaking, the aim of API authentication is to deny access to consumers who fail the authentication test.

Dynalight supports different plugins to enable different methods of API gateway authentication. You can even combine multiple methods using AND and OR logic, allowing you to establish more complex authentication procedures that only allow access in very specific circumstances.

There are special cases, such as the option to allow anonymous authentication, but the general aim remains to deny access to any consumer who fails the authentication test.

For external APIs, including human-facing and IoT APIs, it makes good sense to authenticate the endpoint before allowing it to transmit data via the API. This protects against mistaken and malicious submissions of data, helps to manage the total amount of data transmitted and provides a layer of security so that you can implement access control, including the option to cut off access when a subscription expires. 

Authorization

Authorization is the first line of defence for any system. It helps protect data and resources from unauthorized access. Dynalight uses OAuth 2.0 to authenticate users; OAuth 2.0 is generally accepted as the industry standard. A user can generate OAuth 2.0 credentials, which comprise a client_id and a client_secret. Using these, the user obtains an access token to use the services and routes within Dynalight. A given access token is valid for 1 hour, after which the user must request a refresh token using the expired access token. A user can create several OAuth 2.0 credentials for different services, routes and applications, and can manage them through our self-service Developer's portal. Credentials can be deleted once it has been checked that no automated process still depends on them.

Dynalight keeps a clear separation between the routes and services configured on the API gateway management system. Each service is tagged either as a basic service or as an advanced service. Basic services can be accessed by all valid users with OAuth 2.0 credentials. Access to advanced services, which can include confidential or high-profile information such as pricing or launch events, is granted only by the API Managers. A user is classified as either an Admin or a normal user. Only an Admin user can request permission for advanced services from the API Managers, by sending a clear explanation of the purpose and use cases for them. A normal user cannot request the routes of advanced services.
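As an added illustration (not Dynalight's own code), the following Python model puts the rules described above together: a client_id and client_secret are exchanged for a bearer token that expires after one hour, basic services are open to any valid token, and advanced services are allowed only where an API manager has recorded a grant. The `Gateway`, `Token` and `demo` names and the constructed credential store are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 3600  # the page states that an access token is valid for one hour
@dataclass
class Token:
    client_id: str
    issued_at: float
    def expired(self, now: float) -> bool:
        return now - self.issued_at >= TOKEN_TTL
@dataclass
class Gateway:
    credentials: dict                                    # client_id -> client_secret (constructed store)
    services: dict                                       # service name -> "basic" or "advanced"
    advanced_grants: dict = field(default_factory=dict)  # client_id -> advanced services an API manager granted
    tokens: dict = field(default_factory=dict)           # bearer value -> Token

    def issue_token(self, client_id: str, client_secret: str, now: float):
        # Constant-time compare; an unknown client_id fails the same way as a wrong secret.
        expected = self.credentials.get(client_id, "")
        if not hmac.compare_digest(expected.encode(), client_secret.encode()):
            return None
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(client_id, now)
        return value

    def authorize(self, bearer: str, service: str, now: float) -> str:
        token = self.tokens.get(bearer)
        if token is None:
            return "deny: unknown token"
        if token.expired(now):
            return "deny: token expired"
        tier = self.services.get(service)
        if tier is None:
            return "deny: unknown service"
        if tier == "basic" or service in self.advanced_grants.get(token.client_id, ()):
            return "allow"
        return "deny: advanced service not granted"

def demo() -> dict:
    # Constructed sample: app-1 holds a grant for the advanced "pricing" service, app-2 does not.
    gw = Gateway(credentials={"app-1": "s3cret", "app-2": "other"},
                 services={"catalog": "basic", "pricing": "advanced"},
                 advanced_grants={"app-1": {"pricing"}})
    t0 = 1_700_000_000.0
    t1, t2 = gw.issue_token("app-1", "s3cret", t0), gw.issue_token("app-2", "other", t0)
    return {"bad_secret": gw.issue_token("app-1", "wrong", t0),
            "basic": gw.authorize(t1, "catalog", t0 + 10),
            "granted": gw.authorize(t1, "pricing", t0 + 10),
            "not_granted": gw.authorize(t2, "pricing", t0 + 10),
            "expired": gw.authorize(t1, "catalog", t0 + TOKEN_TTL)}
```

Every denial carries a distinct reason so that the gateway's access log can separate expired tokens from missing advanced grants, which is the signal an API manager needs when reviewing access requests.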

We would love to explain to you how we manage over 2 billion requests per month for a single customer.

So, why not let us reach out to schedule a call?