Last-mile security

Last-mile security protects the backend services that are proxied by API Services. Its primary goal is to prevent so-called "end-run" attacks, where an app developer discovers the URL of a backend service and calls that URL directly, bypassing the API proxy and therefore every policy (authentication, quota, threat protection) that the proxy enforces. The backend should accept a request only when it can establish that the request came through the proxy.

Following are the primary options for setting up last-mile security:

  • Client SSL
  • Outbound authentication
  • Node.js tls module

Client SSL

The primary mechanism for securing the last mile is client SSL, also known as mutual authentication (mutual TLS): the API proxy presents a client certificate when it opens the TLS connection to the backend, and the backend accepts the connection only if that certificate chains to a CA it trusts. Because the credential is bound to the connection rather than carried in a header, it cannot be replayed by a client that has merely observed a request.

See Configuring SSL from Edge to the backend service.

Outbound authentication

Last-mile security can also be enforced by requiring the API proxy to present a credential to the backend service on every outbound request.

For example, you may wish to have an API proxy present an API key to your backend service. You could also have an API proxy obtain and present an OAuth client credentials access token.

API key

API keys can be applied to outbound requests from API proxies to backend services. This assumes that the backend service is an API that is capable of issuing and validating API keys.

If you do set up an API proxy to present an API key on outbound requests, you must store the API key in a place where it can be retrieved by the API proxy at runtime, rather than hard-coding it in the proxy bundle. One location available for storing API keys is a key/value map. See Key Value Map Operations policy.

You can use the AssignMessage policy type to add the API key as an HTTP header, query parameter, or payload element to the outbound request. See Assign Message policy. Prefer a header over a query parameter: query strings tend to end up in access logs and referrer headers on the backend side.

To avoid exposing API keys on the wire, always configure server-side SSL on your backend services for outbound transactions that use API keys.

OAuth client credentials

OAuth client credentials add expiry and revocability to what is otherwise a static API key: a leaked access token stops working when it expires or is revoked, whereas an API key remains valid until it is rotated. If your backend services support OAuth client credentials, you can configure an API proxy to present a client credentials access token on each request.

The API proxy must be configured to perform a callout to obtain the access token from your token endpoint. The API proxy is also required to cache the access token, so that it does not obtain a new access token for each call; the cache should refresh the token shortly before it expires rather than on the first failed request.

Your backend services must be capable of issuing and validating access tokens using the client credentials grant type for this to work.

Always configure server-side SSL on your backend services for transactions that use access tokens, since a bearer token is usable by anyone who captures it.

A number of approaches can be used to implement outbound client credentials.

A working outbound OAuth sample that uses client credentials is implemented in the Outbound OAuth sample on GitHub.

You can modify this sample to call your token endpoint to obtain an access token. This sample uses JavaScript to attach the token to the outbound request as an HTTP Authorization header. You could also use AssignMessage for this purpose.

SAML

The GenerateSAMLAssertion policy type can be used to attach a SAML assertion to an outbound XML request message, from the API proxy to a backend service. This enables the backend service to perform authentication and authorization on requests received from API proxies.

See SAML Assertion policies.

Node.js

If your API proxy target is a Node.js application, you can use the Node.js tls module to create secure connections to backend services. You make outgoing requests with the tls module the same way you would normally in Node.js. Basically, you add the client-side key and certificate (.pem files) to the resources/node directory and load them inside your script, passing them as the key and cert options; supply the CA that signs the backend's server certificate as the ca option so that the proxy verifies the backend as well, and leave rejectUnauthorized at its default of true. For information on using the tls module and its methods, see the Node.js tls module documentation. For more information, see Understanding Edge support for Node.js modules.

Get help

For help, see Apigee Customer Support.
