Last-mile security protects the backend services that are proxied by API Services. The primary goal of last-mile security is to prevent so-called "end-run" attacks, where an app developer discovers the URL for a backend service and bypasses any API proxies to directly hit the backend URL.
Following are the primary options for setting up last-mile security:
- Client SSL
- Outbound authentication
The primary mechanism for securing the last-mile is client SSL, which is also known as 'mutual authentication'.
Last-mile security can also be enforced by requiring the API proxy to present a credential to the backend service.
For example, you may wish to have an API proxy present an API key to your backend service. You could also have an API proxy obtain and present a OAuth client credentials access token.
API keys can be applied to outbound requests from API proxies to backend services. This assumes that the backend service is an API that is capable of issuing and validating API keys.
If you do set up an API proxy to present an API key on outbound requests, you must store the API key in a place where it can be retrieved by the API proxy at runtime. One location available for storing API keys is a key/value map. See Persist data using KeyValueMap.
You can use the AssignMessage policy type to add the API key as an HTTP header, query parameter, or payload element to the outbound request. See Generate or modify messages using AssignMessage.
To avoid exposing API keys over network, always configure server-side SSL on your backend services for outbound transactions that use API keys
OAuth client credentials
OAuth client credentials can be used to add a layer of revocability to API keys. If your backend services support OAuth client credentials, you can configure an API proxy to present a client credentials access token for each request.
The API proxy must be configured to perform a callout to obtain the access token from your token endpoint. The API proxy is also required to cache the access token, to prevent it from obtaining a new access token for each call.
Your backend services must be capable of issuing and validating access tokens using the client credentials grant type for this to work.
Always configure server-side SSL on your backend services for transactions that use access tokens.
A number of approaches can be used to implement outbound client credentials.
A working outbound OAuth sample that uses client credentials is implemented in the Outbound OAuth sample on GitHub.
The GenerateSAMLAssertion policy type can be used to attach a SAML assertion to an outbound XML request message, from the API proxy to a backend service. This enables the backend service to perform authentication and authorization on requests received from API proxies.
For help, see Apigee Customer Support.