OAuth Well Played – Mods and Combos for the Cloud Native API Security Game
A talk given by Curity's Judith Kahrer at the Nordic APIs 2024 Platform Summit.
Cloud native APIs are the product of orchestrated, distributed microservices that can disappear and respawn at any time. The question is, how can one microservice trust the others in such a dynamic environment? How do I know that I'm talking with one of my microservices and not a malicious one? More importantly, how can I trust incoming requests and perform adequate authorization in a microservice to avoid security incidents?

In this talk, Judith loots the documents of the OAuth 2.0 family of standards for useful patterns that combine cloud native practices with OAuth. The goal is to craft a security architecture for APIs that pairs common cloud native technologies, such as API gateways and workload identities, with various extensions of the OAuth protocol, and to demonstrate how to implement zero trust in a modern way.