Using OAuth, OIDC, and OPA for fine-grained authorization in microservices and APIs

OAuth and OpenID Connect (OIDC) are relatively mature and well-adopted standards. These work well for authentication in general and user authentication in particular. The evolution of securing access to APIs has moved from using Basic Authentication and static API keys that are easy to lose track of and difficult to manage, all the way to a full token-based architecture leveraging centralized trust using claims. Although it’s certainly possible to leverage this model to authorize what’s allowed, a more powerful, scalable, and flexible approach is to integrate with a fine-grained externalized authorization engine such as the Open Policy Agent (OPA).

In this webinar, experts from Styra and Curity will show:

• How the Authorization Server (OAuth/OIDC) takes care of authentication and issues access tokens.
• Tokens are passed on and consumed by the authorization engine (OPA).
• How scopes and claims of the access tokens can be used for access control decisions when the authorization policy is evaluated.

---

About Styra

Styra enables enterprises to define, enforce and monitor policy across their cloud-native environments. With a combination of open source (Open Policy Agent) and commercial solutions (Declarative Authorization Service), Styra provides security, operations and compliance guardrails to protect applications, as well as the infrastructure they run on. Styra policy-as-code solutions lets developers, DevOps and security teams mitigate risks, reduce human error and accelerate application development.

About Curity

Curity is the leading supplier of API-driven identity management, providing unified security for digital services. Curity Identity Server is the world’s most powerful OAuth and OpenID Connect Server; it is used for logging in and securing millions of users’ access to web and mobile apps over APIs and microservices. Curity Identity Server is built upon open standards and designed for development and operations.