APIs for Authentication: A journey
Application Program Interface (API) key authentication is a technique that overcomes the hurdles of using shared credentials by using a unique key for each user. The key is usually in the form of a long series of letters and numbers that are different from the account login password. The owner provides the client with the key that helps the client access a website. When a client provides the said API key, the server allows the client to access data. The server has the power to limit administrative functions to any client for example in changing passwords, or deletion of accounts. API keys are sometimes used so that account passwords do not have to be given again and again. The APIs offer flexibility to limit control while also protecting user passwords.
API keys work a lot of different ways as they were conceived by multiple companies and they all have a different way of authentication. There are some API keys like Basic Auth that uses an established standard along with some strict rules. However, over time some familiar approaches are being used. These include putting the key in the Authorization header accompanying the username and password, another one just demands to add the key to the URL. Sometimes keys are buried in the request body together with the data. Wherever the key is added the outcome is the same, the server provides access to the user.
There are different security protocols being used like OAuth1.0a, Basic API authentication with TLS and OAuth2.0. Basic Auth is the simplest because it only uses the standard framework or language library. Because it is the simplest hence, it offers the least security and provides no advanced options, you are simply providing a username and password that is Base64 encoded.
OAuth1.0a has, on the other hand, the most secure security protocol as it uses a cryptographic signature, combined with a token secret, none and other request based information. As the token is never directly passed across the wire so there is no possibility of anyone seeing a password in transit, this provides an edge to OAuth1.0a. On the other hand, this level of security comes with a lot of complexity. You have to use hashing algorithms with strict steps, but now this problem has been overcome as every other programming language can do it for you.
Repose is another API authentication platform that provides open source API validation, HTTP request logging, rate limiting and much more. It employs a RESTful middleware platform that is easily scalable and extensible. OAuth2.0 and Auth0 are both open sources API authenticators. Both have a completely different approach from OAuth1.0a. The encryptions are handled by TLS (previously called SSL) rather than using cryptographic algorithms. There are not that many OAuth2.0 libraries so this provides a disadvantage to users. OAuth2.0 is used by big names like Google and Twitter.
Auth0 is a platform that allows authentication of apps and supports just about all identity providers on any device or cloud. It uses a secure HTTPs API key to integrating with other tools giving it a seamless experience. It provides the clients with the ability to authenticate with credentials that they are comfortable with.
Many management platforms for API are available, each platform bringing something unique on the table. Kong is an API manager that offers a range of plugins to improve security, better authentication services and management of inbound and outbound traffic. Kong acts as a gateway between the client and the API, providing different layers of rate limiting, logging, and authentication.
3Scale is another manager that separates traffic control and management layers, as a result it produces superior and unsurpassed scalability. It integrates many gateway deployments with Amazon, Heroku, and Red HatOpenshift, which are free to use. Additionally, plugins can also be added to libraries built in several different languages and they design custom API management protocols for organizations as well. Microsoft Azure also provides a host of options for users so that little effort is done on the client’s part and most of the work is accomplished by managers. Azure uses a professional front end and developer portal that make it more user-friendly. It offers the greatest number of options for APIs and thus attracts more clients.
Del Boomi can be thought of as a cloud middleware, plumbing between applications that reside on cloud or premise. They can efficiently manage data for social networks and other uses. Boomi communicates with data across different or common domains, giving it an added advantage. MuleSoft is another API manager that makes use of Anypoint platform, thus it re-architects the SOA infrastructure covering legacy systems, proprietary platforms, and custom integration. This results in a strong and agile business solution for their clients.
AWS cognito is another management system offered by Amazon web services. They offer an adaptive multi-layer design that includes products which ensure availability and resilience. AWS cognito is built with security as its key feature. It can be easily deployed on any platform, using lock library or custom build implementation that can be chosen from more than 50 integrations. It enables clients to authorize users through an external identity provider that assigns temporary security credentials for users to access your website/app. It employs external identity providers that support OpenID, SAML, and the option to integrate your own identity provider.
Recently, API has found its applications in health-related fields. A vast majority of healthcare providers and other companies in the healthcare industry are making use of the web and mobile services. They provide vital information to patients and help them share information with other prescribers. Medical APIs will also help with the integration between partner providers, patient support services, insurance companies and government agencies. But are these API’s HIPPA compliant is a question many users have. Yes, there are many providers that meet the challenge of conforming to client demands while also ensuring the security of medical data.
Apigee Edge, another platform enhances digital value chain from the back end for customers who engage an app. It is HIPPA (Health Insurance Portability and Accountability Act) and PCI compliant. Apigee maintains management compliance by a number of features that include, encrypting and masking information, protecting traffic and managing and securing all data.
For healthcare providers, there are other API managers that provide HIPPA compliance like TrueVault. TrueVault acts as an interface between internal data and external applications. For instance, if a diagnostic laboratory wants to provide online viewing of test results, by making use of TrueVault they can allow approved third parties to access that information without the use of custom APIs or hooks. Hence, it provides a secure service that not only saves time but delivers information to the patients via mobile and tablet interfaces.
Still, there are many challenges that API managers face in making optimized solutions for the healthcare sector. Lack of access to effective tools required for testing and monitoring these interfaces are a serious obstacle for the developers. Furthermore, the developers lack insight and feedbacks in medical APIs which is a critical factor in developing elaborate and engaging APIs that will be widely adopted by the medical field.