Free extract from the online version of the Manning book API Security in Action.

11 Securing service-to-service APIs


This chapter covers

  • Authenticating services with API keys and JWTs
  • Using OAuth2 for authorizing service-to-service API calls
  • TLS client certificate authentication and mutual TLS
  • Credential and key management for services
  • Making service calls in response to user requests

11.1  API keys and JWT bearer authentication

11.2  The OAuth2 client credentials grant

11.2.1    Service accounts

11.3  The JWT bearer grant for OAuth2

11.3.1    Client authentication

11.3.2    Service account authentication

11.4  Mutual TLS authentication

11.4.1    How TLS certificate authentication works

11.4.2    Client certificate authentication

11.4.3    Verifying client identity

11.4.4    Using a service mesh

11.4.5    Mutual TLS with OAuth2

11.4.6    Certificate-bound access tokens

11.5  Managing service credentials

11.5.1    Kubernetes secrets

11.5.2    Key and secret management services

11.5.3    Avoiding long-lived secrets on disk

11.5.4    Key derivation

11.6  Service API calls in response to user requests

11.6.1    The phantom token pattern

11.6.2    OAuth2 token exchange

11.7  Summary
