tadayosi commented on a change in pull request #715:
URL: https://github.com/apache/camel-website/pull/715#discussion_r768275944
##########
File path: content/blog/2021/12/api-management-infra/index.md
##########
@@ -0,0 +1,224 @@
+---
+title: "A high-security API management infrastructure using Apache Camel"
+date: 2021-12-13
+authors: [Yang-Xie-OSS]
+categories: ["Usecases"]
+preview: "How a high-security API management infrastructure is implemented
using Camel and Keycloak"
+---
+
+I'm an engineer working at the OSS solution center of Hitachi, Ltd. Hitachi,
Ltd. is a company that provides IT services & platforms in Japan and other
countries. In our organization, OSS solution center, we are working on
providing the IT services with the OSS. In my case, I'm working on Keycloak,
3scale and Camel, providing the technical support and considering the use cases
of them. And I'm also an open source contributor for Keycloak.
+
+## API management infrastructure
+
+When being used as an API Gateway, Apache Camel (hereinafter called "Camel")
can use its various functions like protocol conversion and mash-up to support
complex requirements flexibly. By adding Keycloak as an OAuth 2.0 authorization
server, we can obtain an API management infrastructure which can also perform
API authentication.
+
+### What is Keycloak?
+
+Keycloak is an identity and access management OSS. As an OAuth 2.0
authorization server, Keycloak supports OAuth 2.0 and a part of related
standards, that will play a big role in a later chapter.
+
+### Architecture Overview
+
+As shown in the picture below, the API management infrastructure can perform
reverse proxy, protocol conversion, data conversion, mash-up, flow control, API
documentation publishing and metrics. Besides, it also can perform simple API
authorization by token issuance & management that is provided by Keycloak.
+
+{{< image "API-management-infrastructure.png" "API management infrastructure"
>}}
+
+## Drawbacks of security
+
+Although the existing API management infrastructure has taken a security
measure as token issuance & management, there are also three drawbacks of its
security:
+
+1. Inadequate token validation.
+1. No API access management for each API.
+1. No prevention for token stealing.
+
+All drawbacks will cause API abuse. I'll explain them in detail in the
following.
+
+### Drawback 1: Inadequate token validation
+
+The existing API management infrastructure only does minimal validations such
as checking signature and expiration time after receiving an access token.
Because an access token can be invalidated before its expiration time (as an
"inactive" access token), only doing the minimal validations may incorrectly
determine an inactive access token as valid. Attackers can use such inactive
access tokens to access the API.
+
+### Drawback2: No access management for each API
+
+The existing API management infrastructure have no access management for each
API. As a result, anyone can access an arbitrary API with full authority. It
will lead to many security issues, as well as a large risk for data breaches.
+
+### Drawback3: No prevention for token stealing
+
+The existing API management infrastructure have no prevention for access token
stealing. Attackers can use a stolen access token to access the API.
+
+## Security enhancement with Keycloak
+
+For overcoming the security drawbacks, we can use three mechanisms defined in
OAuth 2.0 and its related standards. They're token introspection, scope check
and OAuth MTLS. All of them are supported by Keycloak. I'll explain them in
detail in the following, and show you how to implement them by developing Camel
applications with the support of Keycloak.
+
+### Token introspection
+
+{{< image "Token-introspection.png" "Token introspection" >}}
+
+Token introspection is a mechanism for validating access token by requesting
an authorization server. It is defined in
[RFC7662](https://datatracker.ietf.org/doc/html/rfc7662), a related standard of
OAuth 2.0.
+
+In token introspection, API gateway sends an introspection request that
includes the access token to validate to the authorization server.
Introspection request uses POST method and "application/x-www-form-urlencoded"
content type, and includes the access token in the request body as a parameter
called token.
+
+The following is an example introspection request.
+
+```
+ POST /introspect HTTP/1.1
+ Host: server.example.com
+ Accept: application/json
+ Content-Type: application/x-www-form-urlencoded
+
+ token=2YotnFZFEjr1zCsicMWpAA
+```
+Usually, the introspection response includes a set of information about the
access token if it is active.
+
+```json
+{
+ "active": true,
+ "client_id": "l238j323ds-23ij4",
+ "username": "jdoe",
+ "scope": "read write dolphin",
+ "sub": "Z5O3upPC88QrAjx00dis",
+ "aud": "https://protected.example.net/resource",
+ "iss": "https://server.example.com/",
+ "exp": 1419356238,
+ "iat": 1419350238,
+ "extension_field": "twenty-seven"
+}
+```
+If the access token is not active, the following response is returned instead.
+
+```json
+{
+ "active": false
+}
+```
+
+#### Support in Keycloak
+
+For supporting token introspection, Keycloak provides an introspection
endpoint to receive the introspection request.
+
+After receiving the introspection request, Keycloak inspects the access token
with several steps including validate the session linked with the access token.
+
+Session is a data structure used in Keycloak for storing user�fs login
information. Access token is generated from session and every access token is
linked with one session. Access token and the linked session have the same
value of their validities. Therefore, if the linked session is validated to
invalid, the access token also will be validated to invalid even if its
expiration time hasn�ft been reached.
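Review bot: the example introspection request (`POST /introspect ... token=2YotnFZFEjr1zCsicMWpAA`) carries no client authentication, yet the text cites RFC7662, whose own example sends an `Authorization` header and which requires the introspection endpoint to be protected so that unauthenticated callers cannot scan tokens; since Keycloak's introspection endpoint likewise requires the calling client to authenticate (client id and secret via HTTP Basic, for instance), the example should include that header and the "Support in Keycloak" section should state that the API gateway must be registered as a client and authenticate to the endpoint, otherwise readers may deploy an introspection call that Keycloak rejects or, worse, assume the endpoint is anonymous. Smaller points in the same hunk: the mojibake in `user�fs` and `hasn�ft` should be plain ASCII apostrophes; the headings `Drawback2:` and `Drawback3:` are missing the space that `Drawback 1:` has; and "The existing API management infrastructure have no ..." (twice) should read "has no ...", while "validated to invalid" would read better as "found to be invalid".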
Review comment:
Non-ASCII characters here: `userfs`, `hasnft`