OAuth Toolkit May Help Secure APIs

When programming a web application, security is often a prime concern. If you've read my previous articles, you've often seen me comment on how secure an API is; many of them are pretty secure, but many of them are not. When working on a cool application, security is often something you don't really want to spend much time thinking about, which is why Layer 7 recently released an OAuth toolkit.

I recently had a talk with Layer 7's CTO, Scott Morrison, about the company's new OAuth toolkit and what the company does in general. Layer 7 is mainly in the business of securing your APIs so you don't have to. Their OAuth Toolkit is an API made to manage your use of OAuth within your webapp, making sure that it works well and is up to date with the current standards. Here's a bit from the company's press release:

Real-world implementations of OAuth have proved to be varied, especially implementations based on the draft specifications of OAuth 2.0, which change frequently in concert with ongoing draft updates. As the OAuth security standard evolves, enterprises require increased flexibility for OAuth implementations with an eye to adapting their support over time.

“The Layer 7 OAuth Toolkit is the first solution of its kind that enables enterprises to control policy and identity aspects of many different OAuth token operations, a capability that is particularly important as enterprises increasingly use OAuth to authorize access to APIs in cloud settings,” said Phil Walston, vice president of products at Layer 7 Technologies. “By allowing enterprises to seamlessly manage their OAuth implementations as the standard evolves, the toolkit simplifies operations while providing rigorous security and control.”

The API supports integration of SAML with OAuth, bridging the two technologies and allowing webapps using the API to intermix them. This can lead to more secure implementations, and it allows more than just authentication information to be exchanged in a secure manner. For example, it can help securely transmit tokens used in multi-factor authentication, such as using SecurID along with OAuth.

Really, almost any webapp that wants to be secure can make use of these features. Layer 7's technology has been used for some very high-profile sites, such as SalesForce.com and major telephone companies. If you want your API to be more secure, looking into Layer 7 might be a better idea than implementing it yourself. It isn't free, but if you are interested, you can request a 15-day free trial.

Layer 7's competitors for general services include Mashery, Apigee and 3scale.