Advanced API Security: OAuth 2.0 and Beyond, Second Edition

  • 6h 22m
  • Prabath Siriwardena
  • Apress
  • 2020

Prepare for the next wave of challenges in enterprise security. Learn to better protect, monitor, and manage your public and private APIs.

Enterprise APIs have become the common way of exposing business functions to the outside world. Exposing functionality is convenient, but of course comes with a risk of exploitation. This book teaches you about TLS Token Binding, User Managed Access (UMA) 2.0, Cross Origin Resource Sharing (CORS), Incremental Authorization, Proof Key for Code Exchange (PKCE), and Token Exchange. Benefit from lessons learned from analyzing multiple attacks that have taken place by exploiting security vulnerabilities in various OAuth 2.0 implementations. Explore root causes, and improve your security practices to mitigate against similar future exploits.

Security must be an integral part of any development project. This book shares best practices in designing APIs for rock-solid security. API security has evolved since the first edition of this book, and the growth of standards has been exponential. OAuth 2.0 is the most widely adopted framework that is used as the foundation for standards, and this book shows you how to apply OAuth 2.0 to your own situation in order to secure and protect your enterprise APIs from exploitation and attack.

What You Will Learn

  • Securely design, develop, and deploy enterprise APIs
  • Pick security standards and protocols to match business needs
  • Mitigate security exploits by understanding the OAuth 2.0 threat landscape
  • Federate identities to expand business APIs beyond the corporate firewall
  • Protect microservices at the edge by securing their APIs
  • Develop native mobile applications to access APIs securely
  • Integrate applications with SaaS APIs protected with OAuth 2.0

Who This Book Is For

Enterprise security architects who are interested in best practices around designing APIs. The book is also for developers who are building enterprise APIs and integrating with internal and external applications.

About the Author

Prabath Siriwardena is an identity evangelist, author, and a blogger with more than 12 years of industry experience in designing and building critical Identity and Access Management infrastructure for global enterprises, including many Fortune 100/500 companies. He spent most of his time in last 12 years with the WSO2 IAM team, in leading the development of the open source WSO2 Identity Server, which is used by hundreds of top companies and more than 500 Universities globally, and also within the open source communities. WSO2 Identity Server is one of the top leading open source access management products. It serves more than 100 million identities globally and handles more than 1 million authentication requests on daily basis.

As a technology evangelist, Prabath has published seven books, including Microservices Security in Action (Manning) , Advanced API Security (Apress) and Microservices for the Enterprise (Apress). He blogs on various topics from blockchain, PSD2, GDPR, IAM to microservices security. He also runs a YouTube channel.

Prabath has spoken at RSAConference, Identiverse (Cloud Identity Summit), European Identity Conference (Keynote 2015), Consumer Identity World USA (Keynote 2018), API World (Advisory Board 2018), Microservices World, API Strategy & Practice Con, QCon, OSCON, LASCON, Cloud Security Alliance, Block World, Ellucian Live and WSO2Con (Keynote 2018) - and travelled the world conducting workshops/meetups to evangelize IAM communities. He is also the founder of the Silicon Valley IAM User Group, which is the largest IAM meetup in the San Francisco Bay Area.

In this Book

  • APIs Rule!
  • Designing Security for APIs
  • Securing APIs with Transport Layer Security (TLS)
  • OAuth 2.0 Fundamentals
  • Edge Security with an API Gateway
  • OpenID Connect (OIDC)
  • Message-Level Security with JSON Web Signature
  • Message-Level Security with JSON Web Encryption
  • OAuth 2.0 Profiles
  • Accessing APIs via Native Mobile Apps
  • OAuth 2.0 Token Binding
  • Federating Access to APIs
  • User-Managed Access
  • OAuth 2.0 Security
  • Patterns and Practices


Rating 4.7 of 31 users Rating 4.7 of 31 users (31)
Rating 4.5 of 19 users Rating 4.5 of 19 users (19)


Rating 3.0 of 2 users Rating 3.0 of 2 users (2)
Rating 4.4 of 22 users Rating 4.4 of 22 users (22)
Rating 4.5 of 70 users Rating 4.5 of 70 users (70)