Creating an “Open API platform” that exposes the core data and functionality of your services to partners and developers often requires a dedicated API management solution. API management solutions act as a “gateway” that handles external API requests and provides a wide range of API sharing capabilities, from traffic control to access analytics. Among these capabilities are OAuth 2.0, which is required to authorize API access, and OpenID Connect (OIDC), which is essential for distributing identity information.
However, the built-in OAuth/OIDC functionality of API gateways is often not suitable for open APIs. For example, some solutions do not support the essential PKCE (Proof Key for Code Exchange), or add proprietary parameters to OAuth/OIDC interactions. In other solutions, the users and groups needed to authorize API access can only be managed through the vendor’s own identity store, which makes migration difficult if an identity management infrastructure is already in place.
Most API management solutions provide frameworks for adding functionality, so it is technically possible to implement and integrate the necessary OAuth/OIDC extension specifications. However, keeping up with trends in OAuth/OIDC extension specifications, implementing them correctly within the framework, and maintaining them once they are integrated into the API management solution involves a significant amount of work. In addition, depending on the application, it may be necessary to comply with specifications that are difficult to implement by grafting them onto standard API management features, such as FAPI, which defines more advanced OAuth security, and CIBA, which extends the use cases of APIs.
By replacing the OAuth/OIDC functionality of the API gateway with Authlete, you can quickly achieve OAuth/OIDC compliance without being affected by the state of your API management solution. Since Authlete is designed to operate entirely as a backend service, OAuth/OIDC APIs such as the authorization endpoint and token endpoint can be implemented and operated as endpoints managed by the API gateway, which makes management of the entire open API platform more efficient.
Because Authlete follows the latest OAuth/OIDC specifications, it's possible to build an API authorization foundation that always complies with industry standards, regardless of the status of the API management solution.
As Authlete works entirely in the backend, you can implement OAuth/OIDC-related endpoints on the API gateway and manage them in the same way as other APIs.
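The following is an added example, not code from this page or from Authlete, illustrating the two points above: a gateway-side token endpoint that does no OAuth logic itself and simply relays the request to a backend authorization server, and the PKCE S256 verification (RFC 7636) that some gateways lack. The backend URL, the request/response field names (`parameters`, `action`, `responseContent`) and the `demo_backend` stand-in are assumptions constructed for this example; they are not Authlete’s documented API.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs

# Hypothetical backend token API; a real deployment would use the vendor's documented URL.
BACKEND_TOKEN_API = "https://backend.example/api/auth/token"  # placeholder


def pkce_challenge_s256(code_verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636 s.4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """Check the verifier presented at the token endpoint against the challenge
    stored with the authorization code; constant-time compare to avoid leaking a prefix."""
    if method == "S256":
        expected = pkce_challenge_s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


# Constructed sample: one authorization code issued earlier, with the client's S256 challenge.
ISSUED_CODES: Dict[str, Dict[str, str]] = {
    "code-abc123": {
        "client_id": "demo-client",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "method": "S256",
    },
}


def demo_backend(url: str, payload: Dict) -> Dict:
    """Stand-in for the backend authorization server's token API (constructed for this example).
    The gateway never sees this logic; it only relays the request and the verdict."""
    params = {k: v[0] for k, v in parse_qs(payload["parameters"]).items()}
    record = ISSUED_CODES.get(params.get("code", ""))
    if record is None or params.get("grant_type") != "authorization_code":
        return {"action": "BAD_REQUEST", "responseContent": json.dumps({"error": "invalid_grant"})}
    if params.get("client_id") != record["client_id"]:
        return {"action": "INVALID_CLIENT", "responseContent": json.dumps({"error": "invalid_client"})}
    if not verify_pkce(params.get("code_verifier", ""), record["code_challenge"], record["method"]):
        return {"action": "BAD_REQUEST",
                "responseContent": json.dumps({"error": "invalid_grant",
                                               "error_description": "PKCE verification failed"})}
    ISSUED_CODES.pop(params["code"])  # authorization codes are single-use; a replay must fail
    return {"action": "OK",
            "responseContent": json.dumps({"access_token": "at-demo", "token_type": "Bearer",
                                           "expires_in": 3600})}


def gateway_token_endpoint(form_body: str, authorization_header: Optional[str],
                           call_backend: Callable[[str, Dict], Dict]) -> Tuple[int, Dict[str, str], str]:
    """Gateway-side token endpoint: forward the raw application/x-www-form-urlencoded body
    to the backend and translate its 'action' into an HTTP status, headers and body."""
    payload: Dict[str, str] = {"parameters": form_body}
    if authorization_header:
        payload["clientAuthorization"] = authorization_header  # hypothetical field name
    result = call_backend(BACKEND_TOKEN_API, payload)
    status = {"OK": 200, "BAD_REQUEST": 400, "INVALID_CLIENT": 401}.get(result.get("action", ""), 500)
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}
    if status == 401:
        headers["WWW-Authenticate"] = 'Basic realm="token"'
    return status, headers, result.get("responseContent", "{}")


if __name__ == "__main__":
    # RFC 7636 Appendix B test vector for the verifier, sent through the gateway.
    body = ("grant_type=authorization_code&code=code-abc123&client_id=demo-client"
            "&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
    print(gateway_token_endpoint(body, None, demo_backend))
```

The gateway function contains no grant-type, client or PKCE logic, which is the point of running the authorization server as a backend service: the endpoint is registered and monitored like any other API on the gateway, while the `demo_backend` stand-in shows the kind of checks the real backend performs.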
The Authlete API is environment-agnostic, allowing you to implement the user authentication and access authorization involved in OAuth/OIDC processing with any IAM system.
Authlete offers three types of service: shared cloud, dedicated cloud and on-premises packages, allowing you to choose the form of deployment according to the scale and features of the open API infrastructure.