New WSO2 White Paper Examines How to Build an Ecosystem for API Security


White paper discusses best practices for creating an effective API security ecosystem that takes advantage of OAuth 2.0, OpenID Connect, SAML, XACML, and other open standards.

WSO2 delivers the only complete open source enterprise SOA middleware stack purpose-built as an integrated platform to support today’s heterogeneous enterprise environments—internally and in the cloud


As enterprises recognize APIs for their ability to expose business functionality to the outside world, they are also realizing the need for both public and private APIs to be protected, monitored and managed. However, IT organizations often struggle to identify and isolate the tradeoffs among the many API security options available today. To assist IT professionals, WSO2 has published a new white paper that discusses best practices for building an ecosystem to support open standards and strengthen API security.

Building API Security with Open Standards

The white paper, "Building an Ecosystem for API Security," was written by WSO2 Director of Security Prabath Siriwardena. He begins by reviewing the OAuth security standard and evaluating the key differences between OAuth 1.0 and OAuth 2.0. Prabath also examines several OAuth profiles currently under discussion in the Internet Engineering Task Force (IETF) OAuth working group, including the Bearer Token Profile, the MAC Token Profile, the Security Assertion Markup Language (SAML) 2.0 Bearer Assertion Profile, and the JSON Web Token (JWT) Bearer Profile.

Prabath next explores OAuth 2.0 extensibility and proposed improvements, including token introspection, server metadata, user-managed access, token revocation, resource-owner-initiated delegation, and token chaining. He also discusses how OpenID Connect builds an identity layer on top of OAuth 2.0 to provide authentication.
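Two of the extensions named above, token introspection (RFC 7662) and token revocation (RFC 7009), are what let a resource server reject a bearer token that the authorization server has since revoked or that has expired. The following is an added illustration written for this page; it is not code from the white paper or from WSO2 Identity Server or API Manager. It simulates an authorization server in memory (the `AuthorizationServer` class, its token store, and the `authorize_request` resource-server check are all hypothetical names introduced here) and shows the checks a resource server should make on the introspection response: `active`, expiry, and scope.

```python
"""Offline simulation of OAuth 2.0 token introspection (RFC 7662) and revocation
(RFC 7009) as seen from a resource server. Added example; all names are invented."""
import secrets
import time


class AuthorizationServer:
    """Hypothetical in-memory authorization server holding opaque bearer tokens."""

    def __init__(self):
        self._tokens = {}  # token string -> metadata dict

    def issue(self, client_id, sub, scope, ttl=3600, now=None):
        """Issue an opaque bearer token; `now` is injectable for deterministic tests."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable opaque value
        self._tokens[token] = {
            "client_id": client_id, "sub": sub, "scope": scope,
            "iat": now, "exp": now + ttl, "revoked": False,
        }
        return token

    def introspect(self, token, now=None):
        """RFC 7662 style response. Inactive tokens get only {"active": false}
        so the endpoint does not leak metadata about unknown or revoked tokens."""
        now = int(time.time()) if now is None else now
        meta = self._tokens.get(token)
        if meta is None or meta["revoked"] or now >= meta["exp"]:
            return {"active": False}
        return {
            "active": True, "token_type": "Bearer", "scope": meta["scope"],
            "client_id": meta["client_id"], "sub": meta["sub"],
            "iat": meta["iat"], "exp": meta["exp"],
        }

    def revoke(self, token):
        """RFC 7009: revoking an unknown token still succeeds, so the endpoint
        cannot be used as an oracle for which token values exist."""
        meta = self._tokens.get(token)
        if meta is not None:
            meta["revoked"] = True
        return True


def authorize_request(auth_server, authorization_header, required_scope, now=None):
    """Resource-server side: parse the RFC 6750 Authorization header, introspect
    the token, and enforce activity and scope. Returns (http_status, detail)."""
    if not authorization_header:
        return (401, "invalid_request")
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return (401, "invalid_request")
    info = auth_server.introspect(token, now=now)
    if not info.get("active"):
        # Covers unknown, expired and revoked tokens alike.
        return (401, "invalid_token")
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return (403, "insufficient_scope")
    return (200, info["sub"])


if __name__ == "__main__":
    srv = AuthorizationServer()
    tok = srv.issue("app1", "alice", "read:orders write:orders", ttl=60, now=1000)
    print(authorize_request(srv, "Bearer " + tok, "read:orders", now=1010))
    srv.revoke(tok)
    print(authorize_request(srv, "Bearer " + tok, "read:orders", now=1010))
```

The resource server never trusts the token value itself; every decision comes from the introspection response, which is why revocation takes effect immediately instead of waiting for the token to expire. A production deployment would call the introspection endpoint over TLS with client authentication rather than an in-process object.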

Prabath then examines how to build an API security ecosystem that includes a Key Manager (Authorization Server), API Publisher, API Store, and API Gateway using WSO2 Identity Server, WSO2 API Manager and WSO2 Business Activity Monitor (WSO2 BAM). Additionally, he dives into access patterns for users through either SAML 2.0 Web single sign-on (SSO) or a service-oriented architecture (SOA) service with WS-Trust, as well as fine-grained access control with the eXtensible Access Control Markup Language (XACML).

The new white paper can be downloaded at:

About the Author

Prabath Siriwardena, WSO2 director of security, is a member of the OASIS Identity Metasystem Interoperability (IMI) Technical Committee (TC), OASIS XACML TC, and OASIS Security Services (SAML) TC. Prabath is also a member of the Apache Axis Project Management Committee (PMC). He has delivered talks at numerous international conferences.

About WSO2

WSO2 delivers on the promise of the connected business with the only completely integrated enterprise platform that enables businesses to build, integrate and manage their APIs, applications, and Web services on-premises, in the cloud, and on mobile devices. Leading enterprise customers worldwide rely on WSO2’s award-winning, 100% open source platform and its robust governance and DevOps functionality for their mission-critical applications. Today, these businesses represent nearly every sector: health, financial, retail, logistics, manufacturing, travel, technology, telecom and more. Visit to learn more, or check out the WSO2 community on the WSO2 Blog, Twitter, LinkedIn, and Facebook.

Trademarks and registered trademarks are the properties of their respective owners.


Contact Author

Rebecca Hurst