REST-style APIs are quickly becoming a favorite among developers and architects because they are lightweight and easy to implement, particularly for mobile applications. However, because REST (Representational State Transfer) is a pattern rather than a standard, REST security can be tricky to implement in enterprises. Unlike SOAP APIs, which are supported by the WS-Security set of standards, REST APIs can have different, incompatible security approaches across groups.
Axway API Gateway authenticates and authorizes REST API requests regardless of the different approaches used for REST security, making it just as easy to implement enterprise-strength protection and integration for REST APIs as it is for SOAP and other APIs.
Enforce message-level security across REST API traffic
Unlike network and web application firewalls, Axway API Gateway detects and prevents message-level threats for REST API traffic by:
Simplify access control and identity integration
To simplify authentication and authorization of REST API requests, Axway API Gateway provides out-of-the-box integration with CA, IBM, Oracle and other identity management platforms, and provides enhanced capabilities including identity federation, cloud single sign-on and fine-grained client- and application-based authentication.
In addition, Axway enables secure administration and storage of all forms of API security artifacts such as tokens, keys and certificates.
Use OAuth and SAML for identity federation
Consumer users often prefer to use their existing credentials from Google, Facebook, Twitter or other third-party identity providers to log in to an application. This is usually implemented using the OAuth 2.0 standard, and more specifically the three-legged OAuth pattern. Axway API Gateway provides comprehensive OAuth support to help API developers incorporate OAuth client, resource server, and authorization server capabilities into REST APIs.
Axway also supports SAML (Security Assertion Markup Language), which is more popular for enterprise federation scenarios, as well as XACML, X.509, Kerberos, OpenID and other popular authentication and authorization standards.