One of the key questions which comes up in API Management is about
which authentication scheme to use. Gunnar Peterson has written, in a
different context, about the benefit to the security architect of providing a menu of authentication schemes to use.
Some clients are limited by what authentication scheme they can handle,
and by providing a "menu" of authentication schemes at the API Gateway
level, this can be handled. Within a policy (expressed as a "circuit" in
the Vordel Gateway) you can handle clients differently depending on how
So which API authentication schemes are on the "menu"? Of course there is HTTP Digest Auth and mutual SSL. But there are specific API authentication schemes similar to Amazon's Query API authentication. If you want to learn more about this API authentication option, then on the Vordel website there is a video example showing API authentication for iPhone apps and Facebook as clients.
If you push the video on to the 20 minute mark, and listen for a few
minutes, you can learn about how the Vordel Gateway provides the API
security, making use of HMAC digests with SHA1. If you're familiar with
the Amazon Web Services Query authentication, you will recognize this:
So the options for API authentication balance flexibility (providing customers with a menu of authentication options) and security (policies which vary access depending on which scheme the client uses). A Gateway provides this balance, versus hardcoding the scheme into the API itself.
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)