0

We intend to create a REST API that will be implemented on 100+ servers for use by a Centralized Management Portal (CMP). This CMP will itself have full access to the API (for scheduled tasks etc.) and the authorization is done on the CMP itself.

As an added security measure, all the 100+ servers' API can only be accessed from the CMP's IP Address.

In this circumstance, what would be the security advantage, if any, of using OAuth2 rather than a set of API Keys (unique for each server) that are stored as environment variables on the CMP? Upon reading this, it seems that our use case is somewhat different.

Ultimately, we were thinking that we could just open the CMP only to a subset of IP Addresses for those who need to access it; however, this may not be possible later down the track.

Matthew Knill
  • 252
  • 2
  • 7

1 Answer

1

I would think about the API from the viewpoint of its clients:

  • How would a web or mobile client call the API securely?
  • How would the end user identity flow to the API?

If you don't need to deal with either of these issues then OAuth doesn't provide compelling benefits, other than giving you some improved authorization mechanisms:

USER v INFRASTRUCTURE SECURITY

I would use OAuth when user level security is involved, rather than for your scenario, which feels more like infrastructure security.

Some systems, such as AWS or Kubernetes, give you built-in infrastructure policies, where API hosts could be configured to only allow calls from hosts with a CMP role.

I would prefer this type of option for infrastructure security if possible, rather than writing code to manage API keys.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Well, the only effective client of the 100+ servers that each host their own API is the CMP, so I would thus expect OAuth wouldn't really provide any compelling benefits as mentioned. – Matthew Knill Oct 26 '21 at 20:47
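As an added example (not code from the question or the answer), here is what the scheme the question describes looks like on both sides in Python: the CMP loads one key per managed server from environment variables, and each managed server first checks the source address against the CMP allow-list and then compares the presented key in constant time. All names (`load_cmp_keys`, `ServerApiGuard`, the `CMP_API_KEY_` prefix), keys and addresses are constructed for illustration and are not part of the original post.

```python
"""Added example (not from the original post): per-server API key plus a CMP
IP allow-list. All names, keys and addresses below are constructed."""
import hmac
import ipaddress
import secrets
from typing import Dict, Mapping, Tuple


def generate_api_key() -> str:
    """One high-entropy key per managed server, created at provisioning time."""
    return secrets.token_urlsafe(32)


def load_cmp_keys(environ: Mapping[str, str], prefix: str = "CMP_API_KEY_") -> Dict[str, str]:
    """CMP side: collect per-server keys from environment variables such as
    CMP_API_KEY_SRV01=... so each server's key can be looked up by server id."""
    return {name[len(prefix):].lower(): value
            for name, value in environ.items()
            if name.startswith(prefix) and value}


class ServerApiGuard:
    """Server side: the checks one managed server applies to an inbound API call.
    The server holds only its own key, so a key leaked from another server is useless here."""

    def __init__(self, own_key: str, allowed_sources: Tuple[str, ...]):
        self._own_key = own_key.encode()
        # Accept single addresses or CIDR ranges for the CMP.
        self._networks = tuple(ipaddress.ip_network(s, strict=False) for s in allowed_sources)

    def source_allowed(self, peer_ip: str) -> bool:
        """Layer 1: network allow-list. Check the TCP peer address, not a
        client-supplied header such as X-Forwarded-For, unless a trusted proxy sets it."""
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False
        return any(addr in net for net in self._networks)

    def key_valid(self, presented_key: str) -> bool:
        """Layer 2: constant-time comparison, so response timing does not reveal
        how many leading bytes of a guessed key matched."""
        return hmac.compare_digest(self._own_key, presented_key.encode())

    def authorize(self, peer_ip: str, presented_key: str) -> Tuple[bool, str]:
        """Both layers must pass; the reason string is for the server's own log only."""
        if not self.source_allowed(peer_ip):
            return False, "source address not in CMP allow-list"
        if not self.key_valid(presented_key):
            return False, "invalid API key"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample environment as the CMP process would see it.
    env = {
        "CMP_API_KEY_SRV01": generate_api_key(),
        "CMP_API_KEY_SRV02": generate_api_key(),
        "PATH": "/usr/bin",
    }
    keys = load_cmp_keys(env)
    srv01 = ServerApiGuard(keys["srv01"], ("203.0.113.10",))  # constructed CMP address
    print(srv01.authorize("203.0.113.10", keys["srv01"]))   # accepted
    print(srv01.authorize("203.0.113.10", keys["srv02"]))   # another server's key: rejected
    print(srv01.authorize("198.51.100.7", keys["srv01"]))   # right key, wrong source: rejected
```

The per-server keys limit the blast radius of a single leaked key to that one server, while the address check is only as strong as the network path in front of the API (it is bypassed if the server trusts a forwarded-for header or if the CMP's address space is shared), which is why the two checks are layered rather than used alone.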