Service Security
Application service security controls protect the confidentiality and integrity of exchanged messages. They also include Identity and Access Management features that authenticate service consumers and let third-party applications obtain limited, delegated access to web resources.
Standards Overview
Identity Federation and API Access Control
In a secure web environment, the resource owner or an intermediary may enforce security policies and make resource-related information selectively available to a service consumer according to that consumer's authorization.
Security in a service-based ecosystem addresses the accidental or malicious actions of others that could damage web-enabled applications, undermine trust in them, or prevent them from performing their advertised functions. Security controls layered on application-layer protocols, or enforced at service endpoints, protect the confidentiality, integrity and availability of consumer-provider interactions.
The following publications describe standard mechanisms for protecting web API access and message content:
- RFC 7515 — JSON Web Signature (JWS)
- RFC 7797 — JWS Unencoded Payload Option
- RFC 7516 — JSON Web Encryption (JWE)
- RFC 7517 — JSON Web Key (JWK)
- RFC 7638 — JSON Web Key (JWK) Thumbprint
- RFC 7518 — JSON Web Algorithms (JWA)
- RFC 7519 — JSON Web Token (JWT)
- RFC 7520 — Examples of Protecting Content Using JOSE
- RFC 7165 — Use Cases and Requirements for JOSE
- RFC 6749 — OAuth 2.0 Authorization Framework
- RFC 6750 — OAuth 2.0 Authorization Framework: Bearer Token Usage
- RFC 6819 — OAuth 2.0 Threat Model and Security Considerations
- RFC 7009 — OAuth 2.0 Token Revocation
- RFC 7521 — Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- RFC 7522 — SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
- RFC 7523 — JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
- RFC 7591 — OAuth 2.0 Dynamic Client Registration Protocol
- RFC 7592 — OAuth 2.0 Dynamic Client Registration Management Protocol
- RFC 7636 — Proof Key for Code Exchange by OAuth Public Clients
- RFC 7662 — OAuth 2.0 Token Introspection
- RFC 8414 — OAuth 2.0 Authorization Server Metadata
- RFC 8473 — Token Binding over HTTP
- OAuth 2.0 Token Exchange
- OAuth 2.0 Token Binding
- OAuth 2.0 Mutual TLS Client Authentication
- Encoding Claims in the OAuth 2.0 State Parameter Using a JWT
- User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
- RFC 2289 — One-Time Password (OTP) System
- RFC 2243 — OTP Extended Responses
- RFC 4226 — HOTP: HMAC-based One-Time Password Algorithm
- RFC 6238 — TOTP: Time-based One-Time Password Algorithm
- RFC 2104 — HMAC: Keyed-Hashing for Message Authentication
- RFC 6030 — Portable Symmetric Key Container (PSKC)
- OpenID Connect 1.0: Core
- OpenID Connect 1.0: Discovery
- OpenID Connect 1.0: Dynamic Client Registration
- OAuth 2.0 Multiple Response Type Encoding Practices
- OAuth 2.0 Form Post Response Mode
- OpenID Connect 1.0: Session Management
- OpenID Connect 1.0: Front-Channel Logout
- OpenID Connect 1.0: Back-Channel Logout
- OpenID Connect 1.0: Federation
- OpenID Connect 1.0: Profile for SCIM Services
- OpenID Connect 1.0: Basic Client Implementer's Guide
- OpenID Connect 1.0: Implicit Client Implementer's Guide
- WS-Security 1.1.1 — Web Services Security: SOAP Message Security 1.1.1
- WS-Security SwA Profile 1.1.1 — Web Services Security: SOAP Message with Attachments Profile 1.1.1
- WS-Security UNT Profile 1.1.1 — Web Services Security: Username Token Profile 1.1.1
- WS-Security X.509 Token Profile 1.1.1 — Web Services Security: X.509 Certificate Token Profile 1.1.1
- WS-Security Kerberos Token Profile 1.1.1 — Web Services Security: Kerberos Token Profile 1.1.1
- WS-Security SAML Token Profile 1.1.1 — Web Services Security: SAML Token Profile 1.1.1
- WS-Security REL Token Profile 1.1.1 — Web Services Security: REL Token Profile 1.1.1
- WS-SecurityPolicy 1.3 — Web Services Security Policy 1.3
- WS-SecureConversation 1.4 — Web Services Secure Conversation 1.4
- WS-Trust 1.4 — Web Services Trust 1.4
- WS-BasicSecurityProfile 1.1 — Basic Security Profile 1.1
- SAML 2.0: Assertions and Protocols
- SAML 2.0: Bindings
- SAML 2.0: Profiles
- SAML 2.0: Metadata
- SAML 2.0: Authentication Context
- SAML 2.0: Conformance Requirements
- SAML 2.0: Security and Privacy Considerations
- SAML 2.0: Glossary
- SAML 2.0: Metadata Extension for Query Requesters
- SAML 2.0: Asynchronous Single Logout Profile Extension 1.0
- SAML 2.0: Attribute Extensions 1.0
- SAML 2.0: Attribute Predicate Profile 1.0
- SAML 2.0: Attribute Sharing Profile for X.509 Authentication-based Systems
- SAML 2.0: Change Notify Protocol 1.0
- SAML 2.0: Channel Binding Extensions 1.0
- SAML 2.0: Condition for Delegation Restriction 1.0
- SAML 2.0: Deployment Profiles for X.509 Subjects
- SAML 2.0: Enhanced Client or Proxy Profile 1.0
- SAML 2.0: Holder-of-Key Assertion Profile 1.0
- SAML 2.0: Holder-of-Key Web Browser SSO Profile 1.0
- SAML 2.0: HTTP POST "SimpleSign" Binding
- SAML 2.0: Identity Assurance Profiles 1.0
- SAML 2.0: Information Card Token Profile 1.0
- SAML 2.0: Kerberos Attribute Profile 1.0
- SAML 2.0: Kerberos Subject Confirmation Method 1.0
- SAML 2.0: Kerberos Web Browser SSO Profile 1.0
- SAML 2.0: Metadata Extension for Entity Attributes 1.0
- SAML 2.0: Metadata Extensions for Login and Discovery User Interface 1.0
- SAML 2.0: Metadata Extensions for Registration and Publication Information 1.0
- SAML 2.0: Metadata Interoperability Profile 1.0
- SAML 2.0: Metadata Profile for Algorithm Support 1.0
- SAML 2.0: Protocol Extension for Requested Authentication Context
- SAML 2.0: Protocol Extension for Requesting Attributes per Request 1.0
- SAML 2.0: Session Token Profile 1.0
- SAML 2.0: Protocol Extension for Third-party Requests
- SAML 2.0: Shared Credentials Authentication Context Extension and Related Classes
- SAML 2.0: Subject Identifier Attributes Profile 1.0
- SAML 2.0: Text-based Challenge/Response Token Authentication Context Class
- SAML 2.0: X.500/LDAP Attribute Profile
- NIST SP800-95 — Guide to Secure Web Services
- NIST SP800-44 — Guidelines on Securing Public Web Servers
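Worked example of the one-time-password algorithms listed above, HOTP (RFC 4226) and TOTP (RFC 6238). This is an added illustration, not code from this page or from the RFCs' reference implementations; it uses only the Python standard library. The shared secret and the expected codes are the published test vectors from RFC 4226 Appendix D and the SHA-1 column of RFC 6238 Appendix B. The verification window and the `verify_totp` helper are design choices of the example, not something the RFCs mandate.

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library.
# Test vectors: RFC 4226 Appendix D and RFC 6238 Appendix B (SHA-1 column).
import hashlib
import hmac
import struct
import time

# 20-byte shared secret used by both RFCs' test vectors: ASCII "12345678901234567890"
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, RFC 4226 section 5.3."""
    counter_bytes = struct.pack(">Q", counter)              # C as 8-byte big-endian
    mac = hmac.new(secret, counter_bytes, algorithm).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value, sign bit dropped
    return str(code % (10 ** digits)).zfill(digits)         # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         t0: int = 0, algorithm=hashlib.sha1) -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X), RFC 6238 section 4.2."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift,
    comparing in constant time. RFC 6238 section 5.2 advises keeping the window small;
    a real verifier should also refuse to accept the same code twice within a step."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * step, digits=digits, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(REFERENCE_SECRET, c)}")
    now = int(time.time())
    print("TOTP now:", totp(REFERENCE_SECRET, now))
```

The counter is the only thing that differs between the two algorithms: HOTP increments it per use, TOTP derives it from the clock, which is why a TOTP verifier needs a drift window and HOTP needs a resynchronisation look-ahead instead.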
Identity Management standards for application services define how end users and systems authenticate in order to obtain access to web resources.
Access Management frameworks for application services describe how access to web resources is delegated: a third-party application is granted limited access on behalf of the resource owner, without the owner sharing credentials with it.
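The delegated authorization code flow described above is where Proof Key for Code Exchange (RFC 7636, listed above) protects public clients against interception of the authorization code. The following is an added example with both sides of the exchange; it is not code from this page or from any OAuth implementation. The client side derives `code_verifier` and `code_challenge` as the RFC specifies, and the single fixed test vector is the one in RFC 7636 Appendix B. The `AuthorizationServer` class, the client identifier `app` and the two-flow scenario are constructed stand-ins for a real authorization server.

```python
# Added example: PKCE (RFC 7636), client derivation plus a constructed stand-in
# authorization server that checks the verifier at its token endpoint.
import base64
import hashlib
import hmac
import secrets
import string

UNRESERVED = string.ascii_letters + string.digits + "-._~"   # RFC 7636 section 4.1 alphabet


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(length: int = 64) -> str:
    """Random verifier of 43..128 unreserved characters (section 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (section 4.2)."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in: binds the challenge to the issued code, verifies at /token."""

    def __init__(self) -> None:
        self._pending = {}   # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        if method != "S256":   # "plain" gives no protection when the request itself is observed
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """True if the code is valid and the verifier matches; the code is consumed on any attempt."""
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return False
        if not 43 <= len(code_verifier) <= 128 or any(c not in UNRESERVED for c in code_verifier):
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), entry[1])


def run_flows() -> dict:
    """Constructed scenario: an intercepted code, then an honest redemption and a replay."""
    server = AuthorizationServer()
    # Flow 1: attacker (e.g. a rogue app registered for the same redirect URI scheme) steals the code.
    v1 = new_code_verifier()
    c1 = server.authorize("app", code_challenge_s256(v1), "S256")
    attacker = server.token("app", c1, new_code_verifier())   # has the code, not the verifier
    victim = server.token("app", c1, v1)                       # code already consumed by that attempt
    # Flow 2: honest client redeems its code, then the same code is replayed.
    v2 = new_code_verifier()
    c2 = server.authorize("app", code_challenge_s256(v2), "S256")
    honest = server.token("app", c2, v2)
    replay = server.token("app", c2, v2)
    return {"attacker": attacker, "victim_after_attack": victim, "honest": honest, "replay": replay}
```

Consuming the code on a failed attempt is deliberate: RFC 6749 recommends revoking a code on a second use, and doing so here denies the attacker any further guesses against the same challenge.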
Message encryption and signature technologies ensure confidentiality and integrity of service interactions.
API access tokens carry a specific scope, lifetime and set of permissions for using web resources.
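The two preceding paragraphs, on signatures that protect message integrity and on tokens that carry scope and lifetime, meet in the JOSE and JWT specifications listed above. The following is an added example, not code from this page or from any JOSE library: a minimal JWS Compact Serialization (RFC 7515) signed with HS256 (RFC 7518), used as a JWT (RFC 7519) with an OAuth-style `scope` claim, and the checks a resource server makes before trusting it. The key, issuer, audience, subject and claim values are constructed for the illustration; the two `*_token` helpers at the end model the tampering a verifier must reject.

```python
# Added example: HS256 JWS/JWT signing and verification with a pinned algorithm
# and full claim checks. All identifiers below are constructed for illustration.
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-0123456789abcdef"   # constructed; real keys come from a KMS or JWK set
ISSUER = "https://as.example"                   # constructed authorization server identifier
AUDIENCE = "https://api.example/orders"         # constructed resource server identifier


class TokenError(Exception):
    """Raised with the reason a token is rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, key: bytes) -> str:
    """JWS Compact Serialization: BASE64URL(header).BASE64URL(payload).BASE64URL(HMAC-SHA256)."""
    signing_input = f"{_json_b64({'alg': 'HS256', 'typ': 'JWT'})}.{_json_b64(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int,
               required_scope: str) -> dict:
    """Return the claims if every check passes; otherwise raise TokenError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed compact serialization")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed compact serialization")
    # Pin the algorithm server-side: the token must never choose it ("none", key confusion).
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != "HS256":
        raise TokenError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("signature mismatch")          # verify before trusting any claim
    try:
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise TokenError("malformed payload")
    if not isinstance(claims, dict):
        raise TokenError("malformed payload")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")                     # RFC 7519 4.1.4: now must be before exp
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError("insufficient scope")
    return claims


def issue_token(now: int, scope: str = "orders:read orders:write", lifetime: int = 300) -> str:
    """What the constructed authorization server mints for subject user-42."""
    return sign_jwt({"iss": ISSUER, "sub": "user-42", "aud": AUDIENCE, "iat": now,
                     "nbf": now, "exp": now + lifetime, "scope": scope}, KEY)


def check(token: str, now: int, key: bytes = KEY) -> str:
    """'ok' or the rejection reason, as the resource server's orders:read endpoint would decide."""
    try:
        verify_jwt(token, key, ISSUER, AUDIENCE, now, required_scope="orders:read")
        return "ok"
    except TokenError as exc:
        return str(exc)


def forge_payload(token: str, claims: dict) -> str:
    """Attacker swaps the payload but keeps the original signature."""
    h_b64, _, s_b64 = token.split(".")
    return f"{h_b64}.{_json_b64(claims)}.{s_b64}"


def alg_none_token(token: str) -> str:
    """Attacker rewrites the header to alg=none and drops the signature."""
    _, p_b64, _ = token.split(".")
    return f"{_json_b64({'alg': 'none'})}.{p_b64}."
```

The order of checks matters: the algorithm is fixed by the verifier and the signature is checked before a single claim is read, so the `exp`, `aud` and `scope` checks only ever run on data the issuer actually signed.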