
Problem Statement

API security needs to be made an integral part of the API design process. Yet too often API designers' approach to security (authentication, authorization and access control) has been ad hoc and perfunctory. There is as yet no comprehensive set of best practices and the relevant standards work is characterized by contention and lack of finality. 

Stakeholders, Influencers and Influences

Different audiences will need to be invited to engage on different aspects of this work. It will be important for team members to bring the perspective and represent the interests of at least the following stakeholder groups:

  1. API designers and developers
  2. Campus API and security service providers
  3. Campus integration teams
  4. Application developers

Charter

The TIER API Security Task Force must keep in mind that TIER design and development teams are the first and most important audience for WG deliverables. Those teams will be the ones implementing concrete APIs, using them to integrate component services with each other and with other systems at the adopting campuses. To that end, the WG must establish and maintain effective two-way communication with the design and development teams.

The Task Force must address at least the following areas:

  • Authentication of the API client and/or the user on whose behalf the call is being made
  • Application of appropriate access control over API access at the level of specific API methods
  • Filtering of returned information, when the API is used to retrieve a resource representation, so that data access policies are enforced

The Task Force must sequence its work so that early guidance is given first to the APIs whose security issues are the most serious.

Membership

Membership in the Working Group is open to all interested parties. Members join the Working Group by subscribing to the mailing list, participating in the phone calls, and otherwise actively contributing to the work of the group. The chair of the Working Group is appointed by TIER and is responsible for keeping TIER and the InCommon TAC informed regarding the Working Group's progress.

Deliverables Timeline

By April 2017

  • Complete a first draft of a TIER API Security Recommendations document and invite community review

  • Work with API developers to build and test a guideline-conforming security solution for a specific API


Request for Internet2 Assistance: N/A


See Also

TIER Data Structures and APIs Working Group Home

TIER Entity Registry Working Group

TIER Working Groups Home

InCommon Working Groups
