Abstract
Identity delegation plays a key role in securing APIs. Most of the resources on the Web today are exposed over APIs. The Facebook API exposes your Facebook wall, the Twitter API exposes your Twitter feed, the Flickr API exposes your Flickr photos, the Google Calendar API exposes your Google Calendar, and so on. You could be the owner of a certain resource (Facebook wall, Twitter feed, etc.) but not the direct consumer of an API. There may be a third party who wants to access it on your behalf. For example, a Facebook app may want to import your Flickr photos on your behalf. Sharing your credentials with a third party that wants to access a resource you own on your behalf is an antipattern. Most web-based applications and APIs developed prior to 2006 relied on credential sharing to facilitate identity delegation. After 2006, many vendors started developing their own proprietary ways to address this concern without credential sharing. Yahoo! BBAuth, Google AuthSub, and Flickr Authentication are some of the implementations that became popular.
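The contrast the abstract draws, as an added example that is not part of the chapter: a constructed toy photo API (standing in for a service such as Flickr) that can be reached either by a third party presenting the owner's password, or through a delegation grant that the owner approves directly with the API. Every name, the `PhotoApi` class, its scope strings and the sample users are assumptions made for illustration, not the API of any of the products named above; the point it makes is that a shared password carries every capability the owner has and cannot be scoped, expired or revoked on its own, whereas a delegated token can be.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _hash(value: str, salt: str) -> str:
    # Stored secrets are stretched so a leaked store does not yield plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt.encode(), 100_000).hex()


@dataclass
class Owner:
    username: str
    salt: str
    password_hash: str
    photos: list = field(default_factory=list)
    wall: list = field(default_factory=list)


@dataclass
class Grant:
    owner: str
    client_id: str
    scopes: frozenset
    expires_at: float


class PhotoApi:
    """Constructed toy resource server; not the API of any real service."""

    def __init__(self):
        self.owners = {}   # username -> Owner
        self.grants = {}   # sha256(token) -> Grant

    def register(self, username, password, photos, wall):
        salt = secrets.token_hex(8)
        self.owners[username] = Owner(username, salt, _hash(password, salt), list(photos), list(wall))

    def _authenticate(self, username, password):
        owner = self.owners.get(username)
        if owner is None or not hmac.compare_digest(owner.password_hash, _hash(password, owner.salt)):
            return None
        return owner

    # --- Antipattern: the third party holds the owner's password -------------
    def access_with_credentials(self, username, password):
        """Whoever knows the password gets every capability the owner has."""
        owner = self._authenticate(username, password)
        if owner is None:
            return None
        return {"photos": list(owner.photos), "wall": list(owner.wall),
                "can_delete_photos": True, "can_change_password": True}

    # --- Delegation: the owner consents at the API; the client gets a scoped token
    def issue_grant(self, username, password, client_id, scopes, ttl_seconds, now=None):
        """The password is presented to the API by the owner, never to the client."""
        if self._authenticate(username, password) is None:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash is stored, so a leaked grant table does not leak usable tokens.
        self.grants[hashlib.sha256(token.encode()).hexdigest()] = Grant(
            username, client_id, frozenset(scopes), now + ttl_seconds)
        return token

    def access_with_token(self, token, scope, now=None):
        now = time.time() if now is None else now
        grant = self.grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant is None:
            return ("denied", "unknown or revoked token")
        if now >= grant.expires_at:
            return ("denied", "expired")
        if scope not in grant.scopes:
            return ("denied", "scope not granted")
        owner = self.owners[grant.owner]
        if scope == "photos:read":
            return ("ok", list(owner.photos))
        if scope == "wall:read":
            return ("ok", list(owner.wall))
        return ("denied", "unsupported scope")

    def revoke(self, token):
        """The owner can withdraw one client's access without changing the password."""
        return self.grants.pop(hashlib.sha256(token.encode()).hexdigest(), None) is not None


def demo():
    api = PhotoApi()
    api.register("alice", "correct horse", ["img1.jpg", "img2.jpg"], ["hello"])  # constructed user
    shared = api.access_with_credentials("alice", "correct horse")     # password handed to an app
    token = api.issue_grant("alice", "correct horse", "photo-importer", ["photos:read"], 3600, now=1000.0)
    in_scope = api.access_with_token(token, "photos:read", now=1500.0)
    out_of_scope = api.access_with_token(token, "wall:read", now=1500.0)
    expired = api.access_with_token(token, "photos:read", now=5000.0)
    api.revoke(token)
    revoked = api.access_with_token(token, "photos:read", now=1500.0)
    return shared, in_scope, out_of_scope, expired, revoked


if __name__ == "__main__":
    for name, result in zip(["shared", "in_scope", "out_of_scope", "expired", "revoked"], demo()):
        print(name, result)
```

`demo()` runs both paths against the same owner: the shared password returns a bundle that includes deleting photos and changing the password, while the grant only ever answers the scope it was issued for, refuses after its lifetime, and stops working once revoked. The proprietary schemes the abstract names differed in wire format, but each moved the password step to the API itself in roughly this way.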
Copyright information
© 2020 Prabath Siriwardena
Cite this chapter
Siriwardena, P. (2020). The Evolution of Identity Delegation. In: Advanced API Security. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-2050-4_16
DOI: https://doi.org/10.1007/978-1-4842-2050-4_16
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-2049-8
Online ISBN: 978-1-4842-2050-4