Managing Authentication on REST APIs
The scenario is, I want to manage authentication in several REST APIs deployed in different environments.
I've been reading about Vault, and apparently it has this feature.
With Vault, is it possible that my application only needs to make a request to Vault and is then able to authenticate to an external API (properly configured) using only the alias? Without the need to store the external API's user/password/token in my application?
I wonder if anyone has had experience using Vault this way, and what the pros and cons are.
Or if someone recommends something else to achieve this.
UPDATE:
I found a question like the one I was looking for on SO: https://stackoverflow.com/questions/57703943/how-to-allow-single-sign-on-for-al-clients-in-keycloak
Vault can authenticate its clients for its services. It can also delegate authentication to its services to, say, GitHub or some OpenID Connect provider.
But whatever method/protocol you choose, the pattern is always that a client authenticates to Vault, not to your REST API.
Keycloak is more like what you are looking for, as it is a general-purpose Identity Provider.
The pattern you are looking for is something like this:
- API clients authenticate to an Identity Provider
- They get "something" in return, often a signed JSON Web Token (JWT)
- They send their JWT in the Authorization HTTP header of their REST API call
- Whichever REST API receives the request validates the JWT signature using the Identity Provider's public key
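The four steps of that pattern end to end, as an added example that is not part of this thread and is not Keycloak's or Vault's own code: a constructed stand-in Identity Provider mints an ES256 JWT using only Go's standard library, the client presents it as a Bearer token, and the REST API validates the signature with the provider's public key before trusting any claim. The issuer URL, client name and API name are made up; a real IdP would publish its public key at a JWKS endpoint rather than handing over a Go struct, and the client's own authentication to the IdP (step 1) is assumed to have already happened.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWS segments are unpadded base64url; these helpers encode and decode them.
func encodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeSegment(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// IdentityProvider is a constructed stand-in for Keycloak: it holds the signing key and mints tokens for clients it has already authenticated (that step is out of scope here).
type IdentityProvider struct {
	key    *ecdsa.PrivateKey
	Issuer string
}

func NewIdentityProvider(issuer string) (*IdentityProvider, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{key: key, Issuer: issuer}, nil
}

// PublicKey is all a REST API needs to validate tokens; real IdPs publish it at a JWKS endpoint.
func (p *IdentityProvider) PublicKey() *ecdsa.PublicKey { return &p.key.PublicKey }

// IssueToken mints an ES256 JWT: header.claims.signature, each segment base64url-encoded.
func (p *IdentityProvider) IssueToken(subject, audience string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": p.Issuer, "sub": subject, "aud": audience, "iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	signingInput := encodeSegment(header) + "." + encodeSegment(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, p.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, each padded to 32 bytes, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + encodeSegment(sig), nil
}

// Claims holds the fields the API checks; "aud" is simplified to a single string here.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

// BearerToken pulls the JWT out of an "Authorization: Bearer <jwt>" header value.
func BearerToken(authorization string) (string, bool) {
	token := strings.TrimPrefix(authorization, "Bearer ")
	return strings.TrimSpace(token), token != authorization
}

// ValidateToken is what each REST API runs per request: verify the signature with the IdP's public key first, then check alg, issuer, audience and expiry before trusting any claim.
func ValidateToken(token string, pub *ecdsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil || header.Alg != "ES256" {
		return nil, errors.New("unexpected alg") // pin the algorithm; never accept "none" or a key-type swap
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	// Only a token minted by this issuer, for this API, and still within its lifetime is accepted.
	if c.Issuer != issuer || c.Audience != audience || now.Unix() >= c.Expiry {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil
}
```

Each REST API only needs the provider's public key and its own expected audience; it never sees the client's credentials, which is the property asked about in the question. Pinning `alg` and checking `aud` matter in practice: without them a token minted for one API could be replayed against another, or an unsigned token could be passed off as valid.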