Your company is developing a mobile app with the support of the RESTful backend API gateway which receives articles from the mobile app and posts them across social media on behalf of the author. The API gateway creates copies in the database server so that authors can manage them. As an architect, you are designing the system architecture. Which of the following is the most feasible design decision?
A. The mobile app shall invoke API through HTTP POST to create and share articles.
B. IP whitelisting on the API gateway shall be enabled to enforce the authenticity of origin.
C. Rate limits, such as throttling and quotas, shall be applied to prevent the race condition.
D. SAML shall be implemented for authentication.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. The mobile app shall invoke API through HTTP POST to create and share articles.
The most prominent feature of a RESTful API is the prescriptive mapping between HTTP methods and data operations: HTTP POST creates (adds) an article.
IP whitelisting is not feasible because mobile devices typically do not have static IP addresses. In a supply chain scenario, IP whitelisting makes sense because business partners can use fixed IP addresses.
Rate limits, such as throttling and quotas, mitigate DoS or DDoS attacks, not race conditions.
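The distinction between a rate limit and a race condition is easy to state but worth seeing in code. The following is an added example, not part of the original post: a hypothetical gateway with a per-client token-bucket quota and a "check whether the article exists, then insert it" sequence. Two retries of the same POST, interleaved so that both checks run before either insert, both pass the quota and both get stored and shared; only an atomic create-if-absent step prevents the duplicate. Client and article identifiers are constructed sample values.

```python
import threading
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Per-client quota: up to `capacity` requests, refilled at `rate` tokens per second."""
    capacity: int
    rate: float
    tokens: float
    updated: float

    def allow(self, now):
        # Refill for the elapsed time, then spend one token if one is available.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Hypothetical API gateway: rate-limits per client, keeps DB copies, shares to social media."""

    def __init__(self, quota, rate):
        self.quota, self.rate = quota, rate
        self.limiters = {}
        self.articles = {}          # article_id -> body (the database copy)
        self.shares = 0             # number of times an article was posted to social media
        self.lock = threading.Lock()

    def check_rate(self, client_id, now):
        bucket = self.limiters.setdefault(
            client_id, TokenBucket(self.quota, self.rate, self.quota, now))
        return bucket.allow(now)

    # Two-step check-then-act: there is a race window between exists() and insert().
    def exists(self, article_id):
        return article_id in self.articles

    def insert(self, article_id, body):
        self.articles[article_id] = body
        self.shares += 1            # posting to social media happens here
        return 201

    # Single atomic step: only the first caller creates and shares, the second gets 409.
    def create_if_absent(self, article_id, body):
        with self.lock:
            if article_id in self.articles:
                return 409
            return self.insert(article_id, body)


def race_without_atomic_insert(gw, now=0.0):
    """Two retries of one POST (same client, same article id) arrive together."""
    allowed = [gw.check_rate("app-1", now) for _ in range(2)]   # both within quota
    seen_a = gw.exists("a-1")     # request A checks: not there
    seen_b = gw.exists("a-1")     # request B checks before A inserts: not there either
    results = [409 if seen else gw.insert("a-1", "body") for seen in (seen_a, seen_b)]
    return allowed, results, gw.shares


def race_with_atomic_insert(gw, now=0.0):
    """Same two requests, but creation is a single atomic operation."""
    allowed = [gw.check_rate("app-1", now) for _ in range(2)]
    results = [gw.create_if_absent("a-1", "body") for _ in range(2)]
    return allowed, results, gw.shares


if __name__ == "__main__":
    print(race_without_atomic_insert(Gateway(quota=2, rate=0.5)))  # ([True, True], [201, 201], 2)
    print(race_with_atomic_insert(Gateway(quota=2, rate=0.5)))     # ([True, True], [201, 409], 1)
```

The quota does its job (a third request in the same second is refused, and a new token appears after two seconds at rate 0.5), but it has no opinion about what two admitted requests do to shared state; that is what the atomic insert, or an idempotency key on the POST, is for.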
Authentication and Authorization
The backend server must be authorized by the resource owner (the author) before it can post an article on social media, and authentication must be completed before that authorization. OIDC and SAML can both be used to authenticate users. However, the combination of OIDC and OAuth 2.0 is the best fit for the internet and social media, as SAML is XML-based and difficult to integrate with OAuth. SAML is more suitable for business-to-business or supply chain integration.
In summary, SAML can be feasible, but it is not the most feasible solution for authentication in this question. The following quotes demonstrate the obstacles to integrating SAML with OAuth.
“It is hard to find working examples of OAuth working with SAML.”
“Systems which already use SAML for both authentication and authorization and want to migrate to OAuth, as a means of the authorization, will be facing the challenge of integrating the two. It makes sense for such systems to keep using SAML as it is already set up as an authentication mechanism.”
- What is REST API? – A Comprehensive Guide To RESTful APIs
- How to Secure APIs
- 4 Most Used REST API Authentication Methods
- Create the Role of API Product Manager as Part of Treating APIs as Products
- Secure APIs
- Web API Security
- Why and How to Secure API Endpoint?
- 3 Ways to Secure Your Web API for Different Situations
- How does Okta use or implement REST APIs?
- What is API security?
- User Authentication with OAuth 2.0
- OAuth2 with SAML 2.0 Authentication
- OAuth2 with SAML2.0 Authentication
- SAML 2.0 Bearer Assertion Flow for OAuth 2.0
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
Your company is developing a mobile app whose backend is a RESTful API gateway that receives articles from the mobile app and posts them on social media on behalf of the author. The API gateway creates copies on the database server so that the author can manage the articles. As an architect, you are designing the system architecture. Which of the following is the most feasible design decision?
A. The mobile app shall invoke the API through HTTP POST to create and share articles.
C. Rate limits, such as throttling and quotas, shall be applied to prevent race conditions.