The power and flexibility of OAuth in the social media sector has given enterprise companies an impetus to start adopting the OAuth standard for their cloud-based enterprise identity management. A prime example of this adoption is based on a use case where a company’s email system is hosted in the Google cloud. Google cloud is the identity repository for the company’s users. The company has all its registered users validate their emails and passwords with Google cloud before being allowed access to company applications.
The figure below illustrates an architecture deployment of a company leveraging a cloud based identity management system to control access to its company applications.
Although, a cloud-based access control architecture may appear to be straightforward and simple, it can certainly pose several challenges for an organization:
- Company applications require modification to be OAuth enabled.
- Over time, scalability becomes an issue. As new applications are deployed, they must be integrated and tested for OAuth, which requires time and resources.
- This deployment doesn’t offer any centralized monitoring and enforcement.
- Performance becomes an issue when SSL is used by applications to exchange OAuth credentials with Google cloud.
If you add an API gateway to the architecture deployment, as shown above, it alleviates many of the challenges we discussed in the example where an API gateway is not deployed:
- No modifications are required to company applications. Applications are OAuth agnostic.
- Scalability is no longer an issue as new applications are deployed. Integration and testing of OAuth is no longer required with applications.
- Centralized monitoring and enforcement is easier with an API Gateway. API Gateway provides full visibility to who is accessing what resource.
- Performance is no longer an issue since an API gateway accelerates SSL traffic that contains OAuth credentials.
When it comes to deciding whether your company needs an API gateway in your architecture, there are several factors to evaluate. It’s important to evaluate how many applications are needed to achieve your business goals. If you have only one application and don’t have plans to add more in the future, you probably don’t need a gateway. However, if you are adding new applications services based on new business requirements, deploying an API gateway will save you a lot of time and resources while providing a more scalable and modular architecture.
OAuth White Paper
Enterprise Integration with Public Cloud Services using OAuth