Client Credentials Grant Type - Transmitting Client ID and Client Secret Securely

For Client Credentials Grant Type,

1. What are some ways one can transmit Client ID and Client Secret securely to authorised personnel?

2. Best security practices to ensure that APIs are not misused/abused in the client credentials grant type


1. What are some ways one can transmit Client ID and Client Secret securely to authorised personnel?
  • Passing credentials manually is an anti-pattern and should never be followed.
  • Expose the APIs in a Developer Portal (Portal).
  • Ask internal/external/every developer (app developers) to create accounts on the portal.
  • App developers can create Applications on the Portal to get the credentials.
2. Best security practices to ensure that APIs are not misused/abused in the client credentials grant type
  • The client credentials grant type is used for machine-to-machine interaction where user/human intervention is not required.
  • As extra security not specific to the client credentials grant type, Apigee Product Owners/Admins can disable auto-credentials creation on application creation.
  • So when app developers create applications on the portal, they will not get the credentials immediately.
  • An Apigee Product Owner/Admin can check the developer/application details and then grant/deny access.

YES

Use the Developer Portal

That's exactly the purpose.

Thanks, but what if my API is only exposed to a partner for their internal consumption -- would it be overkill to allow the partner to access the developer portal just for this purpose? As I am both the owner and operator of the platform, control is something one needs.

I don't understand the modification you're making to the original question.

Your original question was: How can I distribute API credentials securely?

And the answer to that is: use a webapp that authenticates users, and allows them to provision their own keys, and require them to log in and connect over HTTPS; in short, use the Developer Portal.

Your modification of the question seems to be: What if I don't want that much security?

I don't know how to answer that. If you don't want to secure the distribution of API credentials, send them in email. If you do, use a developer portal.
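To make the portal-based flow from the first reply and the "provision their own keys" answer above concrete, here is an added example that is not part of this thread or of Apigee: a minimal model of a portal where application creation does not hand out credentials until an admin approves, the secret is shown once and only its hash is stored, and a client credentials token request is verified against that hash. All class, method and developer names are constructed for illustration.

```python
"""Added example (not from the original thread): portal-style issuance of
client_id/client_secret with an admin approval gate, plus verification of a
client_credentials token request. Names and data are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Application:
    owner: str
    name: str
    approved: bool = False
    approved_by: Optional[str] = None
    client_id: Optional[str] = None
    secret_hash: Optional[str] = None  # the plaintext secret is never stored


class Portal:
    def __init__(self, auto_credentials: bool = False):
        # Mirrors the "disable auto-credentials creation" setting from the
        # reply: with it off, an admin must approve before a secret exists.
        self.auto_credentials = auto_credentials
        self.apps: Dict[str, Application] = {}

    def create_app(self, developer: str, name: str) -> Tuple[str, Optional[str]]:
        """Developer (already logged in over HTTPS) registers an application."""
        app_key = f"{developer}/{name}"
        self.apps[app_key] = Application(owner=developer, name=name)
        secret = self._issue(self.apps[app_key], "auto") if self.auto_credentials else None
        return app_key, secret

    def approve(self, admin: str, app_key: str) -> str:
        """Admin reviews developer/application details and grants access."""
        app = self.apps[app_key]
        if app.approved:
            raise ValueError("application already has credentials")
        return self._issue(app, admin)

    def _issue(self, app: Application, approver: str) -> str:
        app.approved, app.approved_by = True, approver
        app.client_id = secrets.token_hex(16)
        secret = secrets.token_urlsafe(32)  # 256 bits of entropy
        # A plain hash suffices for a random high-entropy secret; it is not a password.
        app.secret_hash = hashlib.sha256(secret.encode()).hexdigest()
        return secret  # displayed once in the authenticated session, then discarded

    def token_request(self, client_id: str, client_secret: str) -> bool:
        """Server-side check of a client_credentials grant against stored hashes."""
        for app in self.apps.values():
            if app.approved and app.client_id == client_id:
                digest = hashlib.sha256(client_secret.encode()).hexdigest()
                return hmac.compare_digest(digest, app.secret_hash)
        return False
```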

I want secure distribution of API credentials, for sure. But opening the developer portal to others might be challenging. Is there a third way?

Nathan, your question amounts to

"I don't like this answer, please offer a different one."

The answer I have offered is the actual answer. You have asked twice for a different one. I keep giving you the same answer in different ways. Do you see the pattern?