{"id":208,"date":"2022-04-08T14:14:17","date_gmt":"2022-04-08T13:14:17","guid":{"rendered":"https:\/\/42crdev.prexihost.com\/?page_id=208"},"modified":"2023-02-10T15:36:27","modified_gmt":"2023-02-10T15:36:27","slug":"api-access-control","status":"publish","type":"page","link":"https:\/\/staging2022.42crunch.com\/api-access-control\/","title":{"rendered":"API Access Control"},"content":{"rendered":"\n\n\t\t
API Access Control restricts access to APIs based on user or client roles and prevents unauthorized access to sensitive data. 42Crunch allows developers to define what actions each user role can perform within an API.

Identification of API security flaws and vulnerabilities.

Content validation, threat detection and traffic throttling.

Authentication, authorization and identity propagation.
42Crunch prevents the incorrect implementation of authentication controls. Compromised authentication tokens are a common attack path: attackers exploit implementation flaws to assume users' identities temporarily or permanently. Compromising a system's ability to identify the client or user compromises API security overall.

Authentication enforcement starts at design time by preventing the deployment of APIs with weak authentication schemes. OAuth2 authorization server endpoints are also protected to only allow specific grant types, and to enforce scope values and access token validity time. At runtime we validate the JSON Web Token (JWT) according to RFC 8725.
At runtime, 42Crunch ensures that only verbs and paths defined in the OpenAPI contract are called. At design time, our audit discovery mechanisms in the CI/CD pipeline uncover shadow APIs and automatically audit and report them.

Blog: How to Avoid the Security Pitfalls of JWT, by Philippe De Ryck. Standards such as OAuth 2.0 and OpenID Connect rely heavily on JSON Web Tokens (JWTs) for sensitive features, such as authentication and authorization. Industry expert Philippe De Ryck explains how to avoid security pitfalls.