Welcome back to Part 4 of the great RESTful framework showdown! If you have not read the previous blogs, they can be found here. Today we will be addressing the all-important issue of securing our RESTapi and how the frameworks interact with our current security framework. At OptimalBI we have recently adopted Gluu and SAML as our Single Sign-On security framework for securing access to the webpages and apps that we build.
To read more about Gluu and SAML read the blog written by Ben Lee here and the resulting series on building up a Gluu infrastructure starting here.
So why do we care about this SAML thing anyway? For us, on a day-to-day basis, SAML acts as an SSO (Single Sign-On) system that allows a user to log in once and visit many pages. This means that for applications like Qlik or custom web applications that span multiple servers, users should only ever see the login screen once.
SAML also works for authorisation: each user's information contains a list of the groups they belong to. For a RESTapi this allows us to segment routes or data so that they are only accessible to users who have permission to view that piece of data.
Stage Four – Security Integration Assessment
So what do the frameworks that have made it this far have to offer in the SAML department? Let's have a look!
The frameworks left are: ASP.Net Core, AWS API Gateway, Node.js on Express, Node.js on Restify, and Python on Flask.
ASP.Net Core
ASP.Net has functioning SAML integration which would fulfil our needs, but one of the required packages has not yet been ported to the .Net Core libraries. This means that this functionality would not work natively on Linux and would require Mono or a similar framework to get it running. This has been known to cause both performance and functionality issues, so at this time ASP.Net Core fails the Security Integration Test.
AWS API Gateway
AWS API Gateway has added custom authorizers. With this system, API Gateway triggers a Lambda that returns an authorised or not-authorised response; the result is cached, and the API then allows (or denies) access to the requested resource. This means that the API can use SAML as an authentication provider, but the check must be built as Node.js or Python code in a Lambda function. An example of how this works (for the auth0 service) can be found here. While this is not a drop-and-run solution, it is a very extensible and elegant one and worth the small initial investment of development time. That is a pass for AWS API Gateway.
Node.js on Express, Node.js on Restify
Node.js has a library called passport-saml. This is an authentication provider for Passport, a middleware tool for authentication. passport-saml is just one of many authentication strategies supported by Passport, which makes Passport a very extensible system. For Restify there is a port of the passport-saml library called passport-saml-restify. With both of these libraries available and well documented, implementing SAML security for our RESTapi endpoint should not be an issue for Node.js.
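What an application actually writes around passport-saml is small: the verify callback the strategy invokes with the parsed SAML profile, and a middleware that uses the groups from that profile to restrict routes, which is the "segment routes or data by group" use of SAML described at the top of this post. Below is an added example written for this post, not code from the original post or from the passport-saml project. It assumes the IdP (Gluu in our case) releases group membership in a SAML attribute named `memberOf` (a hypothetical attribute name; set it to whatever your IdP actually releases), that the attribute may arrive as a single string or an array, and that Passport has already populated `req.user` from the session.

```javascript
// Added example: the application-side pieces around passport-saml in Express.
// Nothing here imports express or passport, so it runs stand-alone; the
// wiring into both is shown in the comment at the bottom.

// Map a SAML profile (as passport-saml presents it) to the application's user record.
// Assumption: group membership arrives in the "memberOf" attribute (hypothetical name).
function profileToUser(profile) {
  if (!profile || typeof profile.nameID !== 'string' || profile.nameID === '') {
    throw new Error('SAML profile has no nameID');
  }
  const raw = profile.memberOf;
  // IdPs commonly send a single-valued attribute as a string and a multi-valued one as an array.
  const groups = Array.isArray(raw) ? raw : raw ? [raw] : [];
  return {
    id: profile.nameID,
    email: typeof profile.email === 'string' ? profile.email : null,
    groups: groups.map(String),
  };
}

// Verify callback in the shape passport-saml expects: (profile, done).
// Any mapping failure is passed to done() so the login fails closed.
function samlVerify(profile, done) {
  try {
    done(null, profileToUser(profile));
  } catch (err) {
    done(err);
  }
}

// Express middleware factory: allow the route only for members of `group`.
// 401 when there is no authenticated user, 403 when the user lacks the group,
// so clients and logs can tell "not logged in" from "not permitted".
function requireGroup(group) {
  return function groupGuard(req, res, next) {
    if (!req.user || !Array.isArray(req.user.groups)) {
      res.status(401).json({ error: 'authentication required' });
      return;
    }
    if (!req.user.groups.includes(group)) {
      res.status(403).json({ error: `membership of group "${group}" required` });
      return;
    }
    next();
  };
}

// Wiring (shown for context, not executed here):
//   const SamlStrategy = require('passport-saml').Strategy;
//   passport.use(new SamlStrategy({ entryPoint, issuer, cert, callbackUrl }, samlVerify));
//   app.get('/api/reports', requireGroup('analysts'), (req, res) => res.json({ ok: true }));

if (typeof module !== 'undefined') {
  module.exports = { profileToUser, samlVerify, requireGroup };
}
```

The deliberate choice is to normalise groups once, in `profileToUser`, so that every route guard works on a plain array and the IdP's attribute quirks (string versus array, attribute naming) live in exactly one place. For Restify the same `profileToUser` and `requireGroup` apply unchanged; only the strategy registration moves to passport-saml-restify.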
Python on Flask
Python has some good libraries to connect to the Gluu server, including some from Gluu themselves (found here).
As well as the Gluu-made one, we have a few solutions that work well for SAML; the main one can be found here.
So ASP.Net Core fell off our list, but the rest of the frameworks remain strong. That leaves us with the Express.js, Restify, Flask, and API Gateway! That’s it for this edition of the great RESTapi showdown, see you next time!
Tim Gray – Coffee to Code
You can read Tim’s “What’s The Best Restful Web API Framework” Part 1, Part 2, Part 3, Part 5 and Part 6 to get the whole picture.