🏠 Analogy
Threat modeling is walking around your house thinking like a burglar: which windows are unlatched, did you leave a key under the doormat, is the back door stronger than the side gate? Authentication is the lock that proves who is at the door; authorization is the rule about which rooms each guest may enter. A steel front door with the key under the mat is security theatre.
Start left: threat modeling
Security is the often-deferred concern that does the most damage when neglected. The mindset is to “start left” — make security a foundation in design, not a bolt-on. Threat modeling identifies threats, attacks, vulnerabilities, and countermeasures; you can only mitigate what you have identified. You do not need to be an expert — the key skill is to think like an attacker.
The repeatable six-step process: (1) identify objectives, (2) gather information, (3) decompose the system (usually with a Data Flow Diagram of external entities, processes, datastores, flows, and trust boundaries), (4) identify threats, (5) evaluate risk, (6) validate — recursively and continually.
Apply STRIDE per element and prioritise with DREAD:
```mermaid
graph TD
  S["Spoofing → authenticate every request"]
  T["Tampering → validate input, prepared statements, guard mass assignment"]
  R["Repudiation → logging and monitoring"]
  I["Information disclosure → avoid excessive data exposure / asset sprawl"]
  D["Denial of service → rate limiting and load shedding"]
  E["Elevation of privilege → enforce authorization (RBAC)"]
```
DREAD scores qualitative risk as (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5. Pair this with the OWASP API Security Top 10. The financial stakes are real — the average data-breach cost in 2021 was $4.24M, and GDPR fines have reached hundreds of millions.
Some controls can't live at the gateway
‘Trust, but verify’: gateway checks (input validation, TLS termination, header allowlists) are a last line of defence, not a replacement for service-level controls. Mass assignment (a client sending a field the service never meant to accept, such as a role or admin flag, and the ORM binding it straight onto the model) cannot be solved at the gateway, because the gateway does not know your data model; it must be guarded inside the API with an allowlist of the fields a request may set.
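The mass-assignment case, as an added example (not code from the page): a PATCH handler that binds the request body onto a user record. The vulnerable version binds every field the model has, so a client can promote itself; the guarded version only binds an allowlist and rejects anything else. The `User` model and the attack body are constructed for the demo.

```python
# Added example: mass assignment, vulnerable vs guarded (not from the page).
from dataclasses import asdict, dataclass, replace


@dataclass
class User:
    id: int
    email: str
    display_name: str
    role: str = "member"          # server-controlled: must never come from a request
    email_verified: bool = False  # server-controlled


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Naive 'update from request': any key that matches a model field is bound.
    This is what a generic ORM update does, and it is exactly the problem."""
    bindable = {k: v for k, v in payload.items() if k in asdict(user)}
    return replace(user, **bindable)


# The contract of the endpoint: the only fields a client may change.
UPDATABLE_FIELDS = frozenset({"email", "display_name"})


def update_user_guarded(user: User, payload: dict) -> User:
    """Allowlist binding. Unknown or protected fields are rejected rather than
    silently ignored, so a misbehaving client gets an error instead of a
    quiet no-op that hides the attempt."""
    unexpected = set(payload) - UPDATABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not updatable: {sorted(unexpected)}")
    return replace(user, **payload)


# Constructed request body from a malicious client: a legitimate change
# smuggled in alongside two protected fields.
ATTACK_BODY = {"display_name": "mallory", "role": "admin", "email_verified": True}
```

A gateway sees only a JSON object with three keys; nothing about the bytes says `role` is privileged and `display_name` is not. Only the service that owns the model can make that distinction.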
Authentication vs authorization
- Authentication verifies who the caller is (username/password + MFA; machine-to-machine via keys or certificates).
- Authorization decides what an authenticated caller may do — enforced on every endpoint.
API keys identify a calling system (cryptographically random, about 256 bits of entropy) but must never be trusted to assert who the end user is. Do not allow HTTP Basic: it means handing the raw username and password to the API on every request. For delegated access without sharing credentials, the right answer is OAuth2.
OAuth2: delegated access
OAuth2 is the de facto token-based authorization framework: a user consents that a third-party app may access their data — the consent is the authorization. Four roles: Resource Owner, Authorization Server, Client, Resource Server. Tokens are usually JWTs carrying signed claims (iss, sub, aud, exp, …); a JWS-signed JWT provides integrity and is validated in-process with no DB lookup (use JWE if you need encryption). Keep tokens short-lived (1–60 min); use revocable refresh tokens for UX.
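What "validated in-process with no DB lookup" means in practice, as an added example (not the page's code, and the same point as the advice below under "Don't build your own identity layer"): a resource server checks a JWS-signed JWT's signature and then its `iss`, `aud`, `exp` and `nbf` claims before trusting anything in it. HS256 with a shared secret keeps the block self-contained; a real resource server would pin RS256/ES256 and fetch the authorization server's public keys from its JWKS endpoint. Issuer, audience and key are assumed values.

```python
# Added example: in-process JWT (JWS) validation on a resource server (not from the page).
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example.com"       # assumed authorization server
AUDIENCE = "https://orders.example.com"   # assumed identifier of THIS API
KEY = b"constructed-demo-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes = KEY) -> str:
    """Mint a token the way the authorization server would (demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class InvalidToken(Exception):
    pass


def verify_access_token(token: str, key: bytes = KEY, now=None) -> dict:
    """Signature first, then claims. Raises InvalidToken on any failure and
    never returns unverified claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm; never let the token header choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not addressed to this API")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("expired")
    if now < claims.get("nbf", 0):
        raise InvalidToken("not yet valid")
    return claims


def tampered(token: str, **changes) -> str:
    """Demo helper: rewrite claims without re-signing, which is all an attacker
    without the key can do."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{h}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"
```

The order matters: verify the signature before reading any claim, and reject a token addressed to a different audience even if it is otherwise valid, since that is what stops an ID token or another API's access token being replayed against this one.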
Pick the grant by client type:
- Authorization Code + PKCE — public clients (SPAs, mobile) that cannot keep a secret. PKCE (Proof Key for Code Exchange) sends a hashed code_challenge with the authorization request and the matching code_verifier with the token request, so an intercepted authorization code cannot be redeemed by anyone else. The most common grant.
- Authorization Code — confidential web apps that can protect a client secret.
- Client Credentials — machine-to-machine, no resource owner; often the easiest way to introduce OAuth2.
- Device Authorization — input-constrained devices (IoT).
Avoid the Implicit grant (replaced by Auth Code + PKCE) and the Resource Owner Password Credentials grant.
```mermaid
sequenceDiagram
  participant U as User
  participant C as Client (SPA)
  participant AS as Authorization server
  participant RS as Resource server
  C->>AS: authorize request with code_challenge
  AS->>U: prompt login and consent
  U-->>AS: approve
  AS-->>C: authorization code
  C->>AS: exchange code with code_verifier
  AS-->>C: access token
  C->>RS: call API with access token
```
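The PKCE leg of the exchange above, as an added example (not code from the page or any real authorization server): the client derives a code_challenge from a random code_verifier, the server binds the challenge to the code it issues, and at the token request it recomputes the hash and compares. The `AuthorizationServer` class is a hypothetical in-memory stand-in; client id and redirect URI are assumed values.

```python
# Added example: Authorization Code + PKCE (S256), client and server sides (not from the page).
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636: 43..128 chars from the unreserved set; 32 random bytes -> 43 chars.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server; only the PKCE-relevant logic."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Front channel: after login and consent, bind the challenge to a fresh code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' defeats the purpose")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> str:
        """Back channel: the code is single-use, and only the holder of the
        original verifier can redeem it."""
        entry = self._pending.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        bound_client, bound_redirect, bound_challenge = entry
        if (client_id, redirect_uri) != (bound_client, bound_redirect):
            raise PermissionError("client_id/redirect_uri do not match the authorization request")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), bound_challenge):
            raise PermissionError("PKCE verification failed")
        return "at_" + secrets.token_urlsafe(24)  # opaque access token, for the demo


def run_flow(auth_server: AuthorizationServer,
             client_id: str = "spa-demo",
             redirect_uri: str = "https://app.example.com/cb"):
    """Happy path from the sequence diagram; returns (code, verifier, access_token)."""
    verifier = make_code_verifier()
    code = auth_server.authorize(client_id, redirect_uri, code_challenge_s256(verifier))
    # The code travels back through the browser redirect. An attacker who
    # intercepts it there still does not have the verifier.
    access_token = auth_server.token(code, client_id, redirect_uri, verifier)
    return code, verifier, access_token
```

Two server-side details carry the security: the code is deleted on first use, so a replayed code fails even with the right verifier, and the `plain` method is refused, because a challenge equal to the verifier gives an interceptor everything they need.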
OIDC adds identity
OAuth2 grants API access but not user identity. OIDC (OpenID Connect) adds an identity layer: the client requests the openid scope and receives an ID token (a JWT of user claims), enriched by profile, email, and similar scopes.
Scopes are not permissions
OAuth2 scopes are coarse-grained, user-consented limits shown on a consent screen. They bound what the client may ask for on the user's behalf, not what the user is entitled to. A user can consent to a scope that covers data or actions the user would never be allowed to perform directly, so every endpoint still needs an authorization check (typically RBAC, plus an ownership check on the specific object being requested) to prevent BOLA (Broken Object Level Authorization). The gateway can usefully enforce scopes, but it is not the whole story.
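An endpoint that does both checks, as an added example (not code from the page): first the scope, which is what the client was granted, then the caller's entitlement to the specific object, which is what stops BOLA. The orders, roles and token claims are constructed; the token is assumed to have already been verified (signature, iss, aud, exp) before it reaches this function.

```python
# Added example: scope check plus object-level authorization (not from the page).
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total_cents: int


ORDERS = {  # constructed datastore
    101: Order(101, "alice", 4000),
    102: Order(102, "bob", 9900),
}

# RBAC: what each role is entitled to, independent of any OAuth2 scope.
ROLE_PERMISSIONS = {
    "customer": {"order:read_own"},
    "support": {"order:read_own", "order:read_any"},
}
USER_ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_order(claims: dict, order_id: int) -> Order:
    """GET /orders/{id}. `claims` are the verified access-token claims."""
    # 1. Scope: did the resource owner consent to this client reading orders?
    #    Coarse and client-level; a gateway could do this part.
    if "orders:read" not in claims.get("scope", "").split():
        raise Forbidden("client was not granted orders:read")
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    # 2. Entitlement: may THIS user see THIS order? Omitting this is BOLA:
    #    any customer with the scope could iterate ids and read everyone's orders.
    permissions = ROLE_PERMISSIONS[USER_ROLES[claims["sub"]]]
    if "order:read_any" in permissions:
        return order
    if "order:read_own" in permissions and order.owner == claims["sub"]:
        return order
    raise Forbidden(f"{claims['sub']} is not allowed to read order {order_id}")
```

Whether the final rejection is reported as 403 or as 404 is a design choice: answering 404 for objects the caller may not see hides which ids exist from an attacker enumerating them, at the cost of less helpful errors for legitimate clients.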
Don't build your own identity layer
Never use an ID token as an access token: its audience is the client that requested it, not your API, and it conveys who the user is, not what they may access. Don’t roll your own identity layer; use a provider that supports OIDC. Always send tokens over HTTPS, and prefer JWTs that can be validated in-process (signature, iss, aud, exp) over a database lookup on every request.
See also
- API gateways — TLS termination and scope enforcement at the edge.
- Service mesh — mTLS and service identity for east–west traffic.
- Rate limiting and quotas — mitigating denial-of-service.
When to use it — and when not
✅ Reach for it when
- You are exposing an API to external consumers or third parties.
- You need to delegate access on a user's behalf without sharing credentials.
- You are reviewing an architecture for security weaknesses before release.
⛔ Think twice when
- Never skip it — but don't reinvent an identity layer; use an OIDC provider instead.
- Don't rely on gateway checks alone as a substitute for service-level controls.
Related topics
- API Gateway (api-management) — the single entry point for north–south traffic: a control-plane/data-plane reverse proxy that reduces coupling, simplifies consumption, and protects and meters your APIs.
- Service Mesh (api-management) — a pattern for managing all east–west service-to-service traffic (routing, reliability, observability, and mTLS) via sidecar proxies coordinated by a separate control plane.
- Rate Limiting and Quotas (api-management) — protect APIs from overuse and abuse: rate limiting rejects on per-request properties, load shedding rejects on system state, using fixed/sliding window or token/leaky bucket algorithms.
Check your understanding
1. What does each letter of STRIDE represent?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. STRIDE (Kohnfelder & Garg, Microsoft) is applied per element, each process, datastore and connection, to enumerate threat categories.
2. In OAuth2, what is the access token for, versus an OIDC ID token?
OAuth2 grants API access but not identity; OIDC adds an identity layer (the openid scope and an ID token). An ID token is addressed to the client and carries user claims; it must never be presented to a resource server as an access token.
3. Which OAuth2 grant should a public client (SPA) use?
Public clients cannot protect a secret, so they must use Authorization Code + PKCE (Proof Key for Code Exchange); Implicit and ROPC are discouraged.
4. Why are OAuth2 scopes NOT a substitute for authorization enforcement?
Scopes are coarse-grained, user-consented limits; they don't equal effective access. Enforce authorization (RBAC) on every endpoint to prevent BOLA.