New WSO2 White Paper Examines How to Build an Ecosystem for API Security

White paper discusses best practices for creating an effective API security ecosystem that takes advantage of OAuth 2.0, OpenID Connect, SAML, XACML, and other open standards

Palo Alto, CA – February 26, 2014 – As enterprises recognize APIs for their ability to expose business functionality to the outside world, they are also realizing the need for both public and private APIs to be protected, monitored and managed. However, IT organizations often struggle to identify and isolate the tradeoffs among the many API security options available today. To assist IT professionals, WSO2 has published a new white paper that discusses best practices for building an ecosystem to support open standards and strengthen API security.

Building API Security with Open Standards

The white paper, "Building an Ecosystem for API Security," was written by WSO2 Director of Security Prabath Siriwardena. He begins by reviewing the OAuth security standard, comparing the key advantages of OAuth 1.0 and OAuth 2.0. Prabath also examines several OAuth profiles currently under discussion in the Internet Engineering Task Force (IETF) OAuth working group, including the Bearer Token Profile, MAC Token Profile, Security Assertion Markup Language (SAML) 2.0 Bearer Assertion Profile, and JSON Web Token (JWT) Bearer Profile.

Prabath next explores OAuth 2.0 extensibility and improvements for token introspection, server metadata, user-managed access, token revocation, resource owner initiated delegation, and token chaining. He also discusses how OpenID Connect builds an identity layer on top of OAuth 2.0 for authentication.

Prabath then examines how to build an API security ecosystem that includes a Key Manager (Authorization Server), API Publisher, API Store, and API Gateway using WSO2 Identity Server, WSO2 API Manager and WSO2 Business Activity Monitor (WSO2 BAM). Additionally, he dives into access patterns for users through either SAML 2.0 Web single sign-on (SSO) or a service-oriented architecture (SOA) service with WS-Trust, as well as fine-grained access control with the eXtensible Access Control Markup Language (XACML).

The new white paper can be downloaded at:

About the Author

Prabath Siriwardena, WSO2 director of security, is a member of the OASIS Identity Metasystem Interoperability (IMI) Technical Committee (TC), OASIS XACML TC, and OASIS Security Services (SAML) TC. Prabath is also a member of the Apache Axis Project Management Committee (PMC). He has delivered talks at numerous international conferences.

About WSO2

WSO2 is the only company that provides a completely integrated enterprise application platform for enabling a business to build and connect APIs, applications, Web services, iPaaS, PaaS, software as a service and legacy connections without having to write code; using big data and mobile; and fostering reuse through a social enterprise store. Only with WSO2 can enterprises use a family of governed secure solutions built on the same code base to extend their ecosystems across the cloud and on mobile devices to employees, customers and partners in any way they like. Hundreds of leading enterprise customers across every sector—health, financial, retail, logistics, manufacturing, travel, technology, telecom and more—in every region of the world rely on WSO2's award-winning, 100% open source platform for their mission-critical applications. To learn more, visit or check out the WSO2 community on the WSO2 Blog, Twitter, LinkedIn, Facebook, and FriendFeed.