Services often need to talk to each-other, but how should they control access?<p>In an ideal world, callers can prove who they are to services and services only grant access to a minimal set of consumers. There should be low boiler-plate for maintaining service identities and things like token revocation, secret rotation, etc. should be "easy". Bonus points for avoiding vendor lock-in.<p>What approach do you use for securing service-to-service access?
If both services are created and managed by you then you have these possibilities:<p>- API Key (quick & easy with <i>reasonable</i> security)<p>- OIDC (OAuth) (client now "pretends" to be a user, <i>or</i> acts on behalf of a user)<p>- Client Key Authentication (can be quick & easy if you have infrastructure in place)<p>All three approaches suffer from a common problem: secrets management. When using an API Key, it's the API Key itself that's the secret needing to be managed. When using OIDC the password is the secret needing to be managed. When using Client Key Authentication the client key is the secret needing to be managed.<p>Generally-speaking, you don't want to put your secret into your codebase and check it into git (or whatever source control system you're using).<p>How you manage these secrets depends on what platform you're on, and the languages and frameworks you're using or even whether your organization has setup a secrets vault. There's a dizzying number of options for managing secrets. Regardless of which route you go with managing secrets; these are the three main strategies you can use for securing your APIs.
The standard solution is to use digital keys and signatures. There is no need to reinvent the wheel here, just use the standard cryptographic constructions to verify that the requests are from trusted sources, e.g. <a href="https://medium.com/@georgwiese/hash-based-digital-signatures-almost-from-scratch-da57e54dd774" rel="nofollow">https://medium.com/@georgwiese/hash-based-digital-signatures...</a>