API authentication with the Citrix ADC appliance
There is a paradigm shift in the way modern applications interact with their clients. Traditionally, browser clients were used to access services, and applications usually set session cookies to track user context. Modern, distributed applications make it hard to maintain user sessions across microservices. As a result, most application access has become API based.

Clients that communicate with these distributed services have also evolved. Most clients obtain tokens from a trusted entity called the Authorization Server to prove user identity and access. These clients then present the token to the application with each access request. Therefore, traditional proxy devices like Citrix ADC need to evolve to support these clients.

A Citrix ADC appliance provides a way for administrators to handle such traffic. Citrix ADC can be deployed as an API Gateway to front-end all the traffic that is destined to the published services. An API Gateway can be deployed for traditional (Hybrid Multi Cloud or HMC) or Cloud native environments. The API Gateway terminates all the inbound traffic to offer several services such as authentication, authorization, rate limiting, routing, caching, SSL offload, application firewall, and so on. Therefore, it becomes a critical component in the infrastructure.
Token types
Tokens exchanged during API access mostly conform to the OAuth/OpenID Connect (OIDC) protocol. Access tokens that are used only for ‘delegated access’ conform to the OAuth protocol, whereas ID Tokens that comply with OIDC carry user information as well. Access tokens are normally an opaque or random blob of data. However, they can sometimes be signed tokens conforming to the JWT (JSON Web Token) standard. ID Tokens are always signed JWTs.
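The difference between an opaque token and a signed JWT determines what a gateway can check locally. The following is an added example, not Citrix ADC code or configuration: it classifies a bearer token and verifies a signed JWT with a pinned algorithm and an expiry check. The HS256 shared secret, the sample tokens, and all function names are constructed for illustration; tokens issued by a real Authorization Server are commonly signed with asymmetric keys.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256(claims, key, alg="HS256"):
    """Build a constructed sample token (stands in for the Authorization Server)."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def classify(token):
    """'jwt' if the token is three dot-separated parts with a JSON header naming an alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"

def verify_hs256(token, key, now=None):
    """Return the claims of a valid token; raise ValueError otherwise."""
    if classify(token) != "jwt":
        raise ValueError("opaque token: nothing to verify locally")
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head))["alg"] != "HS256":  # pinned; rejects "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

if __name__ == "__main__":
    token = make_hs256({"sub": "alice", "exp": 2000000000}, KEY)
    print(classify("f3a9c1e07b2d4c55"), classify(token))
    print(verify_hs256(token, KEY, now=1700000000))
```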
API Access with OAuth
The OAuth authentication type on a Citrix ADC appliance can be used to handle both the OAuth and OIDC protocols. OIDC is an extension to the OAuth protocol.
OAuthAction on a Citrix ADC appliance can be used to handle interactive clients such as browsers and native clients such as client apps. Interactive clients are redirected to the Identity Provider for login using the OIDC protocol. Native clients can obtain tokens out of band and present those tokens at a Citrix ADC appliance for access.
Note:
The access token obtained from endpoints can be cached for subsequent requests, thereby enhancing the API performance.
To configure token caching support by using the command line interface, type the following command at the command prompt:
set aaa parameter -apITokenCache ENABLED