Introduction
API security is a top concern: not only the part where end users are authenticated and authorized, but also the part where the applications underneath are authenticated and authorized. In the world of end users, passwords are considered too weak and are complemented with a second factor. In the world of applications, PKI with keypairs is the standard for exchanging authorization codes, introspecting access tokens or obtaining access tokens.
For applications to authenticate in an API world, a JWT is signed with the private key of a keypair. Static keys with a client certificate are the older way of doing things. The preferred way is for client applications to use multiple keypairs and publish their public keys as a JSON Web Key Set (JWKS). The keypairs are rotated frequently.
Internship assignment
During this internship, you will develop a framework on top of Google’s API Management platform to authenticate and authorize applications that authenticate with signed JWTs, backed by public keys published as JWKS. More importantly, you will also develop logic for the API gateway to authenticate with signed JWTs against resource servers and authorization servers, whereby the public keys of the API gateway are frequently rotated and published as JWKS.
The development will not be done with standard programming languages, but mainly by leveraging the built-in building blocks, the so-called “policies”, of Google’s API Management platform, Apigee. This product is one of the top players in the world of API Management and API security. Complementary developments are done on Google Cloud (GCP).
What you will do
As with all internships, at least at i8c, there will be three main parts:
- Learn and understand what you will be doing. You will train yourself to fully grasp API management, API security and the Google Apigee product (i8c is a Google partner). You will start to understand what this internship is all about and you will build your first prototypes.
- The second part is the heart of the internship. You design, and then build, the framework for authenticating with JWKS. A test-driven approach with a strong focus on design first will be the path you follow.
- In the last part, you turn your developments into an open-source project that is fully documented, easy to learn and rock-solid tested. This is also the time when you present your implementation to the i8c team.
During this internship you will be coached by very experienced API security engineers. You will be treated as an i8c employee and participate in all internal events. You will be surrounded by a team that implements API security solutions and API management platforms at famous customers with a wide variety of top products (Apigee, Axway, AWS, Azure, IBM, SoftwareAG, …).

What you will learn
- Applying API Security in a real-life context
- Working with an API Management platform, Apigee from Google in particular
- API Security in detail: OAuth2 & OpenID Connect
- Low(er)-code software development (no standard programming)
Who you are
- You are a student who is not afraid of a challenge
- You are eager to learn new technologies
- You can work independently
- You understand REST APIs in the context of web browsers
- You have basic API Security knowledge