Security is paramount when exposing microservices and APIs in any enterprise environment, especially within the SAP ecosystem. SAP Kyma, as a cloud-native platform built on Kubernetes, offers robust mechanisms to secure your extensions and applications. Two of the most common and essential authentication methods supported in Kyma are OAuth 2.0 and API Key authentication.
This article explores how to implement OAuth and API Key authentication in SAP Kyma, ensuring secure and controlled access to your APIs and services.
With SAP Kyma, your microservices and functions are usually exposed through the API Gateway so that internal or external clients can call them. Any route exposed without an access strategy is reachable by anyone who can resolve the hostname, so the gateway is the place where unauthenticated requests must be stopped before they reach your code.
Putting authentication in front of the route, with OAuth 2.0 tokens or API keys, keeps unauthorized callers out, gives you an identity to log and audit against, and, in the OAuth case, lets you require specific scopes per path and method. Authentication on its own is not fine-grained authorization; you still decide inside the service what an authenticated caller may do.
OAuth 2.0: A widely adopted open standard for access delegation, allowing users or services to grant limited access to resources without handing over their credentials. It defines flows such as Authorization Code (for users, via a browser) and Client Credentials (for service-to-service calls); the resulting access tokens are frequently JWTs, which a gateway can validate offline against the issuer's published signing keys and check for expiry and required scopes.
API Key: A simple scheme in which the client presents a static secret string with every request. It is easy to implement and adequate for service-to-service calls or low-risk endpoints, but an API key is a bearer credential with no built-in expiry, no user identity and no scoping, so it must be generated with enough entropy, stored only as a hash on the server side, transmitted over TLS and rotated.
SAP Kyma can integrate with SAP Identity Authentication Service (IAS) or any compatible OAuth 2.0 / OpenID Connect provider. The API Gateway validates the token and rejects the request with 401 before it is forwarded, so the backing service never sees an unauthenticated call.
Create an APIRule resource in Kyma to expose your API with OAuth security. The gateway only needs what is required to validate incoming tokens: the issuer it trusts and the JWKS endpoint holding that issuer's public keys. The client ID and client secret belong to the caller that requests tokens and must not be placed in the gateway resource. Take the issuer and JWKS URL from your tenant's `/.well-known/openid-configuration` document. The manifest below uses the `v1alpha1` API; newer Kyma releases serve `v1beta1` (and later) with a different schema (for example `host` moves to `spec.host`), so check `kubectl explain apirule` on your cluster.

```yaml
apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  name: my-service-apirule
spec:
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  service:
    name: my-service
    port: 80
    # v1alpha1 requires the external hostname under which the service is exposed
    host: my-service.<your-kyma-domain>
  rules:
    - path: /.*
      methods: ["GET", "POST"]
      accessStrategies:
        - handler: jwt
          config:
            # Only tokens whose iss claim matches a trusted issuer are accepted
            trusted_issuers:
              - "https://<your-ias-domain>"
            # Public keys used to verify the token signature (from the discovery document)
            jwks_urls:
              - "https://<your-ias-domain>/oauth2/certs"
            # Every listed scope must be present in the token
            required_scope:
              - openid
              - profile
```
Use an OAuth client to obtain an access token from the IAS token endpoint (https://<your-ias-domain>/oauth2/token, using the Client Credentials grant for service-to-service calls or the Authorization Code grant for users) and call your API with the token in the Authorization header. A request with a missing, expired, wrongly signed or under-scoped token is answered by the gateway with 401 and is never forwarded to the service:
Authorization: Bearer <access_token>
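To make the gateway's decision concrete, here is an added example (not Kyma or Oathkeeper code, and not from the original article) that performs the same checks the `jwt` access strategy performs on a bearer token: signature, trusted issuer, expiry and required scopes. It uses a constructed HS256 shared secret so it runs offline; real IAS tokens are RS256-signed and verified against the tenant's JWKS, but the claim checks are identical. `mint_token` stands in for the token endpoint and exists only to produce test tokens; the issuer string and scope set are assumptions mirroring the placeholders in the APIRule above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: stands in for the issuer's signing key. Never use HS256
# with a shared secret in a real gateway; use the issuer's public keys (JWKS).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
TRUSTED_ISSUER = "https://<your-ias-domain>"   # assumption: placeholder from the article
REQUIRED_SCOPES = {"openid", "profile"}        # assumption: mirrors required_scope above


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Test helper standing in for the token endpoint: build an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now: float = None) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the alg claim is attacker-controlled and must not select the check.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only after the signature is good are the claims trustworthy enough to inspect.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    granted = set(str(claims.get("scope", "")).split())
    if not REQUIRED_SCOPES <= granted:
        raise ValueError("missing scope")
    return claims


def authorize_request(headers: dict, now: float = None):
    """Gateway-style decision for one request: (200, subject) or (401, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as err:
        return 401, str(err)
    return 200, claims.get("sub")


if __name__ == "__main__":
    good = mint_token({"iss": TRUSTED_ISSUER, "sub": "client-1",
                       "scope": "openid profile", "exp": 2000000000})
    print(authorize_request({"Authorization": "Bearer " + good}))
    print(authorize_request({"Authorization": "Bearer " + good[:-2] + "xx"}))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the token, and the scope test requires every configured scope rather than any one of them, which is how `required_scope` behaves.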
Create API keys for your clients, either manually or with a key management system. Generate them from a cryptographically secure random source, store only a hash of each key on the server side, distribute the plaintext once over a secure channel to the authorized client, and plan for rotation and revocation.
In Kyma, the article's approach is an APIRule with an `apiKey` handler. Before relying on it, confirm that your gateway actually provides this handler: the access strategies documented for the Kyma API Gateway are `allow`, `noop`, `jwt` and `oauth2_introspection`, and an APIRule naming a handler the gateway does not know is rejected. Where no gateway-level handler exists, expose the route with `noop` and enforce the key check inside the service (or with an Istio AuthorizationPolicy on the header); the comparison must then be done against stored hashes with a constant-time compare.
```yaml
apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  name: my-service-apirule
spec:
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  service:
    name: my-service
    port: 80
    # v1alpha1 requires the external hostname under which the service is exposed
    host: my-service.<your-kyma-domain>
  rules:
    - path: /.*
      methods: ["GET", "POST"]
      accessStrategies:
        # The handler name must be one your gateway supports; if apiKey is not
        # available, use noop here and validate the header in the service
        - handler: apiKey
          config:
            in: header
            name: X-API-Key
```
Clients must send the API key in the configured header on every request; requests without the header, or with a key that matches no known hash, are rejected with 401:
X-API-Key: <your-api-key>
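Here is an added example (not from the original article or from Kyma) of the service-side key check described above, for the case where the gateway passes the header through and the service validates it. It shows the three practices that matter for API keys: keys are generated with `secrets`, the store holds only SHA-256 digests so a leaked store does not leak usable keys, and lookup uses a constant-time comparison with an expiry per key so rotation is enforced. The key strings, client names and expiry timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets

def hash_key(api_key: str) -> str:
    """Server side never stores the plaintext key, only its SHA-256 digest."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key() -> str:
    """Generate a fresh high-entropy key; what a key management system would hand out."""
    return secrets.token_urlsafe(32)


# Constructed demo data: plaintext keys exist here only so the test can present them.
# A real deployment would keep just KEY_STORE (digest -> metadata).
DEMO_PLAINTEXT_KEYS = {
    "constructed-key-client-a-000": ("client-a", 2000000000),  # expires far in the future
    "constructed-key-client-b-111": ("client-b", 1000),        # already expired
}
KEY_STORE = {
    hash_key(key): {"client": client, "expires": expires}
    for key, (client, expires) in DEMO_PLAINTEXT_KEYS.items()
}


def authenticate(headers: dict, now: float, key_store: dict = KEY_STORE):
    """Return (200, client_id) for a valid key, else (401, reason)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get("x-api-key", "").strip()
    if not presented:
        return 401, "missing X-API-Key"
    digest = hash_key(presented)
    # Walk the whole store with a constant-time compare so the response time does not
    # depend on which stored digest (if any) matched.
    match = None
    for stored_digest, meta in key_store.items():
        if hmac.compare_digest(stored_digest, digest):
            match = meta
    if match is None:
        return 401, "invalid API key"
    if match["expires"] <= now:
        return 401, "expired API key"
    return 200, match["client"]


def revoke(api_key: str, key_store: dict = KEY_STORE) -> bool:
    """Remove a key by its digest; returns True if it was present."""
    return key_store.pop(hash_key(api_key), None) is not None


if __name__ == "__main__":
    print(authenticate({"X-API-Key": "constructed-key-client-a-000"}, now=1500))
    print(authenticate({"x-api-key": "constructed-key-client-b-111"}, now=1500))
    print(authenticate({}, now=1500))
```

Because only digests are stored, the hashing step also neutralises timing attacks on the comparison: an attacker cannot craft a key whose digest shares a prefix with a stored one. The per-key expiry is what turns "rotate your keys" from advice into something the service enforces.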
SAP Kyma's security model lets you choose the access strategy per route: OAuth 2.0 tokens validated at the gateway where callers have an identity provider and you need expiry, scopes and auditability, and API keys for low-risk service-to-service calls where a rotated shared secret checked against a stored hash is sufficient. Authentication is one layer; keep TLS on every route, authorize inside the service, and log rejected requests so misuse is visible.
By following the outlined steps, and by verifying on the cluster which APIRule version and access handlers the gateway provides, SAP developers can expose services in Kyma with a balance of security and usability that matches each client.