OAuth mTLS – An Introduction to Mutual TLS for APIs

When the Internet was conceived, its creators weren’t able to anticipate how complex user authentication and privacy would become. Developers have had to create new solutions over time for things like protecting credit card numbers and other personally identifiable information that can lead to unpleasant results like identity theft or leaking of confidential company data if such information falls into the wrong hands. SSL and TLS are two important technologies that have defined this kind of security for the modern internet. In this article, we’ll offer a brief explanation of TLS and the newer mutual TLS (mTLS) protocol, and how these help make APIs more secure.

TLS in Brief

Transport Layer Security, or TLS, is the current gold standard when it comes to securing internet connections. So how does it work? When a client connects to a server, that server responds with a certificate that verifies the server’s identity and allows for a secure, i.e., encrypted connection between the client and the server. These certificates are issued by trusted authorities, including commercial options like DigiCert and open source solutions like Let’s Encrypt.

Mutual TLS Overview

Now that you understand the basics of TLS, how does mTLS build on it? In the previous section, we only mentioned a certificate coming from the server in the basic version of TLS. But in mTLS, both the client and the server send each other certificates, therefore putting the “mutual” in mTLS. The mTLS approach is most commonly used for service-to-service connections like microservices or service meshes, both of which are common for APIs.

How mTLS Works for OAuth 2.0

While mTLS is highly effective at securing service-to-service connections, it’s less ideal for client-to-server connections. Since mTLS works at a lower level than an individual client-server request, the server is always going to assume that once a given client is authenticated, any request from that client is also properly authenticated. However, anyone who’s experienced attacks such as SQL injections or cross-site scripting (XSS) knows that client sessions can be overtaken by malicious actors, meaning that further identification is often desired.

This further identification can be achieved by adding OAuth 2.0, a common authorization standard. OAuth 2.0 works by binding access tokens to authentication certificates and can also be used to revoke access if necessary. When combined with mTLS, this means that both the access token and the authentication certificate need to be present for a successful connection.

Benefits of OAuth mTLS

The main advantage gained from combining OAuth 2.0 and mTLS (OAuth mTLS) is an additional layer of security. Since the two layers of security are of different types, that means it’s more difficult to compromise both of them, which would be necessary for an attack. Using mTLS ensures that the connection is secure, and adding OAuth 2.0 ensures that the individual session is secure. This extra security makes a connection less vulnerable to session hijacking attacks.

Now you have a basic understanding of OAuth mTLS, and how you can use it to make client-server connections more secure. If you wish to study these ideas in more depth, check out the OAuth mTLS documentation and this blog post from API security expert Neil Madden.