Tech spotlight: Securing access control across internal services
Tech spotlight: Securing access control across internal services
copy gray icon

Tech spotlight: Securing access control across internal services

November 14, 2022

Overview

Secure access control is a critical aspect of any successful platform or service. Unfortunately, data breaches have been increasing at an alarming rate over the last few years. While there is more attention than ever before on external threats and securing public attack surfaces, it’s essential to apply this same level of scrutiny to internal services. In the event that a bad actor does gain access to part of your system, approaches like the Zero Trust paradigm can mitigate their ability to traverse internal services. We must work hard to not only eliminate vulnerabilities, but also to minimize the blast radius of any single vulnerability.

Here at Pinwheel, we take pride in having the most secure payroll data connectivity API in the industry with an "A" grade Security Scorecard and certifications including ISO 27001. We are constantly looking for areas to level up our security posture. This includes projects this year focused on improving authn/z, access control, and auditing across our internal systems via standard frameworks and libraries. This blog post shares resources and suggestions that may help organizations improve their access control across internal services.

Background: The Cloud, OWASP, OAuth, and the evolving landscape of App Sec

Building secure services requires knowledge and skills across a variety of complex technical areas. Luckily, there are numerous resources available to support these efforts. Cloud computing providers often provide robust support around infrastructure and network security (e.g., shared responsibility models for AWS and GCP). They also tend to provide suites of security tooling that are straightforward to configure.

Regardless of infrastructure provider, developers are responsible for application level security. Organizations like the OWASP Foundation provide helpful resources to understand and address common application security threats. At the top of the latest OWASP Top 10 Web Application Security Risks is Broken Access Control, often resulting in unauthorized access to sensitive API resources. In the context of internal services, Broken Access Control can be the difference between a small and quickly contained security incident or a system-wide data breach that may take weeks or months to notice and remediate.

At the heart of access control is the mechanism or framework by which services can authenticate (authn) and authorize (authz) access throughout the system. OAuth2 is a robust framework for authn/z across a variety of scenarios, with supported Grant Types for different auth scenarios. For now, we’ll be focusing on the Client Credentials Grant that can be effective for internal service-to-service auth flows. OAuth2 also supports grant types and mechanisms for securing human-to-service flows that are essential for comprehensive access control.

Example Scenario with OAuth2 Solution

Our goal is to allow our internal documents-service to securely allow access from our internal trusty-service. There are a number of other internal services across the system, including the utility-service that should not have access to documents-service.

Let's show how we can accomplish this goal using the OAuth2 Client Credentials Grant flow per the following diagram:

Generating Access Tokens via OAuth2 Service

First, we need an OAuth2 service to authenticate trusty-service’s credentials and issue access tokens that can be used to communicate with documents-service. There are a variety of vendors (eg. Auth0) and open source projects (eg. Hydra or Keycloak) that provide OAuth2 implementations (see RFC 6749). For this example scenario we’ll be writing an overly-simplified OAuth2 service using Python’s FastAPI framework that only supports the Client Credentials Grant.

We assume the authenticate_client() function will securely validate the client’s credentials (argon2 or bcrypt can help) and the is_client_allowed_scope() function will reject clients requesting access to a scope they are not allow-listed to use.

What about the generate_access_token() function? We can create a JSON Web Token (JWT) or an opaque token that the client can use as temporary proof of identity. Every system and use case is different, for this scenario we will proceed to issue JWT access tokens that can be parsed and validated downstream without depending on extra requests to the OAuth2 service for every internal service request (higher availability + lower latency across the system).

JWTs provide cryptographically signed, not encrypted, JSON payloads with “claims” about the owner’s identity. While JWT signatures prevent tampering, the claims are visible to anyone and should never contain sensitive information. RFC 7523 and the PyJWT library can help us create our JWT access tokens.

We assume that get_signing_key() will return the key ID + private key of one of our valid asymmetric encryption (signing) keys. One important feature that we’re omitting in this example OAuth2 service is an endpoint for other services to fetch the key ID + public key for all valid signing keys. This is necessary for downstream services to validate JWT signatures and ensure they were created by the OAuth2 service. Please see RFC 7517 for more information on JSON Web Keys (JWKs).

Using Access Tokens as a Client

Now, we need trusty-service to fetch access tokens and pass them along in requests to documents-service. We’ll assume that we have a token_cache that will securely cache non-expired access tokens and use the requests library for our https requests.

Enforcing Access Control on Access Tokens

Finally, the documents service needs to validate access tokens and authorize access based on the authenticated identity claims. This can often be performed as part of API middleware or similar mechanisms such as FastAPI Dependencies.

The PyJWT library includes helpful features to validate standard claims, as specified in the JWT_REQUIREMENTS constant. We assume that jwk_cache provides the valid JWKs from our OAuth2 service mentioned above and that is_client_allowed_resource_action() applies business logic to determine if the authenticated client is allowed to proceed with their request.

Access Control Benefits and Additional Considerations

The OAuth2 flow shown above provides access control via short lived, cryptographically signed, specifically scoped tokens in a manner that should introduce minimal latency to our system. If a bad actor were to compromise the utility-service, they would have no way to access the documents-service. If a bad actor were to compromise an access token from the trusty-service, they would have a short window to perform actions allowed by the specific scope of the token.

This access control flow centralizes authentication of client credentials behind the OAuth2 service to reduce responsibility of downstream services and exposure of credentials. This also provides opportunity for streamlined (graceful) rotation of credentials without updates to downstream services.

Some opportunities to strengthen this access control flow include: 

  • Regularly rotating client credentials and JWKs
  • Logging + events (eg. SIEM) for authn/z attempts by both the OAuth2 service and downstream services (eg. documents-service) to maintain an audit trail and monitor for anomalous activity
  • Deny-list mechanisms for compromised JWTs (eg. using jti claim)
  • Injecting custom claims into access tokens for Attribute Based Access Control, in general ensuring fine-grained access policies that are secure (deny) by default
  • Regularly re-evaluating design choices as newly vetted and well supported options become available (eg. using PASETOs instead of JWTs or upgrading to more secure signing algorithms)
  • Standardizing authorization policies and decision-making across the system with tools such as Open Policy Agent (OPA)

That's it for now! Thanks for reading through some of these shared resources and suggestions that may help your organization improve their access control across internal services. 

Check out our related content down below to see other tech spotlights!

Always stay up to date

View our Privacy Policy   ➔
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Up next

The digital gap threatening credit unions—and how to close it

The digital gap threatening credit unions—and how to close it

Read more  ➔
Are Gen Z and Millennials your most valuable—and most underserved—banking customers?

Are Gen Z and Millennials your most valuable—and most underserved—banking customers?

Read more  ➔
Pinwheel Helping Power Robinhood Banking Deposits

Pinwheel Helping Power Robinhood Banking Deposits

Read more  ➔
Visa Launches Enhanced Subscription Manager, Giving Consumers Greater Control Over Recurring Payments

Visa Launches Enhanced Subscription Manager, Giving Consumers Greater Control Over Recurring Payments

Read more  ➔
OnePay Partners with Pinwheel

OnePay Partners with Pinwheel

Read more  ➔
Leighanne Levensaler joins Pinwheel as strategic advisor

Leighanne Levensaler joins Pinwheel as strategic advisor

Read more  ➔
River launches direct deposit powered by Pinwheel Deposit Switch

River launches direct deposit powered by Pinwheel Deposit Switch

Read more  ➔
KYC’s Killer App

KYC’s Killer App

Read more  ➔
J.D. Power confirms ROI of bank account "Soft Switching"

J.D. Power confirms ROI of bank account "Soft Switching"

Read more  ➔
Pinwheel welcomes Don Weinstein as an advisor

Pinwheel welcomes Don Weinstein as an advisor

Read more  ➔
Future of account onboarding

Future of account onboarding

Read more  ➔
How we help lenders unlock the value of Pay by Paycheck

How we help lenders unlock the value of Pay by Paycheck

Read more  ➔
Pay By Paycheck: The next big thing in lending

Pay By Paycheck: The next big thing in lending

Read more  ➔
A new chapter for Pinwheel

A new chapter for Pinwheel

Read more  ➔
Hey - remember us from tax season?

Hey - remember us from tax season?

Read more  ➔
Narmi x Pinwheel expand partnership with the Switch Kit

Narmi x Pinwheel expand partnership with the Switch Kit

Read more  ➔
Winning the war for primacy with digital innovation

Winning the war for primacy with digital innovation

Read more  ➔
Did the CFPB Eat Your Homework?

Did the CFPB Eat Your Homework?

Read more  ➔
Achieving loyalty with a differentiated digital experience

Achieving loyalty with a differentiated digital experience

Read more  ➔
​Revolutionizing digital banking: How Bill Manager drives engagement and growth

​Revolutionizing digital banking: How Bill Manager drives engagement and growth

Read more  ➔
Pinwheel expands PreMatch coverage to 45M Americans with addition of Paychex partnership

Pinwheel expands PreMatch coverage to 45M Americans with addition of Paychex partnership

Read more  ➔
Pinwheel Pulse: Q1 2025

Pinwheel Pulse: Q1 2025

Read more  ➔
Citadel Direct Deposit Manager is powered by Pinwheel

Citadel Direct Deposit Manager is powered by Pinwheel

Read more  ➔
Security Bank of Kansas City upgrades account onboarding with Pinwheel

Security Bank of Kansas City upgrades account onboarding with Pinwheel

Read more  ➔
Pinwheel partners with MoneyLion to power Direct Deposit Switching

Pinwheel partners with MoneyLion to power Direct Deposit Switching

Read more  ➔
Q&A with Meriwest Head of Digital Strategy, Gene Fichtenholz

Q&A with Meriwest Head of Digital Strategy, Gene Fichtenholz

Read more  ➔
Roster Mentality & Retail Banking

Roster Mentality & Retail Banking

Read more  ➔
Achieve primacy day one

Achieve primacy day one

Read more  ➔
Pinwheel Pulse: 2024 Year in Review

Pinwheel Pulse: 2024 Year in Review

Read more  ➔
Why credit unions have a neighborhood advantage

Why credit unions have a neighborhood advantage

Read more  ➔
The Product Pulse

The Product Pulse

Read more  ➔
Introducing Bill Manager

Introducing Bill Manager

Read more  ➔
PreMatch results are in

PreMatch results are in

Read more  ➔
How we achieve the industry’s best conversion rates

How we achieve the industry’s best conversion rates

Read more  ➔
Automated direct deposit is powering the next generation of growth for credit unions

Automated direct deposit is powering the next generation of growth for credit unions

Read more  ➔
Nassau Financial Credit Union Selects Pinwheel As Direct Deposit Switch Partner

Nassau Financial Credit Union Selects Pinwheel As Direct Deposit Switch Partner

Read more  ➔
SafeLink expands access to frictionless experiences

SafeLink expands access to frictionless experiences

Read more  ➔
Industry leaders talk consumer bank switching behaviors

Industry leaders talk consumer bank switching behaviors

Read more  ➔
The branch of the future

The branch of the future

Read more  ➔
Giving credit where it’s due

Giving credit where it’s due

Read more  ➔
Trust and Verify

Trust and Verify

Read more  ➔
Citizens & Pinwheel talk primacy

Citizens & Pinwheel talk primacy

Read more  ➔
Be the Amazon of banks  

Be the Amazon of banks  

Read more  ➔
Enhancing digital trust: Inside Pinwheel's commitment to security

Enhancing digital trust: Inside Pinwheel's commitment to security

Read more  ➔
Who’s making money moves in 2024?

Who’s making money moves in 2024?

Read more  ➔
Consumer bank switching behavior demystified

Consumer bank switching behavior demystified

Read more  ➔
The metrics you care about the most are now available in real-time

The metrics you care about the most are now available in real-time

Read more  ➔
New Jack Henry partnership makes it easier for community banks to take advantage of Pinwheel

New Jack Henry partnership makes it easier for community banks to take advantage of Pinwheel

Read more  ➔
 Pinwheel's CMO discusses bank competition for primacy in 2024

Pinwheel's CMO discusses bank competition for primacy in 2024

Read more  ➔
Introducing the next generation of Automated Direct Deposit Switching

Introducing the next generation of Automated Direct Deposit Switching

Read more  ➔
Fraud Fighers Chapter 1: Know Your Fraudster

Fraud Fighers Chapter 1: Know Your Fraudster

Read more  ➔
Know Your Fraudster Q&A with Robert Reynolds

Know Your Fraudster Q&A with Robert Reynolds

Read more  ➔
This is how banks close the loop with branch guests: Introducing Pinwheel Smart Branch

This is how banks close the loop with branch guests: Introducing Pinwheel Smart Branch

Read more  ➔
Introducing Pinwheel Deposit Switch 2.0, a revolutionary upgrade that maximizes coverage and conversion for every US worker

Introducing Pinwheel Deposit Switch 2.0, a revolutionary upgrade that maximizes coverage and conversion for every US worker

Read more  ➔
Key factors to consider before implementing a payroll connectivity API

Key factors to consider before implementing a payroll connectivity API

Read more  ➔
Enhance credit line management with income data

Enhance credit line management with income data

Read more  ➔
See your customers’ earnings weeks into the future with projected earnings

See your customers’ earnings weeks into the future with projected earnings

Read more  ➔
How to reduce default risk with consumer-permissioned data

How to reduce default risk with consumer-permissioned data

Read more  ➔
Digital lending technologies and trends that are shaping the industry

Digital lending technologies and trends that are shaping the industry

Read more  ➔
4 technologies that improve fraud detection in banking

4 technologies that improve fraud detection in banking

Read more  ➔
Why automated income verification is a must-have feature for lenders

Why automated income verification is a must-have feature for lenders

Read more  ➔
December product release: 10% increase in conversion, enhanced security and access to pay frequency data

December product release: 10% increase in conversion, enhanced security and access to pay frequency data

Read more  ➔
A conversation with our Chief Information Security Officer

A conversation with our Chief Information Security Officer

Read more  ➔
Former CFPB Deputy Director Raj Date Joins Pinwheel as an Advisor

Former CFPB Deputy Director Raj Date Joins Pinwheel as an Advisor

Read more  ➔
Cash flow underwriting: Benefits & how to access cash flow data

Cash flow underwriting: Benefits & how to access cash flow data

Read more  ➔
Why banks need a payroll connectivity API that prioritizes information security

Why banks need a payroll connectivity API that prioritizes information security

Read more  ➔
How alternative credit data can benefit lenders

How alternative credit data can benefit lenders

Read more  ➔
Tech Spotlight: Implementing your first feature flag

Tech Spotlight: Implementing your first feature flag

Read more  ➔
Pinwheel Welcomes New Advisor, Ethan Yeh, to Advance Pinwheel’s Data Science Strategy

Pinwheel Welcomes New Advisor, Ethan Yeh, to Advance Pinwheel’s Data Science Strategy

Read more  ➔
Tech spotlight: Securing access control across internal services

Tech spotlight: Securing access control across internal services

Read more  ➔
The anatomy and potential of payroll data: Transforming complex data into insights

The anatomy and potential of payroll data: Transforming complex data into insights

Read more  ➔
Beyond the credit score: Propelling consumer finance into the future with income data

Beyond the credit score: Propelling consumer finance into the future with income data

Read more  ➔
Ayokunle (Ayo) Omojola joins Pinwheel’s Board of Directors

Ayokunle (Ayo) Omojola joins Pinwheel’s Board of Directors

Read more  ➔
Conquering conversion: Engineering practices developed to help customers

Conquering conversion: Engineering practices developed to help customers

Read more  ➔
Driving Customer Delight: From implementation and beyond

Driving Customer Delight: From implementation and beyond

Read more  ➔
Pinwheel Supports Open Finance Data Security Standard

Pinwheel Supports Open Finance Data Security Standard

Read more  ➔
How we design Pinwheel to solve real customer problems

How we design Pinwheel to solve real customer problems

Read more  ➔
What is consumer-permissioned data and what are its benefits?

What is consumer-permissioned data and what are its benefits?

Read more  ➔
How payroll data connectivity can help financial service providers in tumultuous market conditions

How payroll data connectivity can help financial service providers in tumultuous market conditions

Read more  ➔
Pinwheel now supports document uploads to supplement payroll data

Pinwheel now supports document uploads to supplement payroll data

Read more  ➔
Brian Karimi-Pashaki joins Pinwheel as Partnerships Lead

Brian Karimi-Pashaki joins Pinwheel as Partnerships Lead

Read more  ➔
Optimizing for conversion with smarter employer mappings

Optimizing for conversion with smarter employer mappings

Read more  ➔
What are super apps and how will they impact financial services?

What are super apps and how will they impact financial services?

Read more  ➔
Increase conversions and maximize share of wallet with Pinwheel's new UX update

Increase conversions and maximize share of wallet with Pinwheel's new UX update

Read more  ➔
Pinwheel announces support for taxes

Pinwheel announces support for taxes

Read more  ➔
Ryan Nier Joins Pinwheel as the Company’s first General Counsel

Ryan Nier Joins Pinwheel as the Company’s first General Counsel

Read more  ➔
The future of enabling earned wage access

The future of enabling earned wage access

Read more  ➔
Deliver earned wage access faster with Pinwheel Earnings Stream

Deliver earned wage access faster with Pinwheel Earnings Stream

Read more  ➔
Digital transformation in banking in 2022: What it means, trends & examples

Digital transformation in banking in 2022: What it means, trends & examples

Read more  ➔
June product release: Expanded connectivity to employers, a custom experience with Link API and more

June product release: Expanded connectivity to employers, a custom experience with Link API and more

Read more  ➔
Pinwheelie Spotlight: LaRena Iocco, Software Engineer

Pinwheelie Spotlight: LaRena Iocco, Software Engineer

Read more  ➔
Build fully custom experiences with Pinwheel’s Link API

Build fully custom experiences with Pinwheel’s Link API

Read more  ➔
Pinwheel expands connectivity to 1.5M employers

Pinwheel expands connectivity to 1.5M employers

Read more  ➔
Robert Reynolds joins Pinwheel as Head of Product

Robert Reynolds joins Pinwheel as Head of Product

Read more  ➔
Pinwheel obtains highest security certification in the industry

Pinwheel obtains highest security certification in the industry

Read more  ➔
Lauren Crossett becomes Pinwheel’s first Chief Revenue Officer

Lauren Crossett becomes Pinwheel’s first Chief Revenue Officer

Read more  ➔
Everything you should know about the role of APIs in banking

Everything you should know about the role of APIs in banking

Read more  ➔
Open finance: What is it and how does it impact financial services?

Open finance: What is it and how does it impact financial services?

Read more  ➔
How automated direct deposit switching benefits traditional banks

How automated direct deposit switching benefits traditional banks

Read more  ➔
Pinwheel Secure: Authentication optimized for market-leading conversion

Pinwheel Secure: Authentication optimized for market-leading conversion

Read more  ➔