We have an internal legacy API which needs to be protected to be used on Internet. We decided to use a reverse proxy to provide SSL termination, but now the problem is how to control the access using OAuth tokens.
Right now, to modify the application it's impossible for different reasons I can't explain here. I need something quick and dirty (but secure!) to be able to publish the API to Internet.
I was doing some research and I had this idea: use HAProxy and write a LUA script to check the OAuth token in the header, and give access or not to different users. I'm also considering to use Apache as a reverse proxy and write a module to do the same.
My concerns is about performance and security... Am I taking the best approach? Do you know a better one for this use case?
How about placing an API Gateway in between client applications (= API callers) and your APIs? For example, if you use Custom Authorizer of Amazon API Gateway, you can delegate validation of an OAuth token to an external authorizer and call your API only when the OAuth token is successfully verified. In this architecture, you can protect your API by an OAuth token without modifying the implementation of your API.
Not only Amazon but also some other companies provide API Management / Gateway solutions. For example, Microsoft, CA Technologies, and so on.
FYI: