| NORA-1: External | Browser |
| NORA-1: External | API client |
| API client | API endpoint A1 |
| Browser | API client |
| NORA-4: Back Office | Domain B |
| NORA-4: Back Office | BFF layer |
| NORA-4: Back Office | Domain A |
| NORA-4: Back Office | STS-03: Identity provider service |
| BFF layer | API client |
| API client | API endpoint A1 |
| API client | API endpoint B1 |
| API client | STS-03: Identity provider service |
| Domain B | API endpoint B2 |
| Domain B | API endpoint B1 |
| API endpoint B1 | API endpoint B2 |
| Domain A | API endpoint A1 |
| Domain A | API endpoint A2 |
| API endpoint A1 | API endpoint A2 |
| API endpoint A2 | API endpoint B1 |

| AC-12: Session Termination | CAPEC-125: Flooding |
| SI-3: Malicious Code Protection | SP-TE-29: Web application attacks or code injection attack |
| SC-5: Denial-of-service Protection | CAPEC-125: Flooding |
| AU-2: Event Logging | CAPEC-125: Flooding |
| AC-3: Access Enforcement | SP-TE-36: Unauthorized changes or manipulation of information data records |
| SI-10: Information Input Validation | SP-TE-29: Web application attacks or code injection attack |
| SC-6: Resource Availability | CAPEC-125: Flooding |
| SC-13: Cryptographic Protection | SP-TE-23: Adversary in the middle attack or network traffic modification |