Announcement Announcement Module
Collapse
No announcement yet.
Secure REST API with OAuth 2.0 Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Secure REST API with OAuth 2.0

    Hello every body,

    I try to secure some REST APIs (definitely stateless) on my server and let other trusted webapplications to use them.
    As I said webapplication are trusted, it means I need to omit authentication steps from oauth sequence diagram.

    Is that possible to benefit from Oauth 2.0 at all?
    All that I want is to care about generating and handling access token.

    kindest regards
    Sara

  • #2
    The benefit of OAuth2 really comes when your REST clients act on behalf of a user. If there is no user in the process it might not be worth it. If you have a user then you can benefit from OAuth2, but I'm not sure I understand the question beyond that.
    Last edited by Dave Syer; Nov 8th, 2012, 07:12 AM.

    Comment


    • #3
      Yes, you are right. However, I find OAuth 2.0 the most suitable protocol for creating and managing tokens. All what I need to be sure about is, wether it is possible to setup oauth for anonymous user.

      Comment


      • #4
        If you have machine-machine interactions there is no user, so there is no need for anonymous access.

        Comment


        • #5
          Sara:

          I'm not sure what you mean by a trusted application and not requiring authentication. Is this a strictly internal arrangement?

          My application makes use of OAuth 2 in order to authenticate tenant applications, which then obtain bearer tokens to provide to user agents accessing their site. With that token, the user agent (using JavaScript/JSONP, Flash/XML etc.) invokes our RESTful APIs and provides the token. We make this easy by providing 'widgets' which the tenant embed in their site pages.

          Our application has no end user data, just our data, and some tenant specific data. Rather than an end user authorizing an application to access personal data/functionality on their behalf, we have a tenant authorizing a user agent (browser, mobile) to access our APIs on the tenant's behalf. This authorization allows us to track the usage for a given tenant, as well as return results based on our content and the tenant's content, and not some other tenant's content.

          There are additional measures in place to limit what can be done with a given bearer token (in terms of amount of API usage), anti-hijacking, and blacklisting client addresses that appear to be abusive or bots of some kind scraping content.

          Making use of OAuth 2 for this is nice because it is a well understood standard, and we have nice implementations such as Spring Security OAuth available. A big issue for us is the ability for the user agent to directly invoke our APIs (JSONP today, and one day CORS). This needs to be done without the tenant exposing any credentials within the user agent. So, the bearer token, with limits applied, works well for this.

          Our tenant applications also invoke some of our APIs for updating and otherwise managing their own content within our application. Since this does not involve some third party user agent, we could have used HTTP Basic authentication over HTTPS for this, but instead, these APIs are also accessed via OAuth 2. Using a different set of credentials, the tenant application will acquire a token which is then used to invoke tenant related, rather than user related, APIS.

          This second scenario is for us the machine-to-machine (server-to-server) situation which could call into question the need for OAuth (vs HTTP basic authentication), but the user agent interaction (browsers and mobile apps run on machines don't they? ) is where OAuth 2 really shines for us; a standard vs. some custom token based system of our creation, no exposure of tenant credentials, code I don't have to write/debug/test, and very nice support on this forum.

          Anyway, if you do not have third party involvement, and your applications are 'trusted', what are your motivations for requiring tokens?

          Cheers,

          Jeff

          Comment

          Working...
          X