Anonymous Access to a REST API?

REST APIs are often accessed with an API token in the Authorization header of requests. If users have an account, they can simply be provided with a token that is associated with their account. Rate limiting can then be applied on this basis.

However, there may be cases where a REST API needs to be accessed by users who do not have an account. Imagine, for instance, a public news website, the articles of which should be available to read to users with and without accounts. In such cases, how should the REST API be accessed, and rate limiting be applied?

My immediate thought was that anonymous clients could access a resource like POST /api/register/anonymous and be granted an API token intended for anonymous users with limited permissions. The resource itself could be rate limited on the basis of an IP address. However, this doubtless has its limitations, such as the unreliability of IP addresses.

Any thoughts on this matter would be much appreciated.

Chris Talman asked Apr 30 '17 10:04

1 Answer

I'd love to be proven wrong, but I don't see how you can effectively rate-limit anonymous access. If you provide an anonymous token, an attacker can just request a new one when the old one hits the limit. If you limit by IP address, they can spoof. If you're just looking to stop random internet users, either or both are fine. If you're concerned about a dedicated attacker, those are just speed bumps. Adding a CAPTCHA when requesting the anonymous access token would also reduce the attack surface.

Eric Stein answered Oct 13 '22 00:10
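The design sketched in the question (an anonymous registration endpoint that hands out a low-privilege token, with issuance limited per IP) and the objection in the answer (a client simply mints a new token once the old one is exhausted) can be put side by side in code. The following is an added example, not code from the question or the answer: it limits token issuance per source IP, then enforces a request budget per token and a second, independent budget per source IP, so churning tokens does not reset the client's allowance. The endpoint paths, the limits and the addresses are constructed for the illustration. The answer's point about IP spoofing still applies: the per-IP layer raises the cost for casual abuse but is not a defence against an attacker who controls many addresses.

```python
"""Layered rate limiting for anonymous REST API access (added example)."""
import secrets
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Timestamps are passed in explicitly so the behaviour is deterministic
    and easy to test; a real deployment would pass time.monotonic().
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps still in window

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)  # only allowed requests consume budget
        return True


class AnonymousApi:
    """Minimal model of the two endpoints under discussion."""

    def __init__(self):
        # Constructed limits: 2 anonymous tokens per IP per hour,
        # 5 requests per token per minute, 8 requests per IP per minute.
        self.issue_limiter = SlidingWindowLimiter(limit=2, window=3600)
        self.token_limiter = SlidingWindowLimiter(limit=5, window=60)
        self.ip_limiter = SlidingWindowLimiter(limit=8, window=60)
        self.tokens = {}  # token -> issuing IP (assumed server-side store)

    def register_anonymous(self, client_ip: str, now: float):
        """POST /api/register/anonymous -> (status, token or None)."""
        if not self.issue_limiter.allow(client_ip, now):
            return 429, None
        token = "anon_" + secrets.token_urlsafe(16)
        self.tokens[token] = client_ip
        return 201, token

    def get_article(self, token: str, client_ip: str, now: float) -> int:
        """GET /api/articles/<id> with an anonymous token -> HTTP status."""
        if token not in self.tokens:
            return 401
        # The per-IP budget is checked first, so a flood of freshly minted
        # tokens from one address still draws on a single allowance. A request
        # that then fails the per-token check has already consumed IP budget.
        if not self.ip_limiter.allow(client_ip, now):
            return 429
        if not self.token_limiter.allow(token, now):
            return 429
        return 200


def simulate_token_churn() -> dict:
    """The scenario from the answer: exhaust a token, mint another, continue."""
    api = AnonymousApi()
    ip = "203.0.113.7"  # constructed client address (TEST-NET-3)
    t = 1_000_000.0

    _, tok1 = api.register_anonymous(ip, t)
    first = [api.get_article(tok1, ip, t + i) for i in range(6)]  # 5 OK, then 429

    _, tok2 = api.register_anonymous(ip, t + 10)  # second token, still allowed
    # The IP budget already holds 6 of 8 requests, so only 2 more succeed.
    second = [api.get_article(tok2, ip, t + 20 + i) for i in range(4)]

    third_issue_status, _ = api.register_anonymous(ip, t + 30)  # 3rd token: 429
    issue_after_window, _ = api.register_anonymous(ip, t + 3700)  # window passed: 201

    return {
        "first": first,
        "second": second,
        "third_issue_status": third_issue_status,
        "issue_after_window": issue_after_window,
    }


if __name__ == "__main__":
    for name, value in simulate_token_churn().items():
        print(f"{name}: {value}")
```

Running the simulation shows the first token serving five reads and then being throttled, the second token serving only two more before the per-IP budget is exhausted, and the third registration attempt being refused until the hour-long issuance window has elapsed. Adding the CAPTCHA the answer suggests would sit in `register_anonymous`, in front of the issuance check.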