Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Architecturing API keys and access tokens

Tags:

rest

oauth

api

I have a question regarding how I should architecture a REST API using access token and API keys.

I have an API that needs authentication. I want to enable two use cases:

  1. The user logs into the interface using OAuth2 (password grant), and is granted a temporary access token. This token is used to authenticate the user. Therefore, the UI, that itself using the API, can fetch data and display it.

  2. I also want the user to have an API key to do the same calls, but in its application. Obviously, contrary to the access token, I want the API key to be long lived. Also, contrary to the access token that is tied to a given user (if we introduce a team mechanism, each user will have different access token, although they access the same resources), the API key should be unique to the project.

While similar, I'm not sure about how should I architecture that. I think that, internally, both API keys and access tokens should be stored in the same table, but API keys having no expiration time. Am I right?

One thing I'm not sure also is the concept of client. It seems that in the spec, the client is more like an external application. However may I actually use this concept here?

For instance, each "project" is actually a different client (although the client here is the same application, not an application created by a third-party developer).

Therefore, if user A creates an account on the system, a client A will be automatically created, with an access token tied to the client A, with a long-lived access token (aka API key). This can be used to perform API calls directly on his code, for instance.

Then, if user A logs into the dashboard, a temporary access token will be created, but this time with no application, but tied to the user, with a short life.

Does this sound sane? Have anyone already implemented such a thing?

Thanks!

like image 718
Michael Gallego Avatar asked Apr 16 '15 21:04

Michael Gallego

People also ask

Is API key same as access token?

The main distinction between these two is: API keys identify the calling project — the application or site — making the call to an API. Authentication tokens identify a user — the person — that is using the app or site.

What is an API key or token?

An application programming interface (API) key is a code used to identify and authenticate an application or user. API keys are available through platforms, such as a white-labeled internal marketplace. They also act as a unique identifier and provide a secret token for authentication purposes.

What is API access token?

What is an Access Token? A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT) . They inform the API that the bearer of the token has been authorized: to access a particular service or services.

What is the difference between API key and bearer token?

Typically, the API key provides only application-level security, giving every user the same access; whereas the JWT token provides user-level access. A JWT token can contain information like its expiration date and a user identifier to determine the rights of the user across the entire ecosystem.

1 Answers

I think you should not consider the "API keys" a substitute of the access token.

You will have to use an access token anyway to bear the authentication between requests, so what you're actually modelling with your "API keys" is not a replacement of the usual bearer token, but rather a different client that provides other grant types to request a token with.

The flow I'd personally implement is the following:

  1. The user authenticates with the password grant type with a common client for every user (i.e. your "web app" client, which is public, i.e. it doesn't have a client_secret).
  2. The user can then create its own client. As per OAuth2 specs, these are not public, so they will consists of a client_id and a client_secret. These are what you call "API keys".
  3. A user will then be able to request an access token via their client, with any given grant type you want to support (e.g. direct client credentials, authorization code, implicit, third parties, etc.). You will have to stress quite a bit about the due safety practices on how to handle the client credentials.

Obviously, you will have to implement your OAuth2 server in such a way that clients can belong specific users, and have different acceptable grant types (i.e. you may not want to allow the password grant usage with a user client, while you may want to disallow any grant type other than the password one for your web app client).

You will then be able to define tokens TTLs, or lack thereof, on a per client or per grant type basis (e.g. access token requested via password grant, only usable by web app client, will have a short TTL, while authorization code grant will provide long lived tokens).
I would advise against complete lack of TTL, though, and rather use the refresh_token grant type to renew expired access tokens.

Furthermore, you'll probably have to define an authorization system of some some sort (ACL, RBAC, whatever), to define which client can do what. This means each access token should contain a reference to the client used for its creation.

So, to sum it up, here are the relations:

User has a Client.
Client has a User.
Client has many Token.
Token has a Client.
Token has a User.

YMMV on bidirectionals.

You should be able to implement everything I described with the most common OAuth2 servers implementations of any given platform.

TL;DR: "API keys" are actually OAuth2 clients.

like image 66
Stefano Torresi Avatar answered Sep 21 '22 06:09

Stefano Torresi
Sign in to Comment

Related questions

Interacting with a REST API from Clojure
Generate Swagger Document for existing NodeJS server
Refresh Token Jsonwebtoken
What does the term "blocking" mean in programming?
How to deploy a docker container on a remote ubuntu server?
LinkedIn API - get information about my ALL Connections
Netsuite woes: Is there decent reference anywhere? [closed]
Google static map API getting 403 forbidden when loading from img tag
High charts remove dots from the line graph [duplicate]
Post a json body with swagger
Intent.setData vs Intent.putExtra
Flask POST request is causing server to crash
How to get the colour of a pixel at X,Y using c#?
How to intercept node.js express request
Implement a REST API in a Grails app
RESTful API - Correct behaviour when spurious/not requested parameters are passed in the request
render :json does not accept options
Slim Framework always return 404 Error
Instagram API doesn’t find any liked posts for sandbox users
Java USB library [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!