OAuth design for API without users permission

Tags:

oauth

api

I am developing an API that will be used by users of my customers. Here is what the flow will look like:

  1. User of my cloud based service creates an API key.
  2. User embeds the API key into their own custom applications.
  3. User deploys the application to their own end users.
  4. The application talks to our API.

I am looking for advice on how to secure this API. I see a few issues:

  1. The API key has to be embedded into the user's application and is therefore vulnerable to being stolen and abused.
  2. Once an API key is compromised, it can easily be disabled, but how will my users update their applications to use a new API key, short of having to rebuild the application and redeploy?

Does anyone have any ideas on how to design this?

Eric J. Smith asked Jul 30 '10 05:07



1 Answer

I may be mistaken, but maybe you could have your customers' users talk to your customers' APIs instead. Basically, your customers would keep their secret key on their servers, and not embed it in the clients they give their users, so it couldn't be hijacked (unless their server was compromised, of course). Then the users would talk to your API through your customers' APIs.

It would be slower and need more work on the part of your customers, but also safer.

Louis Chatriot answered Sep 30 '22 13:09
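The server-side proxy the answer describes, and the key-theft and key-rotation problems raised in the question, worked through as an added example. This is not code from the original post or from either participant: it models three parties in one process (the provider's API, the customer's backend, and the end user's app), signs each upstream request with an HMAC over method, path, timestamp and body hash, and rejects unknown keys, tampered requests and replays. The header names, the 300-second replay window, the `acme-k1`/`acme-k2` key ids and the `sess-123` session store are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    body: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def _canonical(req: Request, key_id: str, ts: str) -> bytes:
    # Bind method, path, key id, timestamp and a body digest into the signed string,
    # so changing any of them in transit invalidates the signature.
    body_hash = hashlib.sha256(req.body.encode()).hexdigest()
    return "\n".join([req.method, req.path, key_id, ts, body_hash]).encode()


def sign(req: Request, key_id: str, secret: bytes, now: float) -> Request:
    # Attach the assumed X-Key-Id / X-Timestamp / X-Signature headers.
    ts = str(int(now))
    mac = hmac.new(secret, _canonical(req, key_id, ts), hashlib.sha256).hexdigest()
    req.headers.update({"X-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": mac})
    return req


class ProviderAPI:
    """The cloud service: issues, verifies and revokes customer API keys."""
    REPLAY_WINDOW = 300  # seconds; assumed value

    def __init__(self):
        self.keys: dict[str, bytes] = {}

    def issue_key(self, key_id: str) -> bytes:
        self.keys[key_id] = secrets.token_bytes(32)
        return self.keys[key_id]

    def revoke(self, key_id: str) -> None:
        self.keys.pop(key_id, None)

    def handle(self, req: Request, now: float) -> Response:
        key_id = req.headers.get("X-Key-Id", "")
        ts = req.headers.get("X-Timestamp", "")
        sig = req.headers.get("X-Signature", "")
        secret = self.keys.get(key_id)
        if secret is None:
            return Response(401, "unknown or revoked key")
        if not ts.isdigit() or abs(now - int(ts)) > self.REPLAY_WINDOW:
            return Response(401, "stale timestamp")
        expected = hmac.new(secret, _canonical(req, key_id, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            return Response(401, "bad signature")
        return Response(200, json.dumps({"echo": req.body, "key": key_id}))


class CustomerBackend:
    """The customer's own server: the only place the provider secret lives."""

    def __init__(self, provider: ProviderAPI, key_id: str, secret: bytes):
        self.provider, self.key_id, self.secret = provider, key_id, secret
        self.sessions = {"sess-123": "alice"}  # constructed end-user session store

    def rotate(self, key_id: str, secret: bytes) -> None:
        # Rotation touches this one process; deployed end-user apps are untouched.
        self.key_id, self.secret = key_id, secret

    def proxy(self, req: Request, now: float) -> Response:
        # Authorise the end user with the customer's own session, then sign upstream.
        if self.sessions.get(req.headers.get("Cookie", "")) is None:
            return Response(403, "end user not logged in")
        upstream = Request(req.method, req.path, req.body)
        return self.provider.handle(sign(upstream, self.key_id, self.secret, now), now)


def run_demo() -> dict:
    """Exercise the flow and return the HTTP status seen in each scenario."""
    provider = ProviderAPI()
    secret = provider.issue_key("acme-k1")
    backend = CustomerBackend(provider, "acme-k1", secret)
    now = time.time()
    user_req = lambda: Request("POST", "/v1/items", '{"n":1}', {"Cookie": "sess-123"})
    results = {"via_backend": backend.proxy(user_req(), now).status}
    # End user (or a thief of the shipped app) calls the provider directly: no secret to sign with.
    results["direct"] = provider.handle(Request("POST", "/v1/items", '{"n":1}'), now).status
    # A captured signed request whose body was altered.
    tampered = sign(Request("POST", "/v1/items", '{"n":1}'), "acme-k1", secret, now)
    tampered.body = '{"n":999}'
    results["tampered"] = provider.handle(tampered, now).status
    # A captured signed request replayed an hour later.
    stale = sign(Request("POST", "/v1/items", '{"n":1}'), "acme-k1", secret, now - 3600)
    results["replay"] = provider.handle(stale, now).status
    # Key leaks: revoke it at the provider, then rotate at the backend only.
    provider.revoke("acme-k1")
    results["after_revoke"] = backend.proxy(user_req(), now).status
    backend.rotate("acme-k2", provider.issue_key("acme-k2"))
    results["after_rotate"] = backend.proxy(user_req(), now).status
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the end-user app in this model carries only a session cookie for the customer's backend, so neither the shipped binary nor a captured request yields anything reusable against the provider, and rotating the key after a compromise is a single configuration change on the customer's server.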