 

Questions About Consuming Your Own API with OAuth

I'm building a RESTful API for a project I'm working on and I'd like to make the main application consume the API because:

  1. It will result in having one set of code to maintain
  2. Should we decide to expose the API for 3rd party devs it will already be done
  3. It opens up the possibility to make mobile applications that consume it
  4. I really want to learn how to do it

The API will be hosted on a subdomain https://api.example.com and the main web application will be hosted at the root domain https://example.com.

Conceptually I understand how everything works, but my main question is how the authentication flow will change if, at all. Ordinarily 3rd party apps would:

  1. Obtain a request token from https://api.example.com/request_token
  2. Redirect the user to authenticate on https://api.authenticate.com/authorize
  3. Get redirected back to the 3rd party application
  4. Obtain an access token from https://api.example.com/access_token

Since I control both domains, can I do something similar to:

  1. Obtain a request token when the user lands on the login screen at https://www.example.com
  2. The user authenticates using a form on https://www.example.com that calls the same code as https://api.example.com/authorize
  3. If the credentials are valid, the request token is swapped for the access token
  4. Access token is saved in the session and expires when the user logs out like it normally would

Step 3 feels like it's wrong since there will be duplicate code, but wouldn't it open me up to XSS attacks if the login form on https://www.example.com sent the data to https://api.example.com, since they are technically different domains?

Am I overcomplicating this?

Steve asked Dec 15 '11 22:12




1 Answer

I have come across the same issue and solved it like this.

  1. For third party apps using my API, they have to authenticate via OAuth on all requests.

  2. For my own third party clients (mobile, AIR, etc.) they use OAuth, with the difference that I allow these to send username and password directly in the authorization step (so I can make a native login dialogue). This is provided that your API is over SSL/HTTPS.

  3. For my web application, I use cookie authentication to access the APIs. I.e. after having logged in, the user can simply call API URLs and get JSON/XML back. Also nice for quickly exploring the APIs (although a real API console like APIGee does a better job there).

Jon Nylander answered Oct 02 '22 14:10