 

REST API multi-tenant security

I have a question about RESTful APIs and security in a multi-tenant environment.

Imagine you have an endpoint: api/branches/:branchId/accounts/:accountId

Authentication is done through Bearer Tokens (OAuth2). Each token includes a set of claims associated with the invoking user. A branchId claim is included in the token, and each user belongs to a single branch.

The security restrictions are the following:

  1. The branchId of the GET request should match the one stored on the token claim.
  2. accountId should be a valid account inside the branch identified by branchId.

The question is: which of the following solutions is correct?

  1. Maintain the endpoint: api/branches/:branchId/accounts/:accountId. And do the required security checks.
  2. Change the endpoint to: api/accounts/:accountId, obtain the branchId from the token, and then do the remaining security checks.

The application is meant to be multi-tenant. Each branch is a tenant, and each user may only access the information associated with its single branch. Thanks!

Jose Ch. asked Oct 08 '14 15:10


1 Answer

I needed to make a decision fast, so I will be using solution 1. If anybody has an argument against or in favor please join the conversation.

Arguments in favor:

  1. I totally agree with this answer: https://stackoverflow.com/a/13764490/2795999. Using the full URL allows you to more efficiently decide which data store to connect with, and to distribute load accordingly.
  2. In addition, you can easily implement caching and logging, because the full URL is descriptive enough.
  3. Independence of security and API. Today I am using OAuth2, but perhaps tomorrow I can send the request signature, and because the URL has all the information to fulfill the request, it will work.

Arguments against:

  1. Information redundancy: the branchId is on the URL and encrypted on the token.
  2. A little more effort to implement.
Jose Ch. answered Oct 10 '22 13:10
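The two security checks from the question, written out for solution 1 (branchId kept in the path) with solution 2 (branchId taken from the token) beside it for contrast. This is an added example, not code from the poster; it assumes the bearer token has already been verified and parsed into a claims dict, and uses a constructed in-memory account store keyed by (branch, account) so that every lookup is tenant-scoped.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. Keying the store by (branch_id, account_id) means an
# account can only be found through its own branch; a store keyed by account_id
# alone would rely on a separate "does this account belong to the branch" check
# that a later code path could forget.
ACCOUNTS = {
    ("br-1", "acc-100"): {"owner": "alice", "balance": 250},
    ("br-2", "acc-200"): {"owner": "bob", "balance": 900},
}


@dataclass
class Decision:
    status: int                      # HTTP status the handler would return
    account: Optional[dict] = None   # resource body on 200, otherwise None


def lookup_in_branch(branch_id: str, account_id: str) -> Decision:
    """Check 2: accountId must resolve inside the given branch. Because the
    branch is part of the lookup key, an account from another tenant is simply
    not found (404) rather than found and then rejected."""
    account = ACCOUNTS.get((branch_id, account_id))
    if account is None:
        return Decision(status=404)
    return Decision(status=200, account=account)


def get_account_solution1(claims: dict, branch_id: str, account_id: str) -> Decision:
    """GET api/branches/:branchId/accounts/:accountId.
    Check 1: the branchId in the path must equal the branchId claim in the token.
    A token without the claim is treated as not authorised for any branch."""
    token_branch = claims.get("branchId")
    if token_branch is None or token_branch != branch_id:
        return Decision(status=403)
    # The scope passed down is the token's branch; after check 1 it equals the
    # path value, so the path can never widen the query.
    return lookup_in_branch(token_branch, account_id)


def get_account_solution2(claims: dict, account_id: str) -> Decision:
    """GET api/accounts/:accountId. The branch is implied by the token, so
    check 1 disappears and only the tenant-scoped lookup remains."""
    token_branch = claims.get("branchId")
    if token_branch is None:
        return Decision(status=403)
    return lookup_in_branch(token_branch, account_id)
```

Both handlers end in the same tenant-scoped lookup; the difference the answer weighs is whether the request URL alone carries enough information to route, cache and log it.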