restful api authentication confusion with oauth2

I did some investigation about RESTful API authentication. Most people pointed to OAuth2 for RESTful API authentication. I looked into some resources, especially this link https://developers.google.com/accounts/docs/OAuth2.

It seems to me OAuth2 is for a third-party app to access users' data in Google/Facebook (or another data provider).

Our problem is that we own the data; we don't need to access any of our clients' third-party data and our clients don't have to access any third-party data. We want to protect our API with some sort of authentication.

For our case, what are the convenient technologies for our RESTful API authentication? We will expose our API like this:

 https://ourdomain.com/api/<endpoint> 

Our clients can first access a website to register, https://ourdomain.com, and they should be able to get a clientId and clientKey from our website for accessing the APIs. Our clients should be able to consume the APIs through some sort of authentication.

wwli asked Apr 22 '13 19:04



1 Answer

In OAuth 2.0, there are several grant types. A grant type is just a way to exchange some sort of credentials for an access token. Typically OAuth refers to 3rd-party usage with an Authorization Code Grant. This means redirecting the user to the resource owner's website for authentication, which will return an Authorization Code.

This clearly doesn't make sense for 1st-party OAuth use, since you ARE the resource owner. OAuth 2.0 has considered this and included the Resource Owner Password Credentials Grant for this purpose. In this case, you can exchange a username and password for an access token at the first-party level.

See https://www.rfc-editor.org/rfc/rfc6749#section-4.3 for more details.

BeniRose answered Oct 06 '22 01:10
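The first-party token exchange discussed above, as an added example that is not part of the original question or answer: a minimal in-memory OAuth 2.0 token endpoint in Python that implements the Resource Owner Password Credentials grant (RFC 6749 section 4.3, the one the answer points to) and the Client Credentials grant (section 4.4, which is the grant that fits clients holding only a clientId and clientKey and acting for themselves), plus the bearer-token check a protected `/api/<endpoint>` handler performs (RFC 6750). The client registration, the user record, the handler names and the token lifetime are all constructed for the example.

```python
"""Minimal first-party OAuth 2.0 token endpoint and protected resource.

Added example, not code from the original page. Implements two RFC 6749
grants that fit a first-party API: resource owner password credentials
(section 4.3) and client credentials (section 4.4). Storage is an in-memory
dict; client ids, secrets and the user record are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample registration: what the signup page would hand a client.
CLIENTS = {"client_123": "key_s3cret"}
# Constructed sample user. The password is stored as a salted SHA-256 digest
# only to keep the example dependency-free; use scrypt/argon2 in real code.
USER_SALT = b"static-salt-for-demo"
USERS = {"alice": hashlib.sha256(USER_SALT + b"hunter2").hexdigest()}

TOKEN_TTL = 3600  # seconds; assumed lifetime for issued access tokens
_tokens = {}      # access_token -> {"client_id", "sub", "scope", "exp"}


def _check_client(client_id, client_secret):
    """Authenticate the client (RFC 6749 section 2.3) in constant time."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        # Compare against a dummy so unknown ids cost the same as wrong keys.
        hmac.compare_digest(b"x" * 16, client_secret.encode())
        return False
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def _issue(client_id, subject, scope, now):
    """Mint an opaque bearer token and record who it was issued to."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"client_id": client_id, "sub": subject,
                      "scope": scope, "exp": now + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "scope": scope}


def token_endpoint(form, now=None):
    """POST /oauth/token handler; `form` is the decoded request body.

    Returns (status, json_body) shaped as in RFC 6749 section 5.
    Section 4.3.2 / 4.4.2: a client that was issued credentials must
    authenticate on every grant, so that check comes first.
    """
    now = time.time() if now is None else now
    if not _check_client(form.get("client_id", ""),
                         form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    scope = form.get("scope", "api")
    if grant == "client_credentials":
        # Section 4.4: the client acts for itself; no end user involved.
        return 200, _issue(form["client_id"], form["client_id"], scope, now)
    if grant == "password":
        # Section 4.3: the first-party app forwards the user's own credentials.
        username = form.get("username", "")
        password = form.get("password", "")
        digest = hashlib.sha256(USER_SALT + password.encode()).hexdigest()
        stored = USERS.get(username, "0" * 64)  # dummy keeps timing uniform
        if username not in USERS or not hmac.compare_digest(stored, digest):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(form["client_id"], username, scope, now)
    return 400, {"error": "unsupported_grant_type"}


def protected_resource(headers, now=None):
    """GET /api/<endpoint> handler: validate the bearer token (RFC 6750)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "invalid_request"}
    rec = _tokens.get(token)
    if rec is None or rec["exp"] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"hello": rec["sub"], "client": rec["client_id"]}


if __name__ == "__main__":
    status, body = token_endpoint({"grant_type": "client_credentials",
                                   "client_id": "client_123",
                                   "client_secret": "key_s3cret"})
    print(status, body)
    print(protected_resource({"Authorization": "Bearer " + body["access_token"]}))
```

Two points worth keeping in mind when turning this into a real service. First, the client is authenticated on every token request regardless of grant, which is what RFC 6749 sections 4.3.2 and 4.4.2 require once a client has been issued credentials; the clientId/clientKey pair from the question is exactly that client credential. Second, the OAuth 2.0 Security Best Current Practice now says the password grant must not be used, because it teaches users to hand their password to an application; for a first-party browser or mobile app the recommended replacement is the authorization code grant with PKCE against your own authorization server, and for server-to-server clients the client credentials grant shown here.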