I am building my own API which is being used by:
1) Android App
2) Desktop Application
One of my URLs is this: http://api.chatapp.info/order_api/files/getbeers.php from which my users get data from my database through JSON. I was thinking lately to create authentication with an API Key.
Any ideas on how to do it? Or do I have to do something like http://api.chatapp.info/order_api/files/getbeers.php?api_key= and then compare the GET method with some key stored in my database?
Any ideas?
API keys are generally not considered secure; they are typically accessible to clients, making it easy for someone to steal an API key. Once the key is stolen, it has no expiration, so it may be used indefinitely, unless the project owner revokes or regenerates the key.
HMAC Authentication is common for securing public APIs whereas Digital Signature is suitable for server-to-server two way communication. OAuth on the other hand is useful when you need to restrict parts of your API to authenticated users only.
As @mike mentioned, OAuth is a complex API, and more importantly requires a third service endpoint running somewhere to provide the authentication/authorization for access.
One thing you definitely don't want to do is include the API key in the URL. That's very easily replayed and/or spoofed, and it is identified by proxies and captured in log files. A better solution is to include the API key as an additional HTTP header in your request, and look for that specific value in your API endpoint.
For a simple use case like you're suggesting, you may find it worthwhile to authenticate the API call with a key that you keep as a shared secret between your Android app and the API endpoint. If you take this route, it's not easily changeable, and if compromised it means a real PITA to get a new key enabled and in place.
If you use a "shared secret", then I recommend making it relatively easy (or at least having some UI) for the users to update that key in case it's compromised. I'm presuming you can update your web service fairly easily. This process isn't as secure as OAuth or OAuth2, but is definitely simpler and faster to implement, while still providing a reasonable level of "security" (where security in this case means "you're allowed to access this API").
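The two answers above make the same pair of points: keep the key out of the URL (a header instead), and prefer something like HMAC over a bare shared secret so a captured request cannot simply be replayed. The following is an added example, not code from the question or any of the answers, and it is written in Python rather than the PHP of the original endpoint so the scheme is easy to read. The key ids, secrets and the `API_KEYS` table are constructed stand-ins for a row in the asker's database; the header names are assumptions. The client sends a key id plus a timestamp and an HMAC over method, path, timestamp and body; the server looks up the secret for that id, rejects stale timestamps, and recomputes the MAC with a constant-time comparison, so the secret itself never travels and a logged request is useless once the time window closes.

```python
import hashlib
import hmac
import time

# Constructed stand-in for the api_keys table: key id -> shared secret.
# In a real service the secret lives in the database or a secrets store, not in source.
API_KEYS = {
    "android-app-v1": b"constructed-secret-for-android-app",
    "desktop-app-v1": b"constructed-secret-for-desktop-app",
}

# A signature older or newer than this many seconds is refused, which bounds replay.
CLOCK_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """The exact bytes both sides sign; any change to method, path, time or body breaks the MAC."""
    return "\n".join([method.upper(), path, str(timestamp)]).encode() + b"\n" + body


def sign_request(key_id, secret, method, path, body=b"", now=None):
    """Client side: build the auth headers. Only the key id and a MAC travel, never the secret."""
    timestamp = int(now if now is not None else time.time())
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {
        "X-Api-Key": key_id,            # assumed header name
        "X-Timestamp": str(timestamp),  # assumed header name
        "X-Signature": mac.hexdigest(), # assumed header name
    }


def verify_request(headers, method, path, body=b"", now=None):
    """Server side (what getbeers.php would do first): returns (ok, reason)."""
    secret = API_KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - timestamp) > CLOCK_SKEW_SECONDS:
        return False, "stale request"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest does not short-circuit on the first differing byte, so response
    # timing does not reveal how much of a guessed signature was correct.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    path = "/order_api/files/getbeers.php"
    headers = sign_request("android-app-v1", API_KEYS["android-app-v1"], "GET", path)
    print(verify_request(headers, "GET", path))                  # (True, 'ok')
    print(verify_request(headers, "GET", "/order_api/files/x.php"))  # signature no longer matches
    print(verify_request(headers, "GET", path, now=time.time() + 3600))  # replayed an hour later
```

Rotating a compromised key is then a matter of replacing one row in `API_KEYS` and shipping the new secret to the affected client, which is the "make it easy to update" advice above; the timestamp window means the service should keep its clock synchronised, otherwise legitimate clients are refused as stale.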
OAuth is a complicated protocol and would be better learned by Googling and reading the documentation, but this is probably a good option to secure your API endpoints.
In short, OAuth is a way for a user to gain access to your API by proving they are allowed access and then by using a secure "access token" that you provide.
The client requests an access token from the API server by passing an "api-key" and some sort of "secret key". These are provided to your API user when they register to use your API.
If the credentials passed to the API server from the client are correct, then the API server responds with an "access token". This access token is good for a certain amount of time and should be sent with all subsequent requests to prove that the client was granted access to use the API.
The client makes an API request for data from your API server and must include the "access token". If the "access token" is included and is still valid (i.e. has not expired) then you can respond with the data they requested.
Here are some links to resources to help you learn how to implement OAuth in your API.
OAuth Docs
http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/
http://www.devx.com/webdev/create-your-own-rest-api-using-oauth-authentication.html
See this link for a comparison of OAuth 1.0 and OAuth 2.0 to determine which is better to use in your case.
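The three steps in the answer above (register, exchange credentials for an access token, send the token with every data request) can be shown end to end in a few dozen lines. This is an added example, not the answer's code and not a full OAuth implementation; it is in Python so it can be read alongside the PHP endpoint from the question. The registered client id and secret, the token lifetime and the in-memory stores are constructed stand-ins for database rows. The server stores only a hash of each token, so a copy of the token table does not let anyone reuse the tokens, and it checks expiry on every call before returning data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed registration data: the "api-key" and "secret key" the user received when they
# registered to use the API. A real service stores the secret hashed, like a password.
REGISTERED_CLIENTS = {
    "android-app": "constructed-android-secret",
}

TOKEN_LIFETIME = 3600  # seconds a token stays valid (assumed value)

# Token store: sha256(token) -> (client_id, expires_at). Only the hash is kept server-side.
_TOKENS = {}


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(client_id, client_secret, now=None):
    """Token endpoint: check the registered credentials and hand out a short-lived bearer token."""
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    now = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; never derived from user data
    _TOKENS[_token_key(token)] = (client_id, now + TOKEN_LIFETIME)
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}


def client_for_request(headers, now=None):
    """Resource endpoint (e.g. getbeers.php): return the client id if the request carries a
    valid, unexpired token in the Authorization header, otherwise None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    key = _token_key(auth[len("Bearer "):])
    entry = _TOKENS.get(key)
    if entry is None:
        return None
    client_id, expires_at = entry
    now = now if now is not None else time.time()
    if now >= expires_at:
        _TOKENS.pop(key, None)  # expired: drop it so the store does not grow without bound
        return None
    return client_id


def get_beers(headers, now=None):
    """What the data endpoint does: refuse without a valid token, otherwise return the (constructed) data."""
    client_id = client_for_request(headers, now)
    if client_id is None:
        return {"status": 401, "error": "invalid or expired access token"}
    return {"status": 200, "beers": ["constructed-beer-1", "constructed-beer-2"]}


if __name__ == "__main__":
    grant = issue_token("android-app", "constructed-android-secret")
    print(get_beers({"Authorization": "Bearer " + grant["access_token"]})["status"])  # 200
    print(get_beers({"Authorization": "Bearer not-a-real-token"})["status"])          # 401
```

The client keeps the token in memory and re-runs `issue_token` when it receives a 401, which is exactly the flow the answer describes; what a real OAuth2 server adds on top is refresh tokens, scopes and the standard endpoint shapes, which is why the links above are worth reading before building more than this.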
If you need to authenticate users, then I would go with OAuth. If not, then I would go with adding an encrypted checksum of the request parameters to a custom request header.