Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Single sign-on support for REST APIs

Tags:

rest

oauth

oauth-2.0

single-sign-on

saml-2.0

I am trying to find the best way to solve the following problem: our application is SaaS, and it supports SAML for web login. The application also exposes REST APIs that are supposed to be used in automated and unattended processes, meaning there is no interactive user to type credentials. We need to allow developers to programmatically authenticate the unattended process against the relevant IdP (which is already defined, because the same credentials used for API access can also be used to access the web application).

The flow I imagine is as follows: the program authenticates using a dedicated API, gets a token and uses the token for the next calls.

Most of the answers I find when searching for best ways to secure REST APIs suggest oAuth, which normally requires an interactive user, because they discuss an interactive application tryign to access REST APIs in other system on behalf of the user, who is there to type in the password. Is oAuth the answer for my challenge as well? If so, what is the flow?

Thanks!

like image 536
Moshe B. Avatar asked Dec 28 '14 14:12

Moshe B.

1 Answers

Indeed OAuth 2.0 can be used for this use case because it allows so-called clients (i.e. your unattended processes) to obtain an access token granted by developers and use that token against your APIs.

A typical flow to use here is the code flow: you would run an Authorization Server that issues tokens to clients if consented to by developers. Developers would login to the Authorization Server using SAML Web SSO.

Note that it does not require an active user at the time of accessing the REST API, but it would require one at the time of token issuance. I believe that is what you are actually looking for. If not, there are other flows that can be leveraged that don't require an active user at all, but I believe they are not suitable for this particular use case; after all you want the clients to operate on behalf of the developers.

Your Authorization Server may also issue a refresh token to the client in addition to an access token so that upon expiry of the old access token, your client can get a new access token from the Authorization Server using the refresh token, without having to (interactively) involve the developer again.

like image 109
Hans Z. Avatar answered Sep 28 '22 00:09

Hans Z.
Sign in to Comment

Related questions

Cache acces token using Spring Oauth2
Official way to implements PATCH method in REST with partial update
Tomcat 7 , Spring rest template application producing err_invalid_chunked_encoding in browser
Limiting access to a WCF REST (webHttpBinding) Service using the ASP.NET Membership Provider?
Should a given URI in a RESTful architecture always return the same response?
JAX-RS Encoding
Unit-testing Jersey with Mocks
Mapping multiple resources from one ObjectManager in RestKit
Looking for RESTful approach to update multiple resources with the same field set
server-to-server REST API security
standard way to represent a foreign key relation in a json rest web service
magento access denied
Symfony2 website and RESTful API
JAX-RS, how to prevent user A from accessing user B's restful resource
API subdomain for Heroku app, is it possible?
HTTP 405 -- web server compliance
Django REST Framework PATCH fails on required fields
Why are authentication tokens considered stateless and sessions not?
Restful Web service Authentication and Authorization with Apache Shiro
Multiple REST Requests in parallel with FireMonkey

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!