Web API authentication and authorization (OAuth)

Consider the following (common) scenario. I will first try to specify what I understand a (nice) Web API should look like, using OAuth. Please do correct me if I got any of the flows wrong.

My API: the center of attention, all clients use this.

My Web App: Uses the API just like any other client would.

My Mobile App: Also uses the API, the same exact way as the web app. Users should be able to authenticate without opening a browser.

3rd party Web App: Also uses the API - however, the user/resource owner must grant permission for the app to do something. They do this by redirecting to my site (or opening a popup to it), logging the user in if necessary, and prompting the user for access.

3rd party Mobile App: Same requirements as the 3rd party web app.


The Question(s)

  • Should the API handle authentication and authorization?
  • How does the API know who (the resource owner that is using the client application) is using the API?
  • When a user is using my official clients, they should obviously not have to grant any permissions - my clients should have all permissions. How would I distinguish between my official clients, and 3rd party clients when calling the API?

Here is what I understand, and would do so far. This is where I really need help - getting this done right.

Official Web app

- Client attempts to `GET /api/tasks/`.
- API says "who are you?" (HTTP 401)
- Official web app redirects to login form.
- Bob enters his credentials.
- .. now what? Get an authentication token? Cookie?
  • Since the web app is just a consumer of my API, how would I manage the logged-in state? Should the web app do that?
  • Should the web app have direct access to the users database instead of verifying credentials against the API?

I am using .NET (C#) primarily, but I'd love an approach that is applicable to, say, Node JS based APIs as well.

How would you go about this? Especially the client flows are a problem for me. The reason I ask is that I have read that you should not roll your own security solution unless absolutely necessary, so if there are any standard-ish guidelines for this, do let me know. :)

Jeff asked Oct 21 '13 17:10


1 Answer

Take a look at the new Web API 2 OAuth stuff.

Basically fire up a new web API project and ensure you select to change the authentication.

Then, it's a simple case of calling the register controller. This then creates a token for you which can then be sent in the header of each request for that user.

Check out the API calls using Fiddler and create some mock-up accounts.

CSharpNewBee answered Oct 03 '22 02:10