All geek questions in one place

A universal way to authenticate clients and protect RESTful api

I rummaged through stackoverflow / security.stackexchange streams and did not receive specific answers for providing a universal way for clients to safely consume RESTful services that I create through asp.net web api. When searching for this answer, I see that “authorization” and “authentication” are used interchangeably, so I want to point out that I just want to check the identification and legitimacy of the requests. So, at the moment I am not authenticating users.

The Amazon model is apparently the one referenced when it “collapses its own,” but in this context, I understand that Amazon has provided “documents” for each of them, so there’s not much rethinking here. This post Designing Safe REST (Web) APIs without OAuth was very helpful.

I'm going to:

  • The application must require SSL requests, so the GET at http://myapi.com/users/1 "must be rejected with an incorrect response to the request, allowing the developer to know https is not required.
  • The key / secret of the application must be provided by the client to verify who they are.
  • SSL + certificates are a good idea.
  • Require nonce value
  • When a client registers their application, you must enter the URL and IP address so that they send requests for verification after receiving the request. I am worried about the portability of an external application, that is, the application is being transferred to a new server with a different IP address, and now it does not work.

I have few problems with 2, which perhaps my mind cannot turn around. Firstly, is this not a secret application that should be kept secret? So, if a javascript client makes a request, does this not violate the security of the application key? Why is your application secret when I can check the request identifier using a combination of checking the application key, nonce value and server ip? I understand that a server-side language such as php, ruby ​​or C # .net will not reveal the secret, but I would like it to be universally safe for JS and compiled languages.

Finally, Facebook has a developer security checklist that tells developers: “Never add your app secret to client or decompiled code,” which will offer me encrypted web.config or the like. This solution will not work in order to expose the REST service to any user using javascript.

Other topics I combed:
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
https://developers.facebook.com/docs/facebook-login/security/
Recommendations for protecting a REST API / web service
REST authentication scheme security
Basic HTTP authentication instead of TLS client certification
RESTful Authentication

+5
source share
1 answer

How I protect my application with OpenID Connect. For example, the client you are talking about in # 2 will be an RP (resource provider), and an authentication system such as Google will be your OP (OpenID provider)

The key / secret of the application must be provided by the client to verify who they are.

will actually be your application, and your client secret will not leave your server any bigger than your /etc/passwd . This secret is what RP uses to talk to the OP to get data.

Flow in a nutshell

  • A user connects to your API endpoint, for example. /restapi
  • The endpoint redirects the user to Google where you registered your application.
  • The user subscribes to the OP (for example, Google) and receives the code to go to the RP
  • RP will go into OP to get openid information, for example. E-mail address
  • RP will use this public information to find its own authorization tables.
  • Once the RP checks the authorization for the RP user, you will provide the rest of the information.
0
source

Source: https://habr.com/ru/post/1205884/

More articles:


All Articles