Secure third-party API calls for a mobile application

I have an API with the following method:

https://api.example.com/services/dosomething 

I provide this service to three different mobile applications, each of which has hundreds of users. When a user logs into a mobile application, I need to make a call to my API.

I know that giving each of the three mobile applications a different API key and using HTTP basic authentication is not secure, since the API key will be stored on the device, where any user can extract it and misuse it.

The OAuth2 approach does not work, because I only have information about my three clients, and not about their hundreds of users.

What is the best approach to protect my API calls on mobile?

1 answer

In your case, your approach with OAuth2 is good: mobile applications (clients) receive a delegation from resource owners (your users) to call protected resources on the resource server (your API).

You only have information about your clients, because OAuth2 is not intended to authenticate your users, but to authorize your clients. Clients are identified by a client identifier. In your case, if you want to know which client calls your resource server, each client must have a dedicated client identifier. You can also identify it using other information, such as the IP address or the User-Agent header in the requests it sends.

If you want to know who your users are, you must implement the OpenID Connect extension. This extension runs on top of an OAuth2-based authorization server. User authentication is performed by the authorization server, and an ID token is issued containing user information. The client (the mobile application) should never receive or store user credentials.

There is a great video where both protocols are explained (especially from 4:44 to 11:00).

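The flow the answer describes, as an added example that is not part of the original post: a public mobile client (no embedded secret, which is what addresses the API-key concern in the question) runs the OAuth2 authorization code flow with PKCE against an assumed authorization server, receives an access token for the API that carries both the client_id and the user's sub, plus an OpenID Connect ID token for the app itself, and the resource server checks signature, issuer, audience and expiry before trusting either claim. The issuer and client names, the sample user, and HS256 with a key shared between authorization server and resource server are assumptions for illustration; a real deployment would use an asymmetric key published via JWKS and TLS-protected HTTP endpoints.

```python
"""Minimal OAuth2 authorization-code + PKCE flow with an OpenID Connect ID token.

Added example, not code from the original post. The names mobile-app-1,
https://auth.example.com, the sample user and the HS256 signing key are all
assumed for illustration.
"""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://auth.example.com"        # assumed authorization server
API_AUDIENCE = "https://api.example.com"   # the resource server from the question
SIGNING_KEY = secrets.token_bytes(32)      # assumed: key shared by AS and RS (HS256)

# Public clients are registered by client_id only. No secret ships inside the
# app, so there is nothing on the device worth extracting; PKCE binds the code
# exchange to the app instance that started the login instead.
REGISTERED_CLIENTS = {"mobile-app-1", "mobile-app-2", "mobile-app-3"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def jwt_verify(token_str: str, audience: str) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    header, body, sig = token_str.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != audience:
        raise ValueError("wrong issuer or audience")
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims

# --- Mobile client side: PKCE (RFC 7636) ---
def pkce_pair():
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

# --- Authorization server ---
_codes = {}  # single-use authorization codes, keyed by code value

def authorize(client_id, code_challenge, user):
    """The user authenticates at the AS (simulated by `user`); the app never sees the password."""
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown client")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "challenge": code_challenge, "user": user}
    return code

def token(client_id, code, code_verifier):
    entry = _codes.pop(code, None)  # a code can be redeemed exactly once
    if entry is None or entry["client_id"] != client_id:
        raise ValueError("invalid code")
    if b64url(hashlib.sha256(code_verifier.encode()).digest()) != entry["challenge"]:
        raise ValueError("PKCE verification failed")
    now = int(time.time())
    user = entry["user"]
    # Access token: for the API, names both the calling client and the user.
    access_token = jwt_sign({"iss": ISSUER, "aud": API_AUDIENCE, "sub": user["sub"],
                             "client_id": client_id, "scope": "dosomething",
                             "iat": now, "exp": now + 600})
    # ID token (OpenID Connect): for the app, tells it who logged in.
    id_token = jwt_sign({"iss": ISSUER, "aud": client_id, "sub": user["sub"],
                         "name": user["name"], "iat": now, "exp": now + 600})
    return {"access_token": access_token, "id_token": id_token}

# --- Resource server: api.example.com/services/dosomething ---
def dosomething(bearer_token):
    claims = jwt_verify(bearer_token, API_AUDIENCE)
    return {"client": claims["client_id"], "user": claims["sub"], "scope": claims["scope"]}

def run_flow(client_id="mobile-app-1", user=None):
    user = user or {"sub": "user-42", "name": "Alice"}  # constructed sample user
    verifier, challenge = pkce_pair()
    code = authorize(client_id, challenge, user)
    tokens = token(client_id, code, verifier)
    api_result = dosomething(tokens["access_token"])
    who = jwt_verify(tokens["id_token"], client_id)      # the app reads the ID token
    return api_result, who["name"]

if __name__ == "__main__":
    print(run_flow())
```

Note that the resource server answers the question's "which of my three apps is calling" from the client_id claim, while the user identity comes from sub, without the API ever needing its own user database. The ID token is deliberately audience-bound to the app, so presenting it to the API is rejected; the access token is what the API accepts.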

Source: https://habr.com/ru/post/1242843/