What is the best practice for API authentication?

I want to create token-based authentication for my web APIs so that third-party applications can access these APIs.

There is no user interaction and no delegation; roles and connected applications are managed manually from the management portal.

With these requirements, what's the best practice for getting a JWT token?

Do I need a protocol like OpenID or OAuth2, or can I just expose an endpoint that accepts the API key and returns a security token if the API key is valid?

+5
3 answers

So, I understand that your requirement is machine-to-machine communication. If so, the easiest way is to implement the “OAuth 2.0 client credentials flow” (see the documentation).

The above method is only suitable if your data is not highly sensitive.

Another option would be to implement the entire authorization server, either using native code or using third-party frameworks, and follow the “OAuth 2.0 Authorization Code Grant flow” (see the documentation).

This option will be expensive, and I recommend it first.

+2
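The client credentials exchange this answer recommends, as an added example that is not from the original thread: a minimal token endpoint handler and the matching resource-server check, written with only the Python standard library. The signing key, the `orders-api` audience and the `partner-app` client registry are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumptions (not from the thread): one HS256 key shared by the token endpoint and the
# resource API, and a constructed registry holding only a hash of each client secret.
SIGNING_KEY = b"example-hs256-key-replace-in-production"
AUDIENCE = "orders-api"
CLIENTS = {"partner-app": (hashlib.sha256(b"s3cr3t-partner").hexdigest(), {"orders:read"})}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(client_id, client_secret, requested_scope, now=None, ttl=3600):
    """Token endpoint for grant_type=client_credentials: a JWT response or an OAuth2 error."""
    now = int(time.time()) if now is None else now
    entry = CLIENTS.get(client_id)
    # Compare against a dummy hash for unknown clients so timing does not reveal valid client_ids.
    expected = entry[0] if entry else hashlib.sha256(b"").hexdigest()
    if not hmac.compare_digest(hashlib.sha256(client_secret.encode()).hexdigest(), expected) or entry is None:
        return {"error": "invalid_client"}
    scopes = set(requested_scope.split())
    if not scopes <= entry[1]:  # never grant more than the client was registered for
        return {"error": "invalid_scope"}
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://auth.example", "sub": client_id, "aud": AUDIENCE, "scope": " ".join(sorted(scopes)),
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"access_token": signing_input + "." + _b64url(sig), "token_type": "Bearer", "expires_in": ttl}

def verify_token(token, required_scope, now=None):
    """Resource-server check: pinned algorithm, signature, audience, expiry, scope. Claims or None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject alg=none / algorithm confusion
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(s), expected):
            return None
        claims = json.loads(_b64url_decode(c))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now or required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

The client secret here plays the role of the API key from the question; the difference from a bare key is that the short-lived, scoped token is what reaches the API, not the long-lived credential.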

First, I want to explain the difference between OAuth and OpenID. User adrianbanks contrasts the two well in this answer. To sum up, OpenID is about authentication - proving who you are - whereas OAuth is about authorization - what functions, data and applications you have access to. Now back to your question.

Whether you need OAuth or not, you should look into OWIN (Open Web Interface for .NET) middleware. We are currently using OWIN to implement our open API with the OAuth 2.0 Authorization Server. However, OWIN is not limited to implementing an OAuth authentication server. Definitely take a look to see if it can fit your needs.

In your case, an OAuth 2.0 implementation might not be necessary; however, this is what I recommend. For this problem, it is a good, safe solution. It will not only solve this problem, but also, in the future, if you want to allow users to authorize third-party integrations, OAuth - the safer option - will already be implemented.

If you don't have users using third-party integrations, you can use API keys. As long as you implement it in a safe way, this is a good option. If this is closer to what you are looking for, read this post about using API keys to securely authenticate (and authorize) third-party applications for an ASP.NET Web API project.

+5

I would recommend using a separate authentication server so that administration, authentication and authorization are kept separate from the logic / UI.

A good practice is https://github.com/IdentityServer/IdentityServer3.

+1

Source: https://habr.com/ru/post/1263968/
