All geek questions in one place

API Authentication Using the JavaScript SDK

I am creating a JavaScript SDK for our API. The API currently requires (2-legged) OAuth authentication. Obviously, this is not suitable for the JS SDK, since the key and secret are on a simple site (in the JS code).

Facebook only requires your application ID when you start your JS SDK, so I would like to implement something similar (or with the same simplicity). When a developer requests a key, we need an application domain. I was thinking about finding the IP address of the submitted domain (for example, myclientapp.com has 192.168.0.0 IP). And then authentication of the JavaScript requests by verifying the IP address of the remote hosts.

Is this the best / easiest way to do this?

UPDATE: because Rup indicated that the remote IP address will be the client and therefore will not match the IP address of the applications. So that. Therefore, to repeat, I'm looking for a solution that will allow me to apply some form of authentication in my JavaScript-sdk for my API, which cannot be faked by someone else (trying to be someone in an elses application).

Thanks,

Gavin

+4
source share
1 answer

Authenticate the user.

Have the (declared but unreliable) application identifier passed to your init() , jsonp in your domain, or either:

  • Returns the code valid for executing API requests if the user is registered * and has already allowed the application.
  • Follow the pop-up window on your site (or redirect or something else) to log in (if necessary) and authorize the application.

You will have control over the user interface during authentication, and you can perform some human verification of the application identifier (show the claimed logo, name, etc.).

This suggests that you even have a concept of users, like Facebook does.

* Check cookies, not all browsers accept them in response to ajax requests; but all browsers will send them.

+1
source

Source: https://habr.com/ru/post/1347108/

More articles:


All Articles