All geek questions in one place

Finding Authentication / Impersonation Strategies for RESTful APIs

I have a requirement to enable impersonation ("act like") in my API. Thus, a user with the appropriate permission can use the API as another user. I wonder if there are certain strategies in this space?

I can create an endpoint to start and complete the impersonation. The start of an impersonation may include getting the user and his permission and loading them into memory for the current request, quite simply. What about subsequent queries? Is it a bad practice to add an HTTP header meaning "Impersonated-User"? If this header exists, use it to authorize subsequent requests? How about using a cookie with this UserId? Or more information?

Is there any added benefit (assuming .NET impl) to assign Thread.CurrentPrincipal impersonated users? The current resolution and implementation of the role is ordinary, essentially using a bit array (although this is in the table for future changes).

+4
source share
1 answer

HTTP does not have built-in credentials / delegate impersonation support, so a combination of HTTP Basic Authentication with a custom header indicating which other client user is trying to act as it would be good.

I would not contaminate your API with the idea of ​​“beginning and ending impersonation”. This implies knowing the session state that must be maintained between API calls, and this will make server-side management more difficult.

I would simply ask the client to transfer all the necessary information (their creditors and the personifying principle) with each call and check them every time against the called resource.

+4
source

Source: https://habr.com/ru/post/1437724/

More articles:


All Articles