How much dog food should I eat? - Internal and external REST API & OAuth2

TL;DR - skip to the section marked Problem, although some context may be useful.

Some background

So I am scouring the web for answers to some questions I have about taking our internal API and opening it up for developers to use. Our API is already in production and is currently protected, where required, using standard sessions.

Now, I am already convinced that dogfooding our own api is a great idea, so we can skip that part. My question is really about how to make it internal and at the same time safely external; enter OAuth2.

On the front end we are an angular.js application spread across several sections of the site; I think it is important to stress that it is not a single-page application. On the backend we have django, and the REST api is built using django-rest-framework. I don't think the backend details really matter, but what is definitely worth noting is that django renders some of these pages. This means that in some cases angular is handed the data up front rather than requesting everything from the api. It also helps us make some sections of the site more SEO friendly. Once the page has been rendered and all the initial data has been handed to angular, everything is angular.js -> api.

The last thing to mention before I really get to the meat of the question is that the api currently has some public endpoints: content that is publicly available on the front end is by definition publicly available from the api, although this is probably something we want to change.

Some arguments

I have read the OAuth2 specification (almost) from start to finish several times, I have read every article I could find on the internet, I even bought a book on the subject, and for me there is only one piece missing, one key example that would help me venture into an implementation replacing our current authentication on our web platform with OAuth.

If we want to make our API available to third parties, OAuth2 seems to be the only sound choice at this point. Dogfooding the api will only improve it. That leaves us, ourselves, using access tokens. This is where I can't make a decision.

We have already begun splitting the API off from the main Django app (it is now written in flask), so adding oauth to the api will be a fairly natural step. We obviously cannot give angular the keys, so what are we left with?

Problem

Can we replace our session-based auth with OAuth2? Currently our internal api is authenticated using sessions. If we make the API available to third parties, how can we implement OAuth for the main web platform?

We default to https.

  • Is it safe to have the user log in (the resource owner password flow), which would very closely replicate our site's current functionality, and use that token directly? The token could be stored in django and simply passed to the angular js application as needed.

  • Do we need some kind of proxy between django and the api? Would this double the http requests, although that might not be so bad on the local network?

  • Could we handle it fully in angular using the implicit grant flow? As I understand it, if the user's token expired while the user remained logged in on the authentication server, angular could asynchronously request another token for its requests using

  • When a user comes to our site, the whole OAuth flow should be transparent to them. Does this make client credentials attractive? Perhaps there is some combination of this flow and an api proxy that might work, although it seems like a security risk, letting the website access everything with just a client_id and client_secret?

  • Is this what some of the big guys do? facebook, twitter, etc.

Honestly, none of the above seem like great options. It will have a terrible effect on onboarding; I can't imagine how painful working with these options in development would be. I mean, is this even a good idea? Is there something simpler that I am just overlooking?

The spec always hints at solutions for cases where you trust first-party applications, such as mobile clients, but to be honest I just don't feel inspired by any of the material I have come across for the case where the first party is actually a website.

I appreciate anyone who took the time to read this. As I mentioned, I have read everything I can find on these topics, and most of it boils down to: should I dogfood my own api, or how can we use a single login? What I'm looking for is information on how to actually implement these things in a practical sense and, hopefully, some pearls of wisdom from any souls who have achieved this in production.

Thanks for taking the time to read this.

+4
1 answer

I've been thinking about this for a while; I'm currently working on building an angular application that accesses a REST API built in node. Going by REST, I should not maintain a session and instead have to pass some user/password data along with each request.

Now it's obvious that many APIs are happy to stick with some kind of basic auth or api keys, thereby avoiding oauth2, but I wanted to log in with google / facebook, so a certain amount of token handling is required. The particular flow I use is:

  • The user accesses the angular application. Since they are not logged in, they are presented with a login page with the option to log in using google / facebook.

  • Assuming they click the login-with-google button, the link sends a request to my node server, which starts the Google authorization flow, redirecting the user to the Google login page.

  • They grant access to the application, and are then redirected back to the node server, which obtains the oauth2 token from google. The node server then stores this token for that specific user.

  • Finally, the node server redirects back to the angular application with the token in a header. This token is stored in the browser session and is used whenever the application makes an api request. If the api receives a valid token it responds accordingly, otherwise it returns an error, which the angular application picks up and redirects to the login page with an appropriate error notification.

If you open the API to third parties you would probably have to do a bit more work, but that's not something I've been thinking about too much right now.

0
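Tying the question's bearer-token concern and the answer's login flow together, here is an added example that is not code from either the question or the answer. It is a self-contained in-process simulation in Python (the question's api is being rebuilt in flask): AuthServer stands in for the identity provider (google in the answer), WebBackend for the confidential first-party server (the answer's node server, or django in the question), and ResourceApi for the REST api that accepts only a live bearer token. The class names, client id, secret, redirect URI, users and TOKEN_TTL are all constructed assumptions; no network calls are made.

```python
# Added example, not code from the question or the answer. Everything here is
# a constructed in-process simulation: AuthServer stands in for the identity
# provider (google in the answer), WebBackend for the confidential server-side
# app (node in the answer, django in the question), ResourceApi for the REST api.
# All names, secrets and users are hypothetical; no network calls are made.
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed access-token lifetime in seconds


class AuthServer:
    """Issues one-time authorization codes and bearer tokens (authorization-code grant)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._codes = {}   # code  -> user (single use)
        self._tokens = {}  # token -> (user, expiry timestamp)

    def authorize(self, user, state):
        """User consents; the provider sends them back with a code and the caller's state, unchanged."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = user
        return {"code": code, "state": state}

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Back-channel exchange: only the confidential server knows client_secret."""
        if not (hmac.compare_digest(client_id, self.client_id)
                and hmac.compare_digest(client_secret, self.client_secret)
                and redirect_uri == self.redirect_uri):
            raise PermissionError("invalid client")
        user = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if user is None:
            raise PermissionError("invalid or reused code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, time.time() + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def introspect(self, token):
        """Return the user behind a live token, or None if unknown or expired."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] <= time.time():
            return None
        return entry[0]


class WebBackend:
    """The first-party server: starts the login, checks state, swaps the code, keeps the token per user."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id, self.client_secret, self.redirect_uri = idp, client_id, client_secret, redirect_uri
        self.tokens_by_user = {}

    def start_login(self, session):
        """Bind the upcoming callback to this browser session with a random state value."""
        session["oauth_state"] = secrets.token_urlsafe(16)
        return session["oauth_state"]

    def finish_login(self, session, callback):
        """Handle the redirect back: reject a callback whose state does not match the session."""
        expected = session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(expected, callback.get("state", "")):
            raise PermissionError("state mismatch")
        grant = self.idp.exchange_code(callback["code"], self.client_id, self.client_secret, self.redirect_uri)
        user = self.idp.introspect(grant["access_token"])
        self.tokens_by_user[user] = grant["access_token"]  # server-side copy, as the answer describes
        return grant["access_token"]


class ResourceApi:
    """The REST api: accepts only a live bearer token, otherwise answers 401."""

    def __init__(self, idp):
        self.idp = idp

    def get_profile(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "invalid_request"}
        user = self.idp.introspect(token)
        if user is None:
            return 401, {"error": "invalid_token"}
        return 200, {"user": user}


def run_flow(user="alice", tampered_state=False):
    """Drive the whole flow for one constructed user and return the api's (status, body)."""
    idp = AuthServer("web-app", "constructed-secret", "https://app.example/callback")
    backend = WebBackend(idp, "web-app", "constructed-secret", "https://app.example/callback")
    api = ResourceApi(idp)
    session = {}  # stands in for the browser's session cookie store
    state = backend.start_login(session)
    callback = idp.authorize(user, "wrong-state" if tampered_state else state)
    token = backend.finish_login(session, callback)  # raises PermissionError on a state mismatch
    return api.get_profile({"Authorization": "Bearer " + token})


if __name__ == "__main__":
    print(run_flow())  # (200, {'user': 'alice'})
```

The two checks worth noticing are the ones the posts leave implicit: the state value ties the callback to the browser session that started the login (a callback carrying a different state is rejected before any code exchange), and the api never trusts a token on its own but asks the issuer whether it is still live, so an expired or unknown bearer token gets a 401 rather than a session.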

Source: https://habr.com/ru/post/1500244/
