Scenario
We are creating a new RESTful API for our web application. This API will serve our mobile applications, our web application and authorized customers.
We use Apigility to create the API, together with the OAuth2 implementation it provides.
Currently, our web application relies on a users table with permissions assigned to each user. These users simply log in through the web form; the session is then saved and the corresponding permissions are checked on access.
We want to be able to authenticate access to the API (for example, by our web application and authorized clients) so that there can be no unauthorized access to the API. However, we also want permissions at the user level, so some kind of user authentication should happen as well.
Any authorized client of the API can be used by a different user, so relying on one user per client will not work, especially since permissions are granted per user. We also do not want any user to be able to use the API without prior authentication, and we would rather not add each user as a client in OAuth2.
For example, the web application is authenticated against the API, and two users use it through it:
- UserA
- UserB
UserA, POST /users: 200 OK.
UserB: 403 Forbidden.
[The rest of the question did not survive extraction; only the fragments "OAuth2", "HTTP-" and "/user/login" remain, ending in a question.]
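The setup described above (confidential clients such as the web app are authenticated, but every token is tied to a real user whose permissions decide the outcome of each request) maps onto the OAuth2 resource owner password credentials grant, which Apigility's OAuth2 module supports: the client presents its client_id and secret at the token endpoint together with the user's credentials, and the issued access token records both. The following is an added example, not code from the post or from Apigility; it models that flow in plain Python with constructed client and user tables (UserA holds a hypothetical "users:create" permission, UserB holds none) so that the 200 / 403 / 401 outcomes from the question can be exercised end to end.

```python
"""Added example (not from the original post or from Apigility): an OAuth2
password-grant token endpoint plus a resource server that enforces
per-user permissions. All names, secrets and permissions are constructed."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds an access token stays valid (assumed value)


def _hash_pw(password, salt):
    """PBKDF2 password hash; salt is per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed OAuth2 client table: each registered client has its own secret.
CLIENTS = {"webapp": "webapp-secret", "mobile": "mobile-secret"}

# Constructed users table: per-user password hash and permission set.
USERS = {
    "UserA": {"salt": b"salt-a", "hash": _hash_pw("pw-a", b"salt-a"),
              "perms": {"users:create"}},
    "UserB": {"salt": b"salt-b", "hash": _hash_pw("pw-b", b"salt-b"),
              "perms": set()},
}

# Which permission each route needs (hypothetical mapping).
ROUTE_PERMS = {("POST", "/users"): "users:create"}

# Issued tokens: opaque token -> client that obtained it, user it acts for, expiry.
TOKENS = {}


def issue_token(client_id, client_secret, username, password, now=None):
    """Token endpoint (password grant). Both the client AND the user must
    authenticate; returns (token, http_status). Users never need to be
    registered as OAuth2 clients."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None, 401  # invalid_client: unknown client or wrong secret
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which usernames exist.
    salt = user["salt"] if user else b"dummy-salt"
    candidate = _hash_pw(password, salt)
    if user is None or not hmac.compare_digest(user["hash"], candidate):
        return None, 400  # invalid_grant: bad user credentials
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "user_id": username, "exp": now + TOKEN_TTL}
    return token, 200


def handle_request(method, path, authorization, now=None):
    """Resource server check run on every API call. 401 when there is no valid
    bearer token (no authenticated user at all), 403 when the authenticated
    user lacks the permission the route requires, 404 for unknown routes."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    entry = TOKENS.get(authorization[len("Bearer "):])
    if entry is None or entry["exp"] <= now:
        return 401  # unknown, revoked or expired token
    needed = ROUTE_PERMS.get((method, path))
    if needed is None:
        return 404
    if needed not in USERS[entry["user_id"]]["perms"]:
        return 403  # authenticated, but this user may not do this
    return 200


if __name__ == "__main__":
    tok_a, _ = issue_token("webapp", "webapp-secret", "UserA", "pw-a")
    tok_b, _ = issue_token("webapp", "webapp-secret", "UserB", "pw-b")
    print("UserA POST /users ->", handle_request("POST", "/users", "Bearer " + tok_a))
    print("UserB POST /users ->", handle_request("POST", "/users", "Bearer " + tok_b))
    print("no token POST /users ->", handle_request("POST", "/users", None))
```

The point of the model is the separation of the two failures: a missing, expired or forged token is rejected before any user lookup (401), while a token from a correctly authenticated client still only grants what its user's permission row allows (403 for UserB). The token stores the client_id as well, so per-client restrictions can be layered on later without changing the user model.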