REST API multi-tenant security

I have a question about RESTful API and security in a multi-tenant environment.

Imagine you have an endpoint: api/branches/:branchId/accounts/:accountId

Authentication is through bearer tokens (OAuth2). Each token includes a set of statements related to the caller. branchId is included in the token, and each user belongs to one branch.

Security restrictions are as follows:

  1. The branchId of the GET request must match the identifier stored in the token request.
  2. accountId must be a valid account inside the branch identified by branchId.

The question is which of the following solutions is correct?

  1. Keep the endpoint api/branches/:branchId/accounts/:accountId and do the necessary security checks.
  2. Change the endpoint to api/accounts/:accountId, get the branchId value from the token, and then perform the remaining security checks.

The application must be multi-tenant. Each branch is a tenant, and each user can only access information related to its separate branch. Thanks!

1 answer

I needed to make a decision quickly, so I will use solution 1. If someone has an argument against or in favor, join the conversation.

Arguments in favor of:

  • I completely agree with this answer: fooobar.com/questions/535363/... Using the full URL allows you to decide more efficiently which data storage to connect to and to distribute the load accordingly.
  • In addition, you can easily implement caching and logging because the full URL is descriptive enough.
  • Security and API independence. Today I use OAuth2, but maybe tomorrow I can send a request signature, and since the URL contains all the information for the request to complete, it will work.

Arguments against:

  • Information redundancy: branchId is in the URL and is encrypted in the token.
  • A little more effort to implement.
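The two checks from the question, applied to the URL form that solution 1 keeps, as an added example (not code from the original post). The token is represented by its already-validated claims dict, the claim name `branchId` and the in-memory account store are constructed assumptions, and the function returns the HTTP status the handler would send.

```python
"""Tenant scoping for GET api/branches/:branchId/accounts/:accountId.

Added example, not from the original post. The bearer token is assumed to
be validated upstream and reduced to a claims dict; the account store is a
constructed in-memory sample.
"""
import re

# Constructed sample store: accountId -> branchId that owns it.
ACCOUNTS = {
    "acc-100": "branch-A",
    "acc-200": "branch-A",
    "acc-300": "branch-B",
}

PATH_RE = re.compile(
    r"^/?api/branches/(?P<branch>[^/]+)/accounts/(?P<account>[^/]+)$"
)


def parse_path(path):
    """Return (branchId, accountId) from the URL, or None if it does not match."""
    m = PATH_RE.match(path)
    if not m:
        return None
    return m.group("branch"), m.group("account")


def authorize(path, claims, accounts=ACCOUNTS):
    """Decide whether a GET on `path` is allowed for the caller in `claims`.

    Returns an HTTP status: 200 allowed, 400 malformed path,
    403 branch in URL differs from the token, 404 account not in that branch.
    `claims["branchId"]` is the branch statement carried in the token
    (assumed claim name).
    """
    parsed = parse_path(path)
    if parsed is None:
        return 400
    branch_id, account_id = parsed
    # Check 1: branchId in the URL must match the branch stated in the token.
    if claims.get("branchId") != branch_id:
        return 403
    # Check 2: the account must exist inside that branch. Answering 404 rather
    # than 403 avoids confirming that an account exists in another tenant.
    if accounts.get(account_id) != branch_id:
        return 404
    return 200
```

Check 1 runs before any data lookup, so a caller with a valid token for one branch never triggers a query against another tenant's accounts.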

Source: https://habr.com/ru/post/976441/
