I would like to ask you for advice. A service booking platform allows you to implement the booking service within the website of the service owner. The service provider activates the functionality on the platform and receives an access key. On its website, it implements a form to receive the reservation data and calls the API to make the reservation. Among the API parameters is the access key. I can't imagine and don't know another way to authenticate the API call (in HTTPS of course). The problem I see is where to store the secret key as the API would be called client side. Is this practice good?
Thank you!
Related
I'm new to web services and am creating HTTP services using .NET Web API 2.
The consumers of the services will be other applications, but in the future I foresee web applications (browsers, mobile apps) using them. The services simply serve data to the consumers (no create/update/delete).
All applications, including the API, are located on our enterprise intranet. Nothing outward facing.
I was told to use Integrated Windows Authentication for the services. Can an API key also be used on the same services to authenticate the application that is making the calls?
I'm not even sure doing this makes sense. Can the consuming application (i.e executable run on a server) send account info? My thought is that Windows Authentication isn't necessary and token authentication will suffice. Others have told me to use both. I'm not sure that's possible and haven't found anything showing me it is.
An API key is a parameter passed to the service interface, so it can be passed with any type of auth on the backend.
But usually, and api key is used to determine whether a user is allowed to use a specific API. For example, if only a subset of users that have windows accounts are allowed to use the api, then maybe that might make sense, because, even if they could authenticate with their windows account, they could still be determined to be unauthorized by the fact that they did not pass a valid auth key.
That said, you could also do the same things with some kind of policy, for example, checking if the user has the correct role to call the api method. It makes more sense when you are giving people access to an api through the internet.
To ensure a REST API is accessed only by known consumers, client applications use to sign each HTTP request with a secret and then send the resulting signature togheter with the API key to the server.
In case of JavaScript clients the API key and secret are hardcoded in the script itself... so how does this mechanism ensure a client sending the request is really the client it is supposed to be? I'm asking because if the secret is hardcoded in the JavaScript, everybody could look at it, steal the secret, and use it in other applications.
Is there a safer way to expose an API to consumers? I know there are other posts in Stackoverflow covering this topic... but what is not clear to me is how to deal with both consumer authorization and user authorization. In my case, consumer authorization determintes whether or not a third party is allowd to access my API and has nothing to do with business logic, while user authorization is at application level (i.e. after the consumer has been identified and authorized).
You can check the domain and provide a SOP setting to restrict to only known domains.
You can drop requests by origin ip if the ips are going to be constant.
Moreover you can have a secret generator on your server which client need to call from there on servers and pass it on their js code, from there it can be attached to api call. This way client with SOP can make sure that their js is not injected. You can check on the clients IP before providing the response.
Basically, it would depend on the type of consumers you going to serve. Are they enterprise customers, etc.
After some googling I found this great article and just implemented the solution it describes ;-)
I'm creating a mobile app for customers that need to access an api that I use.
The api requires authentication and the app needs to call the api to receive some data that is specific to each individual customer(mobile app).
I just want to make sure that the right way to do this is for the mobile app to send the query to my server which will then make the authenticated api call and return the response to the mobile client?
or is it possible to have the mobile make the api calls directly, presumably using the same authorisation key?
This is primarily an opinion-based question, however I'll give it a go:
[paraphrased] Can my server act as an API proxy to make authenticated calls to another API on behalf of my unauthenticated users?
This is a common occurrence in the API world, but some things you need to consider:
It's an extra layer in between the user and the service, which adds time to the data transport. Make sure you build your proxy to be scalable or use a 3rd party service that can manage that on your behalf. Either way, don't forget to factor in cost.
Usually service providers require authentication for a reason. Are you violating any license agreements by opening up their API like this?
Is the authentication per-application, or per-user? If it's per-user (e.g. each user logs in and retrieves a unique access_token) then you're going to be making calls to the back-end API as a user instead of an application.
Is the destination API rate-limited? Instagram's API, for example, only allows 5000 requests per hour. If you have 10,000 users that use it once per hour, you'll have already hit that limit.
Are there security concerns opening up the destination API like this? Is there sensitive information that you need to protect? If so, opening it up like you do are you creating security holes?
Is it possible to have the mobile make API calls directly to the target API, presumably using the same authorization key?
Absolutely this is possible - provided that you follow the authentication flow established by the target API. You'll want to consider the same list of concerns listed above though, in addition to:
If you're using an auth flow like OAuth2, the standard dictates that each user should authenticate as themselves and make API calls using a unique access_token. Does your target API provider offer this service? If so, that's the way to go, that way if an access_token is compromised, only that user's data/account/etc. is at risk.
If you're using app-level authentication (e.g. your app's client_id and client_secret) directly in your mobile app, be warned that it can be obtained and compromised with little effort, and thus an attacker could gain access to the entire target API this way.
I am writing an API to use with my mobile app. I want to use Api Key authentication.
In this kind of system, should I give an api key to each user? Or should I only give Api Key per application that connects to the API?
The reason that I asked that is:
If I give every user api key and authenticate them by their api key, authenticated user will be only one, and I can make requests like /reviews/ and server will return all reviews which are done by authenticated user.
On the other hand, the app will authenticate to use the api, and I should make request like "/reviews?userId=23842374283423".
Which one is the most used type of authentication?
Normally the API keys are issued to the developer who consumes the API rather than the application. Although in most cases each key is used only for one application, in theory you could have another one using the same key. I would recommend going for the second approach.
Can someone guide me on the best practice for this situation;
I have a REST service which developers can access with an API KEY. (I have this working in the WCF WEB API), so this part is done.
I would like developers to be able to validate a USER. i.e. use REST to check the username and password entered by a user.
Each of the end point methods only needs API KEY authentication, rather than basic authentication on the method call (if you see what I mean).
How should I best implement this?
Phil.
To securely send password data to a RESTful service you will need to secure communications across http. There are loads of ways to do this, see this post here:
How to secure RESTful web services?