Not sure if the title of the question expresses good my problem, so I'm going to do my best to explain it here:
I'm writing a RESTful api using php and Restler. Now here comes the problem:
There are some services that I'd like to protect, that is, know if the user requesting that service has enough privileges.
All the services that I'm implementing have to be consumed using javascript, so the traditional method user/password won't work beacause everyone will see that!
I'd also like to limit the amount of requests an anonymous user can do, like twitter does with the search service.
What can I do to expose my api to everyone, but only let users with priveleges complete their requests?
I stumble with this post: REST authentication and exposing the API key but at the end, no solution was provided.
I'm very open to any alternative: like OAuth. I would like to use something that integrates well with restler though, but if that is not the possible, then its ok.
I've seen a lot of info, saying that an api key would do the work, but since I'm using javascript, how can I protect those keys from being used by other users?
Update: Restler 3 is released with hybrid access support using #access hybrid comment and is available here!
Just in time with the right question :)
Your question has two parts
1. How do I do hybrid access (both public and protected access) with Restler
Restler 2 does not support hybrid access, but Restler 3, which will be released in August 2012 (this week) will support hybrid access, exactly built for your use case
You can follow the development at twitter and/or facebook
2. How can I protect my API when the primary consumer is JavaScript
For simplicity you may use HTTPS with Basic Authentication or HTTP with Digest Authentication
Another alternative is described in this article. It is not written specifically for Restler but it is easy to adapt to Restler. Let us know if you need help on that
Related
I want to create a custom API that behind the scenes, call number of other APIs which use OAuth 2.0 for authentication. I want to manage this internally so that my custom endpoint somewhat abstract this.
Or to begin with I want to do what app like buffer (https://buffer.com) do - where you connect to different social services and than post your status.
How can I achieve this in .NetCore ?? I don't want to login with these (a lot of samples are catering this scenario), user login is different than this. I just want to establish these connections (like API Connections if you look at Azure API Management) and then perform some operations against those endpoints.
I hope i convey my point. please let me know if this isn't clear.
Thanks
Sanjay
OAuth2 systems are all based on the same workflow.
here's an authorization url, you pass some ids in an authorization header, if everything is correct you get a token, you then use the token to do whatever you are allowed to do. What changes are the credentials you use for authentication and the urls you hit for the various parts of this workflow.
You could write your own OAuth2 library which deals with all this, that's pretty much what I did and simply changed the details for every specific system I had to interact with.
This being said you can always use one of the existing implementations to connect to the various systems you care about, they all have an API you could use, all you have to do is make sure you follow the OAuth2 flow correctly.
I have a JSON REST API written in Symfony 2.7, and I want to authenticate & authorize users. This is my first time doing this, so I have some doubts/questions.
For that, I thought several methods:
User & password, and then save a session in the back end
Same as 1), but add an "apiToken" (randomly generate when user register) and then sending back & forth the apiToken in every single request to check user identity.
Use OAuth (which I'm currently reading about it).
I read that using OAuth for a simple API is like an "overkill", but on the safe side it sticks to standards and also allows me to use it when using my API with mobile devices and different platforms.
Also, I don't know too much about security flaws of using method 1) or 2).
I know this is maybe based on opinions, but I don't know any other site to post this question, as Symfony official mailing was shut down and migrate here it seems.
As you seems to know, your question is too opinion based.
If I can give you some advices (too long for a 600chars comment),
OAuth is powerful, but so much free.
I mean that you can easily implement it sort as everything works well while having a set of potential security issues without being aware of their existence.
Libraries and bundles providing OAuth are hard to maintain because of the new security issues regularly found.
On the other hand, if you need the benefits of OAuth (be a client and/or a server, compatible with the most part of social networks), go learn OAuth and do your experience with it.
Otherwise, use a simple credentials/request token two-step authentication.
See the JWT Authentication tutorial by KnpLabs,
Symfony Guard Authentication by Ryan Weaver,
and the great LexikJWTAuthenticationBundle, easy to implement and to use.
I'm trying to figure out how Likeboost or LikeHero work, 'cause I believe Instagram doesn't allow you to use Like endpoint to add a like to an image and they require you to submit the app for review as they stated here:
To request access to this endpoint, please complete this form.
But these apps just ask for your username and password (Surprisingly you don't get transferred to Safari for authentication process) and then you could like an image from that particular app. How do they do that? Isn't this against the following paragraph?
The ability to POST and DELETE likes, follows and comments is restricted to applications that offer business services and not consumer facing apps.
That applications that you are mentioning are using a fake native login page in order to avoid you leave from the application (like #Matthew Antolovich said). Once they get the access_token, there are no more dificulties and they can use the API calls.
As you can see in the Authentication documentation they might be using the Client-Side (Implicit) that is less secure but it works for they purposes.
They are giving permissions only to trusty applications in order to avoid that fake applications (bot apps, fake users, ...) use some API functionalities.
If you want to use these calls, you should fulfill the form that they are giving to you once your application is finished. If you are still developing the application you have to trust the Like documentation without the capability of test if it works.
There are other ways to restrict apps to use some calls (limit of requests per day, ...) but this is how they are doing it so, we must adapt.
Like #Matthew Antolovich said in his comment, if those apps are asking you for your user and password, they can log-in using the same requests present on the web. They could (and probably are) make their own API by reverse engineering the http requests.
On a side note, I would personally never trust those kind of apps.
A few days back I started learning ColdFusion 10 REST APIs. It was very intresting and easy to implement. But now I just want to implement authentication and authorization on my sample APIs. I have searched a lot but not found much useful info on Google.
It may sound like a very basic question, but as I am completly new to REST: Could any one please suggest how to implement authentication on my ColdFusion 10 REST APIs?
My initial thought is to have method named authenticate() on my REST enabled cfc, which I will call from all other methods or resources to authenticate the users. I am planning to authenticate the users by their username/password. Is this the correct way to implement?
The way I've seen it in most languages would be to have a base class that takes care of the auth check, usually the presence of a token in the url that matches something against the user in the db for active session. Then for all of your rest classes, just extend that base class, which is easily done with CFCs in ColdFusion.
Good luck on your implementation!
We have a large high traffic site with a lot of data on it (similar to Kickstarter), and we want to provide to our content/project creators a means of pulling their data from our site via an API.
Someone suggested I use OAuth, however my experience with OAuth is limited to setting up a twitter datasource.
What I want to do
Provide a user an Application ID and a 'secret'
Allow this user to connect to our application via an api endpoint, authorizing themselves using the api ID and secret
Once verified, allow this user to pull only their data from the application
The data that a user can pull: votes they have cast, pledges they have made, purchases they have made, projects/ideas they have launched, data about those projects/ideas (votes/purchases/orders/cancellations etc)
My question is:
Is OAuth overkill?
Is there a better way to handle a user/users website to connect to our API and pull/verify certain data by using the API we make available, while requiring each incoming request to be authorized for the user/site initiating that request.
Ideally, we will have an endpoint that is accessed as:
https://api.oursite.com/request/params
We want this to be as simple as possible for our users that wish to implement this interface. Thanks for your help!
Generally it's OAuth, in combination with SSL. That's the standard and is likely to stay. Before we saw also logins: username + password to access an API but that's becoming less and less.
So the suggested way is OAuth. There are no serious other solutions yet. To make it easier to adopt your API you could release some classes in some development languages so developers can have a quick start. You could start releasing those classes at for example GitHub to raise adoption of your API and get a quick access to developers. They might, if you do well, even start improving it.