Can someone guide me on the best practice for this situation;
I have a REST service which developers can access with an API KEY. (I have this working in the WCF WEB API), so this part is done.
I would like developers to be able to validate a USER. i.e. use REST to check the username and password entered by a user.
Each of the end point methods only needs API KEY authentication, rather than basic authentication on the method call (if you see what I mean).
How should I best implement this?
Phil.
To securely send password data to a RESTful service you will need to secure communications across http. There are loads of ways to do this, see this post here:
How to secure RESTful web services?
Related
Currently, I'm working on a REST API which will be available for public clients but also I wanted to use it in my mobile application.
For the public clients, I considered to use the Clients Credentials grant, in this case, they would have to registered their app in my Web application which will give them the client key and client secret, then, they could request the access token with them and also I could know the user related to the credentials
But with my mobile application, I'll need to have a sign in section where I would need to use Authorization Code grant in order to secure my data, but I'm not sure if it's necessary.
Based on this, I have a couple of questions:
1. The Authorization Code grant it's the best way to do it?
2. It's a bad practice to have two authorization flows in the same endpoint?
3. Dropbox, Twitter, etc...all of them have REST API, how do they manage authorization in their own apps?
Thanks beforehand and sorry for all questions
I managed to solve this with two alternatives and for the moment, I'm going with the first one.
Create an Authorization server with a parameter that indicates what kind of Authorization Grant it's asking to use and in this way I can decide which kind of flow will follow based on this. I follow the OAuth 2.0 Spec for this using the correct names and parameters to pass in order to have a good way to authenticate our clients and applications.
Create an API gateway where I can send all the authentication requests for my API's using Node.js and in there it will be decided which API it's asking for authentication and with kind of Authorization Grant it's using. You can have more information about this in here:
https://www.nginx.com/blog/building-microservices-using-an-api-gateway/
I'm developing a web API that will be called by other web apps in the same Azure host and also other 3rd party services/ app. I'm currently looking into API Apps and API management, but there are several things unclear for me regarding security implementation:
Does API App need to have authentication when implemented with API management? If yes, what are the options? This link http://www.kefalidis.me/2015/06/taking-advantage-of-api-management-for-api-apps/ mentions "Keep in mind that it’s not necessary to have authentication on the API App, as you can enable authentication on API Management and let it handle all the details." So that means having the API App authentication to public anonymous? But then someone who knows the direct URL of the API App can access it directly.
What is the best way to implement API Management security? The one mentioned in the tutorial (Having a raw subscription key passed in the header) seems to be prone to man in the middle attack
What advantages does API App add instead of implementing with normal Web API project?
Thanks in advance.
I can answer from API Management perspective. To secure the connection between API Mgmt and your backend (sometimes called last-mile security), there are a few options:
Basic Authentication: this is the simplest solution
Mutual certificate authentication: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-mutual-certificates/ - this is the most common approach.
IP Whitelisting: if you have a Standard or Premium tier APIM instance, the IP address of the proxy will remain constant. Thus you can configure firewall rules to block unknown IP addresses.
JWT token: if your backend has the capability to validate JWT tokens, you can block any callers without a valid JWT.
This video might also be helpful: https://channel9.msdn.com/Blogs/AzureApiMgmt/Last-mile-Security
I think the document meant you can do the JWT token validation in APIM. However, to prevent someone calling your backend directly, you'll have to implement one of the options mentioned above in your Api Apps
I have to implement public WCF service which can be consumed by known client. I also want to authenticate client using custom identity (not windows authentication).
I have explored WCF security for authentication with custom Username and Password. Since I have to implement the solution for Hetrogenious network, I cannot use windows authentication.
I have found two ways through which we can incorporate custom authentication in WCF. I have few queries on each of the approaches as below.
1) Through "UserNamePasswordValidator" class. We can create custom username password validator and validate user from the database. This approach is perfectly fine to implement SSO (Single Sign On) as each request has credentials in SOAP header. Client doesn't have to validate himself before each request.
Questions:
Is this approach is easily extensible for Authorization as well? Since authentication happens before service call by getting credentials from the SOAP header. Also credentials are not a part of ObjectContext, I have feeling that authorization approach is not straightforward.
To follow this approach we need to use Brokered Authentication pattern and for this we need third party certificate. Is this advisible to go with this approach as we have to add cost of certificate in a project.
If we use message security to encript the message why we need a certificate? Just for Client identity? Cann't we just use self signed certificate in production since we know who will consume this service?
2) Through "ServiceAuthenticationManager" class. I know only one approach using this class and that is to implement solution using Direct authetication pattern. Also after authenticate user, we need to supply it's identity or token through custom header for all subsequent request coming to service to implement SSO (Single Sign On)
Questions:
Is this a valid approach for public service? Should we enforce user to supply credentials (or token once provided by our service once it is authenticated) via custom header in each request?
This approach doesn't required certification and so we can save its cost to the project. Is this enough reason to pick this approach?
Personally I feel the first approach is easy to implement and it is more standard way to implement authentication in WCF service but the only problem is we need third party certificate.
Please answer my query and if possible suggest the best approach for my requirement.
Thanks,
Ankur
I have been looking on a lot of questions about REST API and security and found some interesting informations but there is still one thing I don't understand.
So, I have a REST API developped with Zend Framework with basic authentication over an https channel (so if I understoud what I have read, the login/password are encrypted when they are sent).
The purpose of this API is to be called by Android/iPhones apps and will only be available to people who have a login and a password
SO, currently, to call the API, the login and password are always sent with the call and so, I check them at every call (the result is it makes a call to the database just for authentication at each call to the API).
Is there some kind of session management (as in web developpement) to avoid that?
Thank,
REST API should be stateless, but you can use request signing using some secret key you obtain after first submission of username + password.
In other words, do not send username and password every time, just use once, to obtain secret key.
You may take a look at several APIs that sign the requests, eg. some implementing OAuth.
I'm building my first REST API from scratch and am trying to understand the best way to handle API tokens. I'm not talking about "user authentication" (I would be using OAuth for that). I'm talking about public/private tokens that an application uses to identify itself so that my API can decide whether or not the application is allowed to use the API in the first place.
Some API resources will be available to anyone with valid token(s), and some will require OAuth authentication. I will be communicating with the API over HTTPS, but I still want to make sure I am following some sort of standard for passing tokens back and forth.
You actually are talking about user authentication, believe it or not.
I'm talking about public/private tokens that an application uses to
identify itself so that my API can decide whether or not the
application is allowed to use the API in the first place.
That's user authentication - it's just that the "user" is the application calling your APIs.
If OAuth isn't enough to do everything you need (and it might, you should check!), you shouldn't start adding yet another custom authentication method to HTTPS. Instead, stand on the shoulders of giants and use Basic Authentication, because that's what it's for. Your tools, sysadmins and API clients will thank you for it.