Nov 7th, 2012, 08:44 AM
Secure REST API with OAuth 2.0
Hello every body,
I try to secure some REST APIs (definitely stateless) on my server and let other trusted webapplications to use them.
As I said webapplication are trusted, it means I need to omit authentication steps from oauth sequence diagram.
Is that possible to benefit from Oauth 2.0 at all?
All that I want is to care about generating and handling access token.
Nov 7th, 2012, 09:03 AM
The benefit of OAuth2 really comes when your REST clients act on behalf of a user. If there is no user in the process it might not be worth it. If you have a user then you can benefit from OAuth2, but I'm not sure I understand the question beyond that.
Last edited by Dave Syer; Nov 8th, 2012 at 07:12 AM.
Nov 8th, 2012, 03:36 AM
Yes, you are right. However, I find OAuth 2.0 the most suitable protocol for creating and managing tokens. All what I need to be sure about is, wether it is possible to setup oauth for anonymous user.
Nov 8th, 2012, 07:12 AM
If you have machine-machine interactions there is no user, so there is no need for anonymous access.
Nov 8th, 2012, 06:04 PM
I'm not sure what you mean by a trusted application and not requiring authentication. Is this a strictly internal arrangement?
Our application has no end user data, just our data, and some tenant specific data. Rather than an end user authorizing an application to access personal data/functionality on their behalf, we have a tenant authorizing a user agent (browser, mobile) to access our APIs on the tenant's behalf. This authorization allows us to track the usage for a given tenant, as well as return results based on our content and the tenant's content, and not some other tenant's content.
There are additional measures in place to limit what can be done with a given bearer token (in terms of amount of API usage), anti-hijacking, and blacklisting client addresses that appear to be abusive or bots of some kind scraping content.
Making use of OAuth 2 for this is nice because it is a well understood standard, and we have nice implementations such as Spring Security OAuth available. A big issue for us is the ability for the user agent to directly invoke our APIs (JSONP today, and one day CORS). This needs to be done without the tenant exposing any credentials within the user agent. So, the bearer token, with limits applied, works well for this.
Our tenant applications also invoke some of our APIs for updating and otherwise managing their own content within our application. Since this does not involve some third party user agent, we could have used HTTP Basic authentication over HTTPS for this, but instead, these APIs are also accessed via OAuth 2. Using a different set of credentials, the tenant application will acquire a token which is then used to invoke tenant related, rather than user related, APIS.
This second scenario is for us the machine-to-machine (server-to-server) situation which could call into question the need for OAuth (vs HTTP basic authentication), but the user agent interaction (browsers and mobile apps run on machines don't they? ) is where OAuth 2 really shines for us; a standard vs. some custom token based system of our creation, no exposure of tenant credentials, code I don't have to write/debug/test, and very nice support on this forum.
Anyway, if you do not have third party involvement, and your applications are 'trusted', what are your motivations for requiring tokens?