
Decide to REST API Security


I’ve developed an API. I got confused, and I’ve been reading articles for days.
Actually my question is close to these but not exactly the same (maybe a combination of them):
Securing REST API that will accessed from different clients
Secure no-login REST API for very few clients

I need to secure my API. The API will be used by third-party client applications. I’ve attached a schema below.

What should I do?

HTTP Basic over SSL/TLS, HTTP Digest over SSL/TLS, OAuth 2.0, or something else?

[attached schema image]

Edit (2015-03-25):
This approach was given up. See “Edit (2015-04-01)” below.

I’ve decided to implement SSL + OAuth 2.0 (Resource Owner Password Credentials Grant).
If you think it’s not suitable for this scenario, please let me know.

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      v
      |    Resource Owner
     (A) Password Credentials
      |
      v
 +---------+                                  +---------------+
 |         |>--(B)---- Resource Owner ------->|               |
 |         |         Password Credentials     | Authorization |
 | Client  |                                  |     Server    |
 |         |<--(C)---- Access Token ---------<|               |
 |         |    (w/ Optional Refresh Token)   |               |
 +---------+                                  +---------------+

        Figure 5: Resource Owner Password Credentials Flow

The flow illustrated in Figure 5 includes the following steps:

(A) The resource owner provides the client with its username and
password.

(B) The client requests an access token from the authorization
server’s token endpoint by including the credentials received
from the resource owner. When making the request, the client
authenticates with the authorization server.

(C) The authorization server authenticates the client and validates
the resource owner credentials, and if valid, issues an access
token.

Edit (2015-04-01):

I’ve implemented OAuth 2.0 Client Credentials. Now I’m looking into how I can implement an SSL certificate for the clients’ API requests.

The client credentials grant type MUST only be used by confidential
clients.

 +---------+                                  +---------------+
 |         |                                  |               |
 |         |>--(A)- Client Authentication --->| Authorization |
 | Client  |                                  |     Server    |
 |         |<--(B)---- Access Token ---------<|               |
 |         |                                  |               |
 +---------+                                  +---------------+

                 Figure 6: Client Credentials Flow

The flow illustrated in Figure 6 includes the following steps:

(A) The client authenticates with the authorization server and
requests an access token from the token endpoint.

(B) The authorization server authenticates the client, and if valid,
issues an access token.

