Help with API security and ideology
#1

[eluser]greg.thompson[/eluser]
Hi guys, let me first just give you an idea of what I'm doing. I'm looking to create an application that users can log into and create events etc. But the most important part of it is an API that will allow these same users to submit information/registrations/payments to my application hosted elsewhere. The things I want to do are pretty darn basic, but I'm having a damn hard time wrapping my head around the API and security.

I'm using Phil Sturgeon's RestServer implementation and that part is working without any type of authentication, but again where I struggle is how to really tighten up security. I really like the OAuth structure of private/public keys but I honestly can't wrap my head around it... maybe a lack of understanding. I'd want the user to create their application connection within the app itself and get all their keys etc. from the app, then use this information on their page, where they'll be accessing the API data.

so...
Application site (www.application.com): user signs up, logs in, creates an event and creates an API connection.
User's site (www.myevent.com): user writes specific code to connect to said API and get event information or submit payment info for a user.

How, in the API connection creation, can I generate new keys for the user, and then how can I set it up so the user can use these keys to access my API securely? My primary concern in all of this is security.

I've looked into the OAuth library, but it seems that it focuses on local usage and account creation etc.

Also, I've seen some libraries that just give one key and that's basically your connection. I assume this would be used in a curl call to interact with the API, but this doesn't seem too secure.

I'm so damn lost. Can anyone help?
#2

[eluser]yacman[/eluser]
Greg,
I would take a look at other APIs out there that have been created by companies like Google and Microsoft, and see how their authentication patterns work. This can serve as a template.

About 5 years ago everyone was using sets of keys to enable a permanent API connection between server and client. Today, most API services use sessions to generate new keys whenever a client wishes to use the API. These keys are associated with a user one time, then expire after a set period so they can't be re-used.

You'd want to have a Token which represents your client, and then a session token which is validated on every call.

You can easily overload the RestController methods to implement session based connections. (Look at where it validates the Key).

The next thing you want is to hook up generating an API key whenever a user is created. This is their Client Key.

When a client wishes to connect via the API, their application must:
1. Call and fetch a session ID using their Client Key and a Client password.
2. This is authenticated, and a Session ID is generated and returned to the client.

Session IDs and client IDs should be passed via http headers.

On successive calls, the client includes both their Client Key and Session Key. These values must be checked on every request to the API to associate who is calling, and whether they currently have access.

Also take a look at the RestController's security implementation on Key Levels. These can help you protect specific methods.

Look at what's out there though, security patterns are changing all the time.
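The scheme described in the reply above (a per-user Client Key plus a short-lived session ID, both passed in HTTP headers and checked on every call, with a "level" gating specific methods), worked through as an added example. This is not code from the thread or from RestServer; the header names `X-Client-Key`, `X-Client-Secret` and `X-Session-Id`, the one-hour TTL and the `ApiAuth` class are my assumptions, and the storage is an in-memory dict standing in for a database table.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_TTL = 3600          # assumption: session IDs live for one hour
PBKDF2_ROUNDS = 100_000     # client secret is stored only as a salted PBKDF2 hash


class ApiAuth:
    """Client-key + session-ID authentication for an HTTP API (added example)."""

    def __init__(self):
        self.clients = {}   # client_key -> {"salt", "secret_hash", "level"}
        self.sessions = {}  # session_id -> {"client_key", "expires"}
        # Dummy hash used when the client key is unknown, so a lookup miss and a
        # wrong secret take the same time (no user-enumeration timing signal).
        self._dummy = self._hash(b"\0" * 16, "")

    @staticmethod
    def _hash(salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def create_client(self, level: int = 1):
        """Hook this up to user creation. Returns (client_key, client_secret);
        the secret is shown to the user once and never stored in clear."""
        client_key = secrets.token_hex(16)
        client_secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self.clients[client_key] = {
            "salt": salt,
            "secret_hash": self._hash(salt, client_secret),
            "level": level,
        }
        return client_key, client_secret

    def open_session(self, headers: dict, now: float = None):
        """Step 1: exchange Client Key + client password for a fresh session ID.
        Returns the session ID, or None if authentication fails."""
        now = time.time() if now is None else now
        client_key = headers.get("X-Client-Key", "")
        client_secret = headers.get("X-Client-Secret", "")
        rec = self.clients.get(client_key)
        salt = rec["salt"] if rec else b"\0" * 16
        expected = rec["secret_hash"] if rec else self._dummy
        # Constant-time compare; run the KDF even for unknown keys (see _dummy).
        ok = hmac.compare_digest(self._hash(salt, client_secret), expected)
        if rec is None or not ok:
            return None
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[session_id] = {"client_key": client_key, "expires": now + SESSION_TTL}
        return session_id

    def authenticate(self, headers: dict, required_level: int = 1, now: float = None):
        """Step 2: on every API call, check both headers. Returns the client key
        on success, None on any failure (unknown/expired session, key mismatch,
        or insufficient key level for the method being called)."""
        now = time.time() if now is None else now
        client_key = headers.get("X-Client-Key", "")
        session_id = headers.get("X-Session-Id", "")
        sess = self.sessions.get(session_id)
        if sess is None:
            return None
        if now >= sess["expires"]:
            del self.sessions[session_id]   # expired: drop it so it cannot be replayed
            return None
        # The session must belong to the client key that is presenting it.
        if not hmac.compare_digest(sess["client_key"].encode(), client_key.encode()):
            return None
        client = self.clients.get(client_key)
        if client is None or client["level"] < required_level:
            return None
        return client_key


if __name__ == "__main__":
    # Constructed walk-through of both sides of the exchange.
    auth = ApiAuth()
    key, secret = auth.create_client(level=2)
    sid = auth.open_session({"X-Client-Key": key, "X-Client-Secret": secret})
    print("session:", sid)
    print("event read allowed:", auth.authenticate({"X-Client-Key": key, "X-Session-Id": sid}) == key)
    print("admin method allowed:", auth.authenticate({"X-Client-Key": key, "X-Session-Id": sid}, required_level=3) is not None)
```

Two things the reply implies but does not spell out: the client secret travels in a header on the session-open call, so that endpoint (and really the whole API) must be served over HTTPS only, and the session ID is a bearer credential, so it is generated from the OS CSPRNG and is never derived from the client key or from time. The `level` check is the equivalent of RestServer's key levels: each controller method states the minimum level it accepts.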
#3

[eluser]solid9[/eluser]
I haven't mastered OAuth, but I have a strong feeling it's the best choice.
Anyway, correct me if my feeling is wrong. ^__^
