mikha (United States of America)

OAuth authentication for an api?

I am planning to work on a REST based API, maybe host it in one of the cloud providers like AWS. I understand simply having an API key wouldn't be enough from a security perspective, as the key is passed in the header. I simply want to build a REST endpoint and don't plan to build a web front end for users to create an account, so I won't have username/password or use login credentials to validate. Should I add this?

I hear about the OAuth standard, or token-based authentication. How does this work? If anyone can explain, that would be helpful.
ASKER CERTIFIED SOLUTION
R_Harrison (United Kingdom of Great Britain and Northern Ireland)

mikha (ASKER)

@R_Harrison - thanks, yes, this clarifies a little bit. I was under the assumption that building an API and building some kind of token/key based authentication with it would be something relatively achievable together. While one can do both at the same time, it sounds like setting up the OAuth server and authentication mechanism is a process of its own.

You mentioned not using username/password, but my understanding was that this was the basic authentication with the HTTP requests.

One more clarification: the data I'm working with is not Personally Identifiable Information, and probably just having an API key with SSL/TLS would suffice. What's a good approach to rotating such API keys? One obvious one is coming up with a newer version of the API and attaching a new API key to it, and letting clients update it on their end, or something similar?

Please let me know any good articles/books/courses on authentication you might have come across, for my better understanding.

You can use username/passwords in the HTTP requests, which will use Windows authentication, but that can then expose the account and could be used to compromise the server directly. Therefore, generally it is best to use an API key, which, if exposed, can only be used with the API and does not expose any accounts on the server.

The question of rotating API keys is difficult (and is kind of the reason behind OAuth, JWT, etc.): customers hate being made to change API keys (probably because they often hard-code them); however, for security we would like to change them every 30 seconds. It's a balancing act between what your customers will accept and how secure you need your environment to be. However, also consider adding extra layers to your API security, like IP address checking, or systems that can detect multiple failed attempts or known hacking techniques and block their requests. Also keep an eye on your log files so you can see any "odd" requests which might indicate a vulnerability. If you can add these extra layers of security, you won't need to rotate your keys as often.

When you develop your API, remember people will always try and make it do things you had never expected (even your customers will do this), so be strict when checking API requests and fail requests by default.
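To make the rotation and failed-attempt points above concrete, here is an added example (not from this thread or any product mentioned in it): a small API key store that keeps several hashed keys live per client, so a rotation issues a new key while the old one keeps working for a grace period, counts failed attempts per source IP, and fails closed on anything else. Client ids, TTLs and IP addresses below are constructed values.

```python
import hashlib
import hmac
import secrets
import time

class ApiKeyStore:
    """Hashed API keys per client; several may be live so rotation needs no hard cutover."""

    def __init__(self, max_failures=5):
        self.keys = {}        # client_id -> list of (sha256 hex of key, expires_at)
        self.failures = {}    # source_ip -> consecutive failed attempts
        self.max_failures = max_failures

    @staticmethod
    def _hash(key):
        # Only hashes are stored; a leaked store does not yield usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, client_id, ttl, now=None):
        """Create a fresh random key for client_id that expires after ttl seconds."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self.keys.setdefault(client_id, []).append((self._hash(key), now + ttl))
        return key  # shown to the client exactly once

    def rotate(self, client_id, ttl, grace, now=None):
        """Issue a new key and cap every existing key at a grace period,
        so the old key keeps working while the client updates its configuration."""
        now = time.time() if now is None else now
        self.keys[client_id] = [(h, min(exp, now + grace))
                                for h, exp in self.keys.get(client_id, [])]
        return self.issue(client_id, ttl, now)

    def authenticate(self, client_id, presented, source_ip, now=None):
        """Fail closed: True only for an unexpired key of this client from an IP
        that has not exceeded the failure limit."""
        now = time.time() if now is None else now
        if self.failures.get(source_ip, 0) >= self.max_failures:
            return False  # locked out; worth logging as an "odd" request
        presented_hash = self._hash(presented)
        # Drop expired keys, then compare in constant time against each live one.
        live = [(h, exp) for h, exp in self.keys.get(client_id, []) if exp > now]
        self.keys[client_id] = live
        for h, _ in live:
            if hmac.compare_digest(h, presented_hash):
                self.failures.pop(source_ip, None)
                return True
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1
        return False
```

The `now` parameter exists only so the time-dependent behaviour can be exercised deterministically; a real deployment would leave it unset.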