Double authentication using OAuth2


Alex Koloskov

Feb 23, 2012, 3:19:44 PM
to API Craft
I'm currently building a RESTful API to our web service, which will be
accessed by 3rd party web and mobile apps. We want to have a certain
level of control over API consumers (i.e. those web and mobile apps),
so we can do API requests throttling and/or block certain malicious
clients. For that purpose we want every developer who will be
accessing our API to obtain an API key from us and use it to access
our API endpoints. For some API calls that are not dealing with the
specific user information, that's the only required level of
authentication & authorization, which I call "app"-level A&A. However,
some API calls deal with information belonging to the specific users,
so we need a way to allow those users to login and authorize the app
to access their data, which creates a second level (or "user"-level
A&A).

It makes a lot of sense to use OAuth2 for the "user"-level A&A and I
think I have a pretty good understanding of what I need to do here.

I also implemented an OAuth1-like scheme, where app developers receive a
pair of API key & secret, supply their API key with every call and use
the secret to sign their requests (again, it's very OAuth1-like and I
should probably just use OAuth1 for that).

Now the problem that I have is how to marry those two different
mechanisms. My current hypothesis is that I continue to use API key/
secret pair to sign all requests to be able to access all API
endpoints and for those calls that require access to user-specific
information apps will need to go through OAuth2 flow and obtain access
tokens and supply them.

So, my question to the community is - does it sound like a good
solution, or are there better ways to architect this?

I'd also appreciate any links to existing solutions that I could use,
instead of re-inventing the wheel (our service is Ruby/Rails-based).

David Eriksson

Feb 23, 2012, 4:27:21 PM
to API Craft
Isn't your scenario pretty close to how Facebook handles
authentication and authorization?

Documentation: https://developers.facebook.com/docs/authentication/

They have both "User Login" and "App Login" (also "Page Login" but I
haven't used that.)

I suggest you create a test app on Facebook to get a feel for how they
do it, and to learn if you should do the same or what you should do
differently.


Cheers,

David Eriksson
http://www.divideandconquer.se/

Sam Ramji

Feb 23, 2012, 4:53:40 PM
to api-...@googlegroups.com
Your OAuth 2.0 scheme for users makes good sense.

The other scheme sounds like it should be modernized by using OAuth 2.0 in "two-legged" mode, since it reduces to a system-to-system authentication for the app.

Cheers,

Sam

Alex Koloskov

Feb 23, 2012, 5:19:38 PM
to API Craft
Sorry, maybe I'm missing something, but I can't figure out how I can
use OAuth 2 simultaneously (i.e. in a single request) for identifying
both app and user. Do you have any examples?

Ed Anuff

Feb 23, 2012, 7:32:43 PM
to api-...@googlegroups.com
You're going to have to construct the access_token to encode that information and/or look that up from your DB.

Ed

Greg Brail

Feb 23, 2012, 11:59:29 PM
to api-...@googlegroups.com
As I believe Ed said, when you look up the access token to authenticate the request, you can simultaneously look up which application was used to generate the token, and this in turn tells you which developer (or group of developers) built the app.
--
Gregory Brail  |  Technology  |  Apigee
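To make the suggestions from Sam, Ed and Greg concrete, here is an added example in plain Ruby (the service is Ruby/Rails-based) that is not code from this thread, from Apigee, or from any gem mentioned later. It issues a single kind of bearer token two ways: through the OAuth 2.0 client-credentials ("two-legged") grant, which binds the token to the app only, and after a user has authorized the app, which binds it to both app and user. One lookup of the token then resolves the application (for throttling and blocking) and the user (for user-level endpoints). All class, method and sample names are hypothetical; the authorization-code exchange itself is assumed to have happened before issue_user_token is called.

```ruby
# Added example (hypothetical names): one bearer token resolves both the
# calling app and, when present, the authorizing user.
require 'securerandom'
require 'digest'

Client = Struct.new(:id, :name, :secret, :rate_limit_per_min, :blocked)
Token  = Struct.new(:app_id, :user_id, :scopes, :expires_at)

class TokenStore
  def initialize
    @clients = {}
    @tokens  = {}           # SHA-256(token) => Token; a dumped table yields no usable tokens
    @counts  = Hash.new(0)  # [app_id, minute] => request count, for per-app throttling
  end

  def register_client(id, name, secret, rate_limit_per_min: 60)
    @clients[id] = Client.new(id, name, secret, rate_limit_per_min, false)
  end

  def block_client(id)
    @clients.fetch(id).blocked = true
  end

  # Two-legged OAuth 2.0 (client-credentials grant): the app authenticates with
  # its own id and secret and receives a token that carries no user.
  def issue_app_token(client_id, client_secret, ttl: 3600, now: Time.now)
    client = @clients[client_id]
    return nil unless client && secure_compare(client.secret, client_secret)
    issue(client.id, nil, [], ttl, now)
  end

  # Token issued once the user has authorized the app (authorization-code flow,
  # code exchange assumed already validated): bound to both app and user.
  def issue_user_token(client_id, user_id, scopes, ttl: 3600, now: Time.now)
    return nil unless @clients.key?(client_id)
    issue(client_id, user_id, scopes, ttl, now)
  end

  # One lookup answers both questions: which app sent this, and which user (if any).
  # Unknown, expired and blocked-app tokens all resolve to nil.
  def resolve(raw_token, now: Time.now)
    rec = @tokens[digest(raw_token)]
    return nil if rec.nil? || rec.expires_at <= now
    client = @clients[rec.app_id]
    return nil if client.nil? || client.blocked
    { client: client, user_id: rec.user_id, scopes: rec.scopes }
  end

  # Per-app throttle keyed on the app, not the user: true while under the limit.
  def throttle_ok?(client, now: Time.now)
    key = [client.id, now.to_i / 60]
    @counts[key] += 1
    @counts[key] <= client.rate_limit_per_min
  end

  private

  def issue(app_id, user_id, scopes, ttl, now)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = Token.new(app_id, user_id, scopes, now + ttl)
    raw   # the plaintext token is returned once and never stored
  end

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison so secret checking does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Authenticate a request from its Authorization header. Returns a hash with
# :status (:ok, :unauthorized, :throttled, :forbidden) plus client/user on success.
def authorize_request(store, auth_header, requires_user: false, now: Time.now)
  m = /\ABearer (\S+)\z/.match(auth_header.to_s)
  return { status: :unauthorized } unless m
  ctx = store.resolve(m[1], now: now)
  return { status: :unauthorized } unless ctx
  return { status: :throttled, client: ctx[:client] } unless store.throttle_ok?(ctx[:client], now: now)
  # App-only tokens may reach app-level endpoints but not user-level ones.
  return { status: :forbidden, client: ctx[:client] } if requires_user && ctx[:user_id].nil?
  ctx.merge(status: :ok)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo data.
  store = TokenStore.new
  store.register_client('app1', 'Mobile App', 'shh-secret', rate_limit_per_min: 100)
  t0 = Time.now
  app_tok  = store.issue_app_token('app1', 'shh-secret', now: t0)
  user_tok = store.issue_user_token('app1', 'user42', ['read:profile'], now: t0)
  puts authorize_request(store, "Bearer #{app_tok}", now: t0)[:status]                        # ok
  puts authorize_request(store, "Bearer #{app_tok}", requires_user: true, now: t0)[:status]   # forbidden
  puts authorize_request(store, "Bearer #{user_tok}", requires_user: true, now: t0)[:user_id] # user42
  store.block_client('app1')
  puts authorize_request(store, "Bearer #{user_tok}", now: t0)[:status]                       # unauthorized
end
```

The point of the design is that the token record, not the request, carries the app identity: the app never has to send a separate API key alongside the user's access token, and blocking or throttling an app takes effect immediately for every token it has ever been issued, including user tokens obtained through it.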

Andrew Kuklewicz

Feb 24, 2012, 12:21:24 AM
to api-...@googlegroups.com
Further, if you are on Rails and use the oauth_plugin gem (and you should), then it already provides current_user, current_token, and current_client_application methods.