
Authentication for a request from a client (a browser)?

 
Jonathan Sachs
Greenhorn
Posts: 16
I'm trying to design an API with reasonably secure authentication that can be used from either a server (i.e., an application server talking to an API server) or a client (e.g., AJAX supporting an application that runs on the application server, but also communicating directly with the API on the API server).

Authentication for a request from an application server is pretty easy. The API server and the application server both have a secret (a private key). When the application server makes an API request, it signs the request by adding a hash code computed from the unsigned request and the secret. The API server recomputes the hash code and honors the request if it gets the same result.

If I simply extend this design to a client, it collapses. The client has to have access to the secret... and then it's no longer secret.

I've thought up a couple of ways around this problem, but they add complexity and latency, and/or leave holes in the authentication procedure.

Is there a way of dealing with this problem that's reasonably simple, practical, and secure?

BTW, "reasonably secure" means "good enough to protect services of modest value." I'm not handling financial transactions or military secrets. I just need enough security to protect the API from a competent hacker who isn't going to invest a lot of effort to crack it.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66204
Have you considered HTTP authentication?
 
Jonathan Sachs
Greenhorn
Posts: 16
Bear Bibeault wrote: Have you considered HTTP authentication?


Bear: I'm a newbie in computer security, so perhaps I don't understand what you mean. But after a brief look-up of HTTP authentication, it appears to me that you've misunderstood my question.

I asked about best practices for performing authentication between the web client and the API server in a three-agent system consisting of application server, web client, and API server. This is basically a question about what authorization protocol to use. The means of transporting the credentials is a necessary but minor aspect of that. You gave me an answer that addresses only the means of transport.

It's as if I pulled into a gas station fifty miles of twisty roads from anywhere and asked the attendant how to get back to the interstate, and he replied, "The best way is to drive."

Maybe you have some other particular variety of HTTP authentication in mind and you neglected to explain it. I'll look forward to your clarification.

It may help if I add a bit more detail about the system's requirements. The primary requirement is to control access by application servers. Only specific, authorized application servers are allowed to use the API at all. A secondary (simpler) requirement is to control access by clients: any client may use the API provided it's communicating with an authorized server, but certain operations are authorized only for clients who are registered with and logged in to the application server. And (it may be unnecessary to point this out) each API request must identify the client making the request and the application server it is using.
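As an added example (not code from the thread or from either poster), the block below shows two things side by side: the shared-secret request signing that the first post describes for the application-server-to-API-server case, and one common way to meet the requirement just stated, that a client request identify both the client and the application server, without ever giving the browser the secret. The application server, which does hold the secret, mints a short-lived HMAC-tagged token for a logged-in client, and the API server verifies that token with the same secret. The app id, secret, client id and timestamps are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo values. In a real deployment each authorized application
# server gets its own secret; only that server and the API server hold it,
# and the browser client never sees it.
APP_ID = "app-server-1"
SECRETS_BY_APP = {APP_ID: b"constructed-demo-secret-for-app-server-1"}


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- Case 1: application server -> API server (the scheme in the first post)

def sign_request(request: dict, secret: bytes) -> dict:
    """Append an HMAC-SHA256 tag computed over the unsigned request."""
    tag = hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()
    return {**request, "sig": tag}


def verify_request(signed: dict, secrets_by_app: dict, now: float,
                   max_skew: float = 300.0):
    """Recompute the tag; reject on mismatch, unknown app, or stale timestamp.

    Returns the verified request body, or None.
    """
    body = {k: v for k, v in signed.items() if k != "sig"}
    secret = secrets_by_app.get(body.get("app"))
    if secret is None:
        return None
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
        return None
    # A signed timestamp bounds how long a captured request stays replayable.
    if abs(now - float(body.get("ts", 0))) > max_skew:
        return None
    return body


# --- Case 2: browser client -> API server, without giving the client the secret.
# The application server mints a short-lived token naming itself and the
# client; the API server verifies the tag with the application server's secret.

def issue_client_token(app_id: str, client_id: str, secret: bytes,
                       now: float, ttl: float = 900.0) -> str:
    claims = {"app": app_id, "client": client_id, "exp": now + ttl}
    payload = canonical(claims)
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def verify_client_token(token: str, secrets_by_app: dict, now: float):
    """Return the token's claims if the tag checks out and it has not expired."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    secret = secrets_by_app.get(claims.get("app"))
    if secret is None:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if float(claims.get("exp", 0)) <= now:
        return None
    return claims


if __name__ == "__main__":
    now = 1_700_000_000.0
    req = {"app": APP_ID, "method": "GET", "path": "/items", "ts": now}
    print(verify_request(sign_request(req, SECRETS_BY_APP[APP_ID]), SECRETS_BY_APP, now))
    tok = issue_client_token(APP_ID, "user-42", SECRETS_BY_APP[APP_ID], now)
    print(verify_client_token(tok, SECRETS_BY_APP, now + 60))
```

The verified claims give the API server exactly the two identities the requirement asks for (which application server vouched, and which client), and a client that alters the claims fails the tag check because it cannot recompute the HMAC. The token is a bearer credential, so it must travel over TLS and stay short-lived; the signed timestamp in case 1 only narrows the replay window, and a server-side nonce store would be needed to close it entirely.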
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66204
Jonathan Sachs wrote: You gave me an answer that addresses only the means of transport.

Nope; I said HTTP Authentication, not just HTTP. If you want to use conventional username/password authentication, this might satisfy your needs.

If you need something other than that, not so much.
 