0

I am in the process of creating an internal application, and I am currently laying it out. Right now, these are the constraints:

  • The program is currently limited to one department; I do not foresee it going beyond this.
  • No on-premise limitations; everything is in the cloud.
  • An API is required for the client to work, which supports Basic or OAuth authentication.
  • The program is not resource intensive in any way, maybe a few API requests per week (< 20).
  • The API key would be able to read some accounting tickets that contain receipts, and create/modify the tickets.

I could definitely just use Basic Authentication and hardcode everything in the client code, but this is not the appropriate approach in my eyes (or in anyone’s here probably).

I am thinking about having the client/user code, which is distributed to each end user, be a lightweight and easy-to-install application. This will communicate with the server, which will directly contact the API that is needed for the client to work. This will allow me to not have to hardcode anything in the client as far as API credentials/tokens. I can then set the environment up on the server one time and be done. I could then set up the API key that is needed for the client to work to be stored in an Azure Key Vault. This is the best design, I believe.

Could I just store the API credentials in the client code and deobfuscate them when needed? Generally, I would say this is frowned upon, but you just have to pick your poison, as there is always a way to get your credentials. Unfortunately, I cannot just whitelist the API key by IP address; I can allow it to do certain things via permissions. The problem also is, I will need to ship out new code if a new API key is generated.

The last way I am thinking of is to set up an IP whitelist on an Azure server, then only give that API key out once the IP is approved. Coupling this with a permissions restriction on the API key seems okay. This is an in-between for security and scalability.

What would be the best approach from the ones given? If any additional information is needed, I will provide it.

7
  • Implement OAuth authentication. Commented Aug 6, 2024 at 23:16
  • Sure, but should I do the OAuth flow on the server and then have the client contact my server, or should I let the client directly access the API and do the OAuth flow in the client app? Commented Aug 7, 2024 at 1:03
  • Is there really any need for an installable client application? Client-side installation and managing code on client devices opens up a plethora of problems. I would strongly reconsider this and lean toward a browser-based web app, which should greatly simplify everything you're trying to do here with a lot of standard browser-native features, like the ability of a browser to remember user logins. Most popular OAuth providers also include their own login UI flows which work seamlessly within a browser without you needing to do any extra work. Commented Aug 7, 2024 at 7:28
  • Is the "client" going to be a human being, or another application? Basically, will a human be running this client-side application? Commented Aug 7, 2024 at 15:33
  • @Noah read up on the various OAuth flows. The client should prompt the user for username and password; that should go to the OAuth server to generate a token, and the token should be used to connect to the API. Commented Aug 7, 2024 at 17:48
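The server-side design from the question (the client talks only to your server, which holds the upstream API key in Key Vault) combined with the per-user token flow the last comment describes, as an added illustration that is not from the question or any commenter. It assumes a constructed in-memory dict standing in for Key Vault and constructed session tokens standing in for tokens issued by an OAuth server; the point it shows is that the upstream key never reaches the client, per-user permissions are enforced server-side, and rotating the key needs no new client code.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for tokens the OAuth server issued to end users after login
# (hypothetical users), mapped to the actions each user is allowed to perform.
SESSIONS = {
    "tok-alice": {"user": "alice", "scopes": {"tickets.read"}},
    "tok-bob":   {"user": "bob",   "scopes": {"tickets.read", "tickets.write"}},
}

# Constructed stand-in for Azure Key Vault: only the server reads from it.
VAULT = {"accounting-api-key": "key-v1"}

# Which permission each client action needs, and how it maps onto the upstream API.
ACTION_SCOPE = {"list": "tickets.read", "read": "tickets.read",
                "create": "tickets.write", "update": "tickets.write"}
ACTION_METHOD = {"list": "GET", "read": "GET", "create": "POST", "update": "PATCH"}

@dataclass
class UpstreamRequest:
    method: str
    path: str
    headers: dict

@dataclass
class ProxyResult:
    status: int                               # HTTP status returned to the client
    upstream: Optional[UpstreamRequest] = None  # request the server sends on, if allowed

def handle(client_token: str, action: str, ticket_id: Optional[str] = None) -> ProxyResult:
    """Validate the end user's token, enforce scope, then build the upstream call."""
    session = SESSIONS.get(client_token)
    if session is None:
        return ProxyResult(401)               # unknown or expired user token
    needed = ACTION_SCOPE.get(action)
    if needed is None:
        return ProxyResult(400)               # action the proxy does not expose
    if needed not in session["scopes"]:
        return ProxyResult(403)               # user lacks the permission
    api_key = VAULT["accounting-api-key"]     # read per request, so rotation takes effect at once
    path = "/tickets" if ticket_id is None else f"/tickets/{ticket_id}"
    headers = {"Authorization": f"Bearer {api_key}", "X-Acting-User": session["user"]}
    return ProxyResult(200, UpstreamRequest(ACTION_METHOD[action], path, headers))

def rotate_api_key(new_key: str) -> None:
    """Rotating the upstream key touches only the vault, never the distributed client."""
    VAULT["accounting-api-key"] = new_key
```

The client only ever holds its own user token; the response it gets back would be the ticket data, not the `UpstreamRequest` shown here.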
