8

I am developing a REST API that I plan on using with a web and IOS app. I intend for this API to be private for sometime (private meaning I only want my web app and ios app to access the api).

I have read about many different authentication methods but I am still to confused to select the appropriate authentication method for my API.

From what I understand, oAuth2 is for allowing users to login to your APP using other service providers so that you can access the data on the respective service provider. I am accessing the data in my own API so I believe this does not apply to me?

So, here is what I am thinking:

  • 1) Use HTTP Basic Authentication to send the user/pass to the server.

  • 2) Once the server validates the login, return an access token that will expire in x hours. This will allow me to simply store the token rather than the user/pass credentials.

I have Google'd this technique and haven't really found any info on this method which leads me to believe this is not a good way as I may potentially be trying to reinvent something?

What should I be doing? Is what I am looking for two-legged oAuth?

Improve this question

2 Answers 2

Reset to default
2

OAuth 2.0 has become the protocol of choice to secure web API's. It requires a user to authorize an application to access your web API.

You want your application to be the only one that can access certain API's. OAuth 2.0 allows doing just that.

In your authorization server, implement the Authorization Code Grant with client credentials required (not optional). Make it so that only your app (or a configured list op first party apps) can acquire the scope required to make those API calls. As long as you keep your client secret a secret indeed, your app will be the only one able to get an access token with the required scope. In the web API, ensure the scope is granted to the access token used to call the API.

Good authorization servers, such as The Identity Hub, will allow you to do just that.

Do not use the Resource Owner Password Credentials Grant. As the specification says:

The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

This is repeated later on:

The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

If the password credentials grant is available, any application can acquire a token by asking the user for a user id and password. This is exactly what you do not want.

The specification is very clear about the problems inherent to using passwords:

In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This creates several problems and limitations

OAuth 2.0 was designed specifically to overcome some of the issues with using passwords:

OAuth addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

Furthermore, if your API wants to know the user (in addition to knowing the client app), it is impossible to abuse the Resource Owner Password Credentials Grant to authenticate the client (i.e. app) instead of the resource owner (i.e. user), as suggested by Florent Morselli.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Kris Vandermotten, this leaves me even more confused. Authorization Grant I thought was for when you wanted to login to an APP with another provider. Like, if I wanted users to login to my app via Facebook or Twitter. My IOS app is the official app of my website. It's like when you go to the Facebook app and login into Facebook with your username/password. I am logging into my own API. There is a high degree of trust as it is my official app. Therefore, if I am posting the username/password from IOS to my API, I also need to send client credentials, but I cannot store these safely in IOS.
@AlexLacayo I don't know if you can store them safely in IOS or not. But I do know that with a Resource Owner Password Credentials Grant, your authorization server, and therefor your API, has no way to tell if it was your app that made the call, or some other app. That violates your primary requirement, the reason why you asked this question in the first place: your API wouldn't be private at all.
Correct me if I am wrong, but with Resource Owner Password Credentials Grant you pass the users credentials along with the client credentials to the API to get a token. So, technically it would know where the request came from (tools.ietf.org/html/rfc6749#section-4.3.2). However, I know I cannot safely store the client credentials in IOS. Let say my company/website is called "X". So, when the user downloads my app, it would say "Login with X" instead of just simply having a login form with username/password (like twitter, fb, IG, etc. do for their official app). Isn't this a bit silly?
That's my point: the spec allows for optional client authentication with the password grant, but you cannot use that from a device app. But why your app should say "Login with X" as opposed to just "Login", I fail to see. You choose what you write on that button, no? Likewise, you determine the look of the web page that is presented to the user, so that it blends in with your app. In fact, the code grant is just a safer way to take a user's credentials and turn them into a token. Why would that be silly?
Are you saying to embed the login as website into my app? I guess what I am imagining is when the user opens the app the user will be asked to click "login to x" (or whatever I decide) and then they will be redirected somewhere as opposed to simply displaying a form on the immediate load screen in the app (just like IG, FB). When i download a random app and chose to "Login with Facebook" I am redirected to FB for approval. So, in my personal app this is my confusion? Does that make sense or no?
|
1

In fact, OAuth2 is not dedicated to authenticate your users, but to authorize a client (a website or an app) to access on resources (user informations, pages, files...).

As your website and app are private (so that you have a high degree of trust in them), I suggest you to use the Resource Owner Password Credentials grant type. The username/password are only needed to get an access token (and a refresh token if needed). Your clients do not have to store these credentials as you mentionned.

Just a precision: OAuth2 may be used the HTTP Basic Authentication to authenticate the client, not the resource owners/users.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.