I'm trying to figure out the best way to deploy an API in Amazon API Gateway. I'm getting totally confused about the appropriate authorization to use.
The API will be used by our customers for their own custom developed apps.
We don't need to provide end user authentication. This will be handled on a by our customers, based on the specific requirements for their apps.
What we need to do, is provide a way for our customers apps to authenticate against our API.
My understanding is that I have the following options...
AWS_IAM - This may not be appropriate, adding customer
credentials to our Amazon account.
Cognito User Pool Authorizer -
This seems to mostly be designed for user authorization, rather than
client authorization.
Custom Authorizer - Presumably can be
tailored to our specific requirements, but would need a lot of code
to be built from scratch.
API Key Authentication - Quick and
easy, but doesn't seem particularly secure, to simply rely on a key
header.
I had originally assumed, that there would be some straightforward way to enable OAuth2 Authentication. For our use-case, the "Client Credentials" flow would have been suitable. However from the research I've done, it sounds like OAuth2 Authentication would require a Custom Authorizer Lambda. I'm really not keen on the idea of having to implement a full OAuth2 service, to authenticate the App. It will simply cost too much to build something like this.
Also if we're writing our own full custom OAuth2 Authorizer, and writing all of the functionality for the API itself, I'm not sure how API Gateway is actually providing us any value.
Is there some best practice, or standard for authenticating API clients for API Gateway?
What we need to do doesn't seem like a particularly unusual thing, there must be some standard way people do this.
Any suggestions would be very much appreciated.
Related
Apologies for the oddly worded title, however I could not come up with a better one.
My application should be able to perform a limited set of actions on an Enterprise Google Apps system. Users submit requests to the application, the application interprets these requests and then makes requests to Google resources as necessary.The point is that users, who normally do not have permissions to access/modify the google apps resources, will be able to use this application to do so in the limited ways that it allows.
My problem lies in the apparent fact that the OAuth2.0 authorization flow seems designed to allow third party client applications to authorize themselves as the user and access/modify the user's google resources, rather than a global administrator's. In other words, a normal API key type deal. Unfortunately it seems that Google's AdminSDK will only work with OAuth2 authorization.
Is there a way to use Google's AdminSDK API with OAuth2 (permanent access token, maybe? API key?) to do what I want? Or is there a different API I should be trying? The now-deprecated Provisioning API seemed to be able to do this.
I feel like there should be a way for the application to just pull something out of a secrets.json or secrets.yml, include that in the API authorization request and have Google servers recognize and grant access to the application without the user ever needing to see what's going on.
For the record I'm using Ruby on Rails, though I don't think that affects the question very much.
I'm starting a new system creating using .NET MVC - which is a relatively large scale business management platform. There's some indication that we'll open the platform to public once it is released and pass the market test.
We will be using ExtJs for the front-end which leads us to implement most data mining work return in JSON format - this makes me think whether I should learn the OAuth right now and try to embed the OAuth concept right from the beginning?
Basically the platform we want to create will initially fully implemented internally with a widget system; our boss is thinking to learn from Twitter to build just a core database and spread out all different features into other modules that can be integrated into the platform. To secure that in the beginning I proposed intranet implementation which is safer without much authentication required; however they think it will be once-for-all efforts if we can get a good implementation like OAuth into the platform as we start? (We are team of 6 and none of us know much about OAuth in fact!)
I don't know much about OAuth, so if it's worth to implement at the beginning of our system, I'll have to take a look and have my vote next week for OAuth in our meeting. This may effect how we gonna implement the whole web service thing, so may I ask anyone who's done large-scale web service /application before give some thoughts and advice for me?
Thanks.
OAuth 1 is nice if you want to use HTTP connections. If you can simply enforce HTTPS connections for all users, you might want to use OAuth 2, which is hardly more than a shared token between the client and server that's sent for each single request, plus a pre-defined way to get permission from the user via a web interface.
If you have to accept plain HTTP as well, OAuth 1 is really nice. It protects against replay attacks, packet injection or modification, uses a shared secret instead of shared token, etc. It is, however, a bit harder to implement than OAuth 2.
OAuth 2 is mostly about how to exchange username/password combinations for an access token, while OAuth 1 is mostly about how make semi-secure requests to a server over an unencrypted connection. If you don't need any of that, don't use OAuth. In many cases, Basic HTTP Authentication via HTTPS will do just fine.
OAuth is a standard for authentication and authorization. You can read about it in many places and learn; Generally the standard lets a client register in the authentication server, and then whenever this client attempts to access a protected resource, he is directed to the auth-server to get a token (first he gets a code, then he exchanges it with a token). But this is only generally, there are tons of details and options here...
Basically, one needs a good reason to use oAuth. If a simpler authentication mechanism is good for you - go for it.
I need to develop an API to be the core of a web APP.
My initial idea was making a REST API that would treat all the request and then create some clients for web, mobile and desktop.
My question is, How should I manage the authentication for this situation?
I thought about using a token that would be passed with all requests to the REST API.
Im my case, I would not like to have something like OAuth because the ecosystem will not have multiple apps like Facebook/Twitter does.
NOTE: I must have the API separated from the client for web.
In more details, I would request POST /users/auth passing their password and username, and receive an auth token.
Is it a good approach or there is something better?
Agree that Devise is great for the auth in the application. For the API level, 3scale could help a lot (http://www.3scale.net) - it takes care of rate limits, keys, oauth secret distribution, analytics, developer portal and other stuff. There's a ruby plugin to get started here: https://github.com/3scale/3scale_ws_api_for_ruby.
Devise is a fantastic gem that handles authentication in rails apps. It also provides token based authentication. You can find many resources on the web (for example here) explainig how to use it. No doubt it will fit for your situation.
I would like to offer authenticated API access to my web app. The consumers of such a service are typically other web sites/services.
What would be the best method of authenticating these users? OAuth, openID, http authentication?
As so much in our line of work, the answer to "which is best?" is "it depends." :)
HTTP Authentication - If you're already letting clients log in to your service via an ID and password, you'll probably only have to do minimal work to get this to play nicely with your API. If your API is basically mono-purpose and doesn't require detailed permissions, you can get something working fairly quickly here.
API Token - If you want clients to be able to authenticate easily without providing a password (think companies that build a service that interacts with your API; maybe the IT dept. doesn't want the dev. team knowing the passwords; etc.), then attaching a random API token à la GitHub to the user account is probably the quickest way to go. As a bonus, you can supply a method for regenerating the API token without having to change the account password.
OAuth - If you have multiple permissions or want finer-grained control over how and when a client can access your API, OAuth is a pretty good bet (OAuth2 is much easier to work with, IMO, and supports multiple methods of obtaining an access token). Furthermore, many languages have libraries, gems, etc. that will allow them to simplify the OAuth workflow.
I would say the "best" method is oAuth. It's more flexible and it can be application independant for further uses .
I am using oAuth to authenticate my clients (applications).
;)
Can you use oAuth to only authenticate like you can with Twitter?
If you check Google's docs at http://code.google.com/apis/accounts/docs/OAuth2.html you'll find that the scope (meaning, the service you're supposed to ask permission to) is a required field.
It may be a turn off for many users if you ask them to access their contact list when the most you really do is authenticate, so I rather stick with OpenID which is designed just to retrieve the UID.
So, the answer is really NO, unless you're planning on using an additional API with Google.
OAuth is an authorization protocol and can't be used for authentication only unless the provider defines a dummy scope which, in effect, authorizes you to access "nothing", or "basic user info" (name, e-mail, etc.).
AFAIK, Google provides no such "dummy" scope. However, they do implement OpenID for such authentication purposes, as the protocol is better suited for that task, anyways.
Yes you can there are many options it depens on your platform advice you to check
oauth.net
You can find there options for Java, .NET, Cold Fusion,PHP,etc.
There are many Frameworks that have OAuth capabilities, on Spring you can use this
Sounds like there is some plans afoot on this...
http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html?showComment=1300267218233#c6336940633709651714
some chap:
"Can someone help by pointing to the documentation for the API of "just get basic information for a user"
other chap:
"The problem is, that you get a lot of different login mechanisms because Twitter is using OAuth 1.0 (Or am I wrong?), Facebook is using OAuth 2.0 and Google is using OpenID for login. Please correct me if I´m wrong. So basically I have the same question.
Will Google support login for basic user informations with OAuth 2.0 for Google APIs?"
google dude:
"Today we're supporting OpenID for login, but we've heard your pain about mess of different identity protocols on the web. Stay tuned :)"
Seems to me, as OAuth2 covers authentication and authorization, it would make sense to allow basic info and make it easy on the integrator using one method for all
I'm plumping for this possibility anyway, hopefully by the time I'm ready to put my app live it will be available from Google - Facebook has this anyway and in my case that's a big enough draw