I am building a RESTful API and want to protect my APIs. I am thinking of implementing OAuth, but as far as I know OAuth is suitable only when we are exposing our API to third-party applications. I am not exposing my API to third-party applications.
I want to know whether implementing OAuth is suitable for this or not.
Thanks,
Sanjay Salunkhe
I have an API which is hosted in Azure. It is using the Microsoft Identity platform for authorization. Now we need to integrate an APIM gateway for the API. APIM also provides OAuth authorization. So my question is: should I configure OAuth for my API in APIM, since the API would be deployed in APIM, or can I continue to use the Microsoft Identity platform, which is doing its job? So I am looking for the benefits of using OAuth from APIM rather than through Microsoft Identity. In other words, what would be the difference and the pros of using OAuth via APIM vs Microsoft Identity, which also relies on OAuth?
Each API should validate a JWT access token on every request, then use the token's scopes and claims to authorize access to resources. This is sometimes called a zero trust architecture.
Another important requirement is to avoid revealing sensitive data in tokens, such as emails, to internet clients. The phantom token pattern has more info on this and involves the use of an API gateway.
I would favour a solution where there is an API gateway in front of your APIs. This is a hosting best practice and also enables you to perform tasks such as cookie and token translation in the gateway.
APIM is one solution, so I would favour that type of option if it improves your API security. There are other Azure options though, so it can be worth clarifying the types of things you want to do in gateways before choosing one. The API Gateway Guides may give you some ideas.
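As an added illustration of the two points in the answer above (this is example code written for this page, not the answerer's code and not Azure APIM or Microsoft Identity platform code), the block below shows an API that validates a JWT access token on every request and then authorizes by scope, and a minimal phantom-token exchange in which the client only ever holds an opaque reference token while the gateway swaps it for the JWT. The issuer URL, audience value, HMAC key, scope name and the in-memory reference-token store are all assumptions made for the demo; a production API would verify an asymmetric signature against the issuer's published keys and the gateway would call the authorization server's introspection endpoint.

```python
"""Added example: per-request JWT validation + scope authorization + phantom tokens."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed demo values. A real API would verify RS256/ES256 with the issuer's
# published public keys rather than share an HMAC secret with the issuer.
SIGNING_KEY = b"demo-only-hs256-key"
ISSUER = "https://login.example.com"   # assumed issuer URL
AUDIENCE = "api://orders"              # assumed API identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Mint a compact JWS. 'alg' is a parameter only so a forged header can be tested."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def validate_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm the API expects; never let the token choose ('none', key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    return claims


def has_scope(claims: dict, needed: str) -> bool:
    """'scope' is a space-delimited string in OAuth 2.0 access tokens."""
    return needed in claims.get("scope", "").split()


# Phantom token pattern: the internet client only holds an opaque reference token;
# the gateway swaps it for the JWT before forwarding, so claims such as 'email'
# never reach the browser. Constructed in-memory store standing in for the
# authorization server's introspection endpoint.
REFERENCE_TOKENS: Dict[str, str] = {}


def issue_reference_token(claims: dict) -> str:
    opaque = secrets.token_urlsafe(32)
    REFERENCE_TOKENS[opaque] = issue_jwt(claims)
    return opaque


def gateway_exchange(opaque: str) -> Optional[str]:
    return REFERENCE_TOKENS.get(opaque)


def handle_get_orders(authorization: str, now: Optional[float] = None) -> Tuple[int, str]:
    """API handler: validate the JWT on every request, then authorize by scope."""
    if not authorization.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_jwt(authorization[len("Bearer "):], now=now)
    except TokenError as e:
        return 401, str(e)
    if not has_scope(claims, "orders:read"):
        return 403, "insufficient_scope"
    return 200, f"orders for {claims['sub']}"


if __name__ == "__main__":
    demo_claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                   "email": "user42@example.com", "scope": "orders:read",
                   "exp": int(time.time()) + 300}
    ref = issue_reference_token(demo_claims)   # what the client receives
    jwt = gateway_exchange(ref)                # what the internal API receives
    print(handle_get_orders("Bearer " + jwt))
    print(handle_get_orders("Bearer " + ref))  # the opaque token is useless at the API
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged payload (for example an escalated `scope`) is rejected as a bad signature rather than ever being consulted, and the client-facing reference token carries no claims at all.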
I read this article.
Gmail can't be used in a third-party component without using OAuth 2.0?
Should a personal account also use OAuth 2.0 when using a third-party library?
If you are using Gmail or any other Google API, you should be using the OAuth 2 flow to ensure a more secure scenario.
For your actual question: yes, you need to use the OAuth flow to authenticate to any Google API, as required; the link you posted about Less Secure Apps already says that they will be deprecated any time soon and are pretty much discouraged.
I am building an OAuth2 API for my program, but I don't know how the flow works for using the same API on the main website for the app. Would I just use the normal authentication route? I think it would seem odd to see that the trusted-name app is wanting access to information when it's not a third party.
I am developing a web application which consists of a Silverlight application and a REST API. An optional use case is that the customer may also want to integrate with Salesforce. By "integrate" I mean utilize SSO with Salesforce when logging into my application, as well as access data via Salesforce's REST API. The current hurdle I can't seem to get over is that SSO uses WS-Federation while Salesforce's REST API uses OAuth 2.0. What is the best way to bring these two authentication mechanisms together?
My knee-jerk reaction was for my Federation Provider STS to acquire an OAuth access token from Salesforce and add it as a claim to the security token received from Salesforce's Identity Provider STS, but I think this might require me to write a custom STS. I'd rather not do that. Is there a better way?
This question is old but comes up often, so ...
There is now information on how to do this here: Configuring-SSO-to-SharePoint
This approach uses WS-Fed.
Now that we have the OAuth and OAuth2 protocols for various services like Facebook, Twitter, etc., I would like to know if it is possible to detect which service uses which OAuth version from the backend code, and hence proceed to use the best-suited OAuth 1 or OAuth 2 class library for the OAuth.
Thanks.
You have to read each service provider's (Facebook, Twitter, etc.) API documentation and decide based on that.