
I have a REST API written in PHP (Slim framework) and my API contains some admin routes for managing private data. I've implemented OAuth 2.0 for authorization (this PHP implementation).

I like to use AngularJS for creating an admin webapplication so users can manage their own data.

I'm now using the username-password flow, but I'm reading that this is not secure because my webapp exposes client_id & client_secret.

I also looked into the implicit grant (designed for public clients), but it says that it should be for read-only purposes.

I also want to use this API for supplying data for mobile apps. Users don't have to sign in for this but data isn't public.

Which oauth grant is suitable for this scenario / setup?

Daan Geurts

4 Answers


I know I'm posting Python to a PHP question but it's not about the code. The example (http://python-eve.org/authentication.html#auth) explains in detail what auth methods are available for a good REST API and it might be useful for your application.

Romeo Mihalcea

Take a look at the Resource Owner Password Credentials Grant, which is the 4th bullet point in the second link that you provided: password (user credentials).

https://www.rfc-editor.org/rfc/rfc6749#section-4.3

Simply put:

  1. User sends their login and password
  2. Server grants user access_token (equivalent to the old cookie session id)
  3. User sends access_token with the remainder of their requests

Also, if you want to give mobile devices access while keeping data private, I'd suggest generating "free" accounts linked to mobile MAC addresses. Then have them go through the above-said authentication with their MAC address as login and the password empty. That way you can implement the same user logic for mobile, with throttle/ban/upgrade/etc. per device.

Travis
  • Is this the same as the username-password grant? I don't think it is, I think this is where there is a single username and password (i.e. the resource owners password) and it's not suitable. The key phrase being this grant type "is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application". A javascript application doesn't have that trust relationship, it can't be trusted. – BenCr Jun 04 '14 at 10:23
  • The difference between the two is `Resource Owner` and `3rd Party`. For example, if I'm trying to log into facebook directly I am the resource owner. However, if some 3rd party is trying to log in with my credentials this would require an addition client_id/client_secret to validate said 3rd party. – Travis Jun 04 '14 at 15:14
  • So for resource owner password credential grant I don't have to expose client id & secret if I'm the resource owner? – Daan Geurts Jun 04 '14 at 15:48
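The three steps above as an added PHP example; it is not code from this answer or from the asker's OAuth library, and the client record, user record, in-memory token store and route names are constructed assumptions. It issues a bearer token to a public client (client_id only, no client_secret, which RFC 6749 permits for clients that cannot keep a secret, such as browser JavaScript) and validates that token on a later request.

```php
<?php
// Constructed in-memory stores standing in for a database (assumption).
$clients = ['angular-admin' => ['public' => true]];          // public client: no secret issued
$users   = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$tokens  = [];  // sha256(access_token) => ['sub' => username, 'exp' => unix time]

// Steps 1 and 2: POST /token with grant_type=password (RFC 6749 section 4.3).
function issueToken(array $post, array $clients, array $users, array &$tokens): array
{
    if (($post['grant_type'] ?? '') !== 'password') {
        return ['status' => 400, 'body' => ['error' => 'unsupported_grant_type']];
    }
    $client = $clients[$post['client_id'] ?? ''] ?? null;
    // A public client identifies itself by client_id only: a secret shipped in
    // browser JavaScript would not be secret, so none is issued or checked for it.
    if ($client === null || empty($client['public'])) {
        return ['status' => 401, 'body' => ['error' => 'invalid_client']];
    }
    $hash = $users[$post['username'] ?? ''] ?? null;
    // password_verify is constant-time; the error never says which field was wrong.
    if ($hash === null || !password_verify($post['password'] ?? '', $hash)) {
        return ['status' => 400, 'body' => ['error' => 'invalid_grant']];
    }
    $token = bin2hex(random_bytes(32));   // opaque, unguessable, not derived from the user
    $tokens[hash('sha256', $token)] = ['sub' => $post['username'], 'exp' => time() + 3600];
    return ['status' => 200, 'body' => [
        'access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => 3600,
    ]];
}

// Step 3: resolve the Authorization header of a protected request (RFC 6750 section 2.1).
function authenticate(string $authHeader, array $tokens): ?string
{
    if (!preg_match('/^Bearer ([a-f0-9]{64})$/', $authHeader, $m)) {
        return null;
    }
    $rec = $tokens[hash('sha256', $m[1])] ?? null;   // only the digest is stored server-side
    if ($rec === null || $rec['exp'] < time()) {
        return null;                                  // unknown or expired: answer 401 at the route
    }
    return $rec['sub'];
}

// Constructed round trip: the webapp logs in, then calls an admin route.
$resp = issueToken(['grant_type' => 'password', 'client_id' => 'angular-admin',
                    'username' => 'alice', 'password' => 'correct horse'],
                   $clients, $users, $tokens);
$user = authenticate('Bearer ' . ($resp['body']['access_token'] ?? ''), $tokens);
var_dump($resp['status'], $user);
```

In a Slim route the token store would be a table keyed by the SHA-256 digest, and the admin routes would call authenticate() on the incoming Authorization header before touching any private data.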

If you're not happy with implicit or username-password that leaves client credentials or authorization code.

Client credentials is not applicable in this situation because it's not possible to secure the credential in a javascript application running on a browser (it might not even be possible to use the client credential if you're talking about a certificate).

So Authorization Code is your only option.

However, you can't secure the client secret in the authorization code flow.

Implicit is really your only OAuth2 option for a browser application. There is a section in the OAuth threat model discussing the potential issues and mitigations. https://www.rfc-editor.org/rfc/rfc6819#section-4.4.2

Here is another question about the security implications of implicit grant. How secure is Oauth 2.0 Implicit Grant?

BenCr
  • Well, my concern is that username-password is also not secure because the client id & secret are exposed through the source of the webapp (AngularJS only)? – Daan Geurts May 30 '14 at 05:57
  • I didn't look at the username-password flow because you'd already said you'd ruled it out. – BenCr May 30 '14 at 11:56
  • Here's a quote about username-password flow from http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#user-experience-and-alternative-authorization-flows "the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected.". It doesn't seem terribly secure, OAuth is supposed to prevent you having to collect and send the users credentials around but username-password does exactly that. – BenCr May 30 '14 at 14:13
  • I'm not sure if you followed that previous comment or not. The username password flow doesn't use a client id and secret so it can't be exposed through the source of the webapp. – BenCr Jun 02 '14 at 13:24
  • Well, the PHP implementation I use needs client id and secret for the resource owner password credentials grant, and from what I've read it needs this for client validation. – Daan Geurts Jun 02 '14 at 14:25
  • That's not username-password grant though, is it? "The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application." – BenCr Jun 03 '14 at 08:23
  • And what should I use for my mobile apps, where a user doesn't have to log in to view data? The data is supplied by the same API. – Daan Geurts Jun 04 '14 at 12:02
  • Are you asking me what authorisation mechanism you need to use when you don't need to be authorised? – BenCr Jun 04 '14 at 12:08
  • The logic of how you apply your authorisation is really beyond the scope of any SO question. You could argue that if the data is okay to be viewed anonymously from one client then it should be the same for all clients. However if that's not the case you might want to create two endpoints, one with auth, the other without and reuse the business logic behind those two endpoints. – BenCr Jun 04 '14 at 12:13
  • Well, maybe my question is not clear enough or I don't understand your answer. I have one API with admin endpoints and endpoints for mobile apps. None of the endpoints should be public. The admin endpoints need to be accessible for real users through a webapp. The mobile endpoints show the nearest locations but should not be publicly visible, only via a mobile app, but without user login. – Daan Geurts Jun 04 '14 at 15:36

Since Stack Overflow is dumb, I can't comment since I don't frequent this site. However, before I can offer a solution I am wondering what situation you have that requires a user to not be logged in to update data?

michael.schuett
  • My API has 1 section for mobile apps which should only be visible for the Android and iOS app and requires no user login. And it contains some admin endpoints for us / partners to update their data via an AngularJS webapp. – Daan Geurts May 30 '14 at 05:59