What are some ways to secure REST APIs?

Question

I have a situation where iPhone client Signs In with Google/Facebook

                   step 1
iPhone Client   --------——> Google/Facebook

Once Authenticated, client needs to get data from my REST APIs

                   step 1
iPhone Client   --------——> Google/Facebook
      |
      | step 2
      |
      V
  GET /transactions

Question

Since server is not aware if client is authenticated(Ideally client is authenticated), what are some ways I can secure my REST APIs to have confidence that it is reasonably secured against malicious attacks?
Also, I do not want to maintain user/passwords on server

Implement [OAuth](http://oauth.net/). – PM 77-1 Jul 15 '14 at 23:20 — PM 77-1, Jul 15 '14 at 23:20

score 0 · Answer 1 · edited Oct 07 '21 at 06:16

0

You need to look into OAuth2, which is created to authorise user and allow access to secured resources. Here are some useful links for the same:

RFC:

https://www.rfc-editor.org/rfc/rfc6749

One link that can lead you wherever you want to:

http://oauth.net/2/

edited Oct 07 '21 at 06:16

Community

1
1

answered Jul 15 '14 at 23:20

Juned Ahsan

67,789
12
98
136

score 0 · Answer 2 · answered Jul 15 '14 at 23:59

0

You can generate a key for each client in the response and when the client access (provide key in the request) the server again, compare if the key is a valid key in your key pool.

answered Jul 15 '14 at 23:59

sendon1982

9,982
61
44

Dont you think, Key can be compromised? – Pawan Jul 16 '14 at 09:03
It is possible. But there is no way to ensure total safe. – sendon1982 Jul 17 '14 at 04:18

What are some ways to secure REST APIs?

2 Answers2