2

(I know very little about OAuth, so please bear with me).

I have a backend system which is meant to be used by other companies through a REST-ish API. I added Basic Auth and I now need to check credentials. I thought of using OAuth so I can spare my company resources by letting our partners manage their passwords themselves.

Since this is a RPC API, it needs: 1. No human interaction 2. Needs to be fast (e.g. check against a in-memory cache)

Should/can I use OAuth for that? If not, what are the options?

Igor Gatis
  • 4,648
  • 10
  • 43
  • 66

1 Answers1

1

Basic authentication is not a good authentication scheme for REST-ful APIs (see here for more info).

Using the OAuth2 security protocol does not spare your company from managing passwords per se. You could use a service like Azure AD (which supports OAuth2) and build a multi-tenant application. This would let your users sign in with accounts from their own Azure AD directory (which they manage themselves).

When you say RPC API, are you then talking about SOAP services, or XML-RPC services? I'll assume you meant the latter.

Several security protocols that use bearer tokens have the characteristics you are looking for. The service receiving the token only needs to validate the digital signature to determine whether it can trust the token. This is a very fast operation. No communication with the issuing authentication service is needed.

OAuth2 is certainly a protocol that would fulfill these requirements. Which grant flow you want to use depends on your client application. I explained the different grant flows here.

Community
  • 1
  • 1
MvdD
  • 22,082
  • 8
  • 65
  • 93