2

I have a web application in Node.js that consumes an API for certain aspects of the content of the website, e.g. news. The API is written in Node.js and points to a MongoDB database.

I would like some advice as to the best authorization strategy for this type of requirement. I don't really need a username and password solution (I don't think). Some sort of static token that the web app can pass to the API so that only applications that have this token can browse the data returned by the API. I mainly want to stop just any old application consuming the API.

Akhilesh Singh
Mish

1 Answer

2

Here is the best blog that can help you with how to authenticate a REST API in Node.js with the help of Basic HTTP Authentication, OAuth1 and OAuth2:

https://stormpath.com/blog/secure-your-rest-api-right-way

Basically there are three types of authentication that are generally used:

  • Basic Authentication
  • OAuth 1.0a
  • OAuth 2

HTTP Basic Authentication

  • More convenient, as you can easily expire or regenerate tokens without affecting the user's account password.

  • If compromised, the vulnerability is limited to the API, not the user's master account.

  • You can have multiple keys per account (e.g. users can have "test" and "production" keys side by side.)

OAuth1

OAuth 1.0 requires the client to send two security tokens for each API call, and to use both to generate the signature. It requires that the protected resource endpoints have access to the client credentials in order to validate the request.

OAuth2

OAuth 2.0 signatures are not required for the actual API calls once the token has been generated. It has only one security token.

Here describes the difference between OAuth 1.0 and 2.0 and how both.

Akhilesh Singh
Thanks for this information. I would like to start with an API Key implementation as I don't require a username and password solution. Can you advise which of the above best suits the below desired behavior? 1. You get an API key from the service (shared secret). 2. Add the key to an Authorization header. 3. Call the API. – Mish May 09 '16 at 12:22