6

I want to build a token-based authentication to my web APIs to let 3rd party applications access those APIs.

No user interaction, no delegation, the roles and the connected applications are managed manually from a management portal.

With those requirements, what's the best practice to acquire the jwt token?

Do I need a protocol like OpenID or OAuth2, or simply, expose an Endpoint that takes an APIKey and it will return a security token if the APIKey is valid?

Homam
  • The best way is to share a secret key with the 3rd party application and let the 3rd party itself build the JWT on their side based on that secret key; your API just verifies the token. – cuongle Feb 08 '17 at 14:01
  • @CuongLe could you please add your comment as an answer to discuss it? – Homam Feb 08 '17 at 14:17
  • Does my comment really solve your problem? – cuongle Feb 08 '17 at 15:08
  • If you need to connect 3rd parties, you probably want a "standard / defacto" system, not a custom one. Also, a requirement for app-to-app vs end-user-to-app is fundamental when you design your API (two-legged vs three-legged OAuth2, etc.). I suggest you take inspiration from google's way of doing things: https://developers.google.com/identity/protocols/OAuth2ServiceAccount you only have the client side (json/rest), but it can give a good understanding on what you should do on the server side. – Simon Mourier Feb 15 '17 at 07:23
  • @SimonMourier Thanks for the link. My scenario is to log in on behalf of a user, but with server-to-server authentication. OAuth2 and OpenID seem to be great when there's a user approval to access his/her data. – Homam Feb 15 '17 at 18:11

3 Answers

6

First, I want to explain the difference between OAuth and OpenID. User adrianbanks contrasts the two well in this answer. To summarize, OpenID is about authentication - proving who you are. While OAuth is about authorization - do you have access to the functionality, data, your application. Now, back to your question.

Whether you need OAuth or not, you should look into the OWIN (Open Web Interface for .NET) Middleware. We are currently using OWIN to implement our own open API with its OAuth 2.0 Authorization Server functionality. However, OWIN is not limited to implementing an OAuth authentication server. Definitely give it a look to see if it can fit your needs.

For your case, implementing OAuth 2.0 might not be necessary; however, it is what I am recommending. For this problem it is a good, secure solution. Not only will it solve this problem, but in the future, if you want to allow users to authorize third-party integrations, OAuth - the more secure option - will already be implemented.

If you will not have users using third-party integrations, you can use API keys. As long as you implement it in a secure way, this is a good option. If this is more of what you are looking for, read this post about using API keys to securely authenticate (and authorize) third-party applications for an ASP.NET Web API project.

M. Carlson
  • The last link is broken. http://bitoftech.net/2014/12/15/secure-asp-net-web-api-using-api-key-authentication-hmac-authentication/ – codah Jan 22 '19 at 00:14
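The answer above points at API-key authentication backed by an HMAC signature over each request (the topic of the linked post). The following is an added example, not code from the answer or from the linked post, of what a server-side check for such signed requests looks like: the client signs a canonical string (key id, method, path, timestamp, nonce, body hash) with its shared secret, and the server recomputes the MAC, compares it in constant time, rejects stale timestamps and replayed nonces, and only then applies the role assigned to that key. The key id, secret, header layout and canonical-string format are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed registry (assumption): key id -> shared secret and allowed roles.
# The secret is issued once by the management portal and stored server-side.
API_KEYS = {
    "key_7f3a": {"secret": b"partner-shared-secret-constructed", "roles": ["reports:read"]},
}

CLOCK_SKEW_SECONDS = 300   # reject requests timestamped outside +/- 5 minutes
_seen_nonces = {}          # nonce -> expiry; in-memory replay cache for the demo


def _canonical(key_id, method, path, body, timestamp, nonce):
    """Deterministic string both sides sign; the body is bound via its hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    parts = [key_id, method.upper(), path, str(timestamp), nonce, body_hash]
    return "\n".join(parts).encode()


def sign_request(key_id, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = _canonical(key_id, method, path, body, timestamp, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"HMAC {key_id}:{timestamp}:{nonce}:{mac}"


def verify_request(auth_header, method, path, body, required_role=None, now=None):
    """Server side: returns (True, key_id) on success, else (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        scheme, rest = auth_header.split(" ", 1)
        key_id, ts, nonce, mac = rest.split(":")
        timestamp = int(ts)
    except ValueError:
        return False, "malformed header"
    if scheme != "HMAC":
        return False, "unsupported scheme"
    entry = API_KEYS.get(key_id)
    if entry is None:
        return False, "unknown key"
    if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
        return False, "stale timestamp"
    # Purge expired nonces, then reject replays inside the window.
    for stale in [n for n, exp in _seen_nonces.items() if exp <= now]:
        del _seen_nonces[stale]
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    msg = _canonical(key_id, method, path, body, timestamp, nonce)
    expected = hmac.new(entry["secret"], msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong MAC leaks nothing through timing.
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    # Record the nonce only after the signature checks out, so unsigned
    # requests cannot poison the replay cache.
    _seen_nonces[nonce] = now + CLOCK_SKEW_SECONDS
    if required_role and required_role not in entry["roles"]:
        return False, "forbidden"
    return True, key_id
```

The order of the checks matters: cheap structural checks first, the signature before the nonce is stored, and authorization (the role from the management portal) only after the request is known to be genuine.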
2

So, I understand that your requirement is a machine to machine communication. If yes, the easiest way is to implement the "Client Credentials Grant flow of OAuth 2.0" (refer: documentation).

The above method is suitable only if your data does not contain highly sensitive data.

Other option would be to implement a whole Authorization server either using own code or using 3rd party frameworks and follow the "Authorisation Code Grant flow of OAuth 2.0" (refer : documentation).

This option would be expensive and I recommend the first one.

Jose Francis
  • In Grant flow, should the client_credentials be username/ password or client ID / client secret, or anything like apikey ? – Homam Feb 15 '17 at 18:14
  • username/ password for Authorisation Code Grant flow and client ID / client secret for Client Credentials Grant flow. It is well explained in the RFC doc link mentioned in my answer. – Jose Francis Feb 16 '17 at 06:24
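The answer and its comments describe the Client Credentials Grant: the third-party application presents its client ID and client secret to a token endpoint and receives an access token, which the API then verifies; this is also the shape of the "endpoint that takes an API key and returns a security token" from the question, and of the shared-secret JWT idea in the question's comments. The following is an added example, not code from any answer or from an OAuth 2.0 library, of both halves of that exchange using only the standard library: a token endpoint that checks a hashed client secret in constant time and issues a short-lived HS256 JWT, and a resource-server check that pins the algorithm, verifies the signature, issuer, audience, expiry and scope. The client registry, issuer and audience URLs, signing key and scope names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed configuration (assumptions, not from the question or answers).
ISSUER = "https://auth.example.test"
AUDIENCE = "https://api.example.test"
TOKEN_TTL_SECONDS = 600
# Shared only between the token endpoint and the resource server.
SIGNING_KEY = b"demo-signing-key-replace-with-32-random-bytes"


def _hash_secret(secret, salt):
    """Client secrets are stored as PBKDF2 hashes, never in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Registered clients, as the management portal in the question would create them.
_SALT = b"demo-salt-per-client"
CLIENTS = {
    "partner-app-1": {
        "secret_hash": _hash_secret("partner-secret-1", _SALT),
        "salt": _SALT,
        "scopes": ["orders:read"],
    },
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input):
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_token(client_id, client_secret, now=None):
    """Token endpoint for grant_type=client_credentials: returns a JWT or None."""
    client = CLIENTS.get(client_id)
    if client is None:
        _hash_secret(client_secret, _SALT)   # keep timing similar for unknown ids
        return None
    presented = _hash_secret(client_secret, client["salt"])
    if not hmac.compare_digest(presented, client["secret_hash"]):
        return None
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": client_id, "aud": AUDIENCE,
        "iat": now, "exp": now + TOKEN_TTL_SECONDS,
        "scope": " ".join(client["scopes"]), "jti": secrets.token_hex(8),
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(_sign(signing_input.encode()))


def verify_token(token, required_scope=None, now=None):
    """Resource-server check: returns the claims dict if valid, else None."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:
        return None
    # Pin the algorithm: the header never chooses it (rejects alg=none).
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, _sign(f"{h64}.{c64}".encode())):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if required_scope and required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

Because the token is short-lived and carries the scopes assigned in the management portal, the API can authorize each call from the token alone, and revoking a partner only needs its client entry removed: it cannot obtain a new token, and its existing one expires within TOKEN_TTL_SECONDS.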
1

I would recommend having a separate Authentication Server, such that your Administration, Authentication and Authorization is kept separately from the Logic/UI.

A good practice is https://github.com/IdentityServer/IdentityServer3.