5

I have a REST API backend service A which is used by two other services:

  • B service, which is a web app running in a browser (separate node server)
  • C service, which is also a backend service (separate server too)

My initial approach was to use basic auth for A-B communication, but this does not make sense for A-C since there is no way to safely keep credentials in a browser. On the other hand, introducing sessions and tokens seems weird for A-B communication.

No matter what I do, it seems like a tug of war.

What do you think might be a reasonable solution for such a setup?

Jakub Dziworski
  • 394
  • 3
  • 10
  • I think you could try to use OAuth2 https://oauth.net/2/ authentication. In simple words: the authentication generates a token. This token can then be used by the clients to authenticate the user/client without passing around username and password. – code4fun Mar 07 '17 at 06:42

2 Answers

0

You need at least SSL for A-B, and only then can you judge whether basic auth works or not.

If C is going to use the same APIs as B then it makes sense to use the same authentication methods, just for simplicity, IMO.

You could also use a token based auth mechanism where each service (remote or local) authenticates and gets a token and uses that for subsequent communication.

See the following for more:

REST API Token based authentication

Community
  • 1
  • 1
darkstar
  • 157
  • 9
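The token-based mechanism described in this answer, worked through as an added example (this is not code from the answer or from any library it mentions): service A keeps a table of per-client secrets as salted PBKDF2 hashes, exchanges valid credentials for a short-lived HMAC-signed bearer token on a token endpoint, and checks that token on every subsequent request. The client ids, secrets and signing key are constructed for the demonstration; a real deployment would load them from a secret store and serve everything over TLS, as the answer says.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed signing key for the example only; in production this comes
# from a secret store, never from source code.
SERVER_KEY = b"example-signing-key-for-demo-only"


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked credential table does not expose secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


# Credentials A holds for each calling service (constructed sample data).
_SALT = os.urandom(16)
CLIENTS = {
    "service-b": (_SALT, _hash_secret("b-secret", _SALT)),
    "service-c": (_SALT, _hash_secret("c-secret", _SALT)),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    # Restore the padding stripped by _b64 before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(client_id: str, secret: str) -> bool:
    """Credential check A runs on its token endpoint (constant-time compare)."""
    entry = CLIENTS.get(client_id)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_secret(secret, salt), expected)


def issue_token(client_id: str, secret: str, now: int, ttl: int = 900) -> Optional[str]:
    """Exchange service credentials for a short-lived HMAC-signed token."""
    if not authenticate(client_id, secret):
        return None
    claims = {"sub": client_id, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the client id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    # Verify the signature before trusting anything inside the payload.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def handle_request(headers: dict, now: int) -> Tuple[int, str]:
    """Authorization check A applies to every protected endpoint."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    client = verify_token(auth[len("Bearer "):], now)
    if client is None:
        return 401, "invalid or expired token"
    return 200, f"hello {client}"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("service-c", "c-secret", now)
    print(handle_request({"Authorization": f"Bearer {token}"}, now))
    print(handle_request({"Authorization": f"Bearer {token}"}, now + 1000))
```

Both B and C use the same flow, which is the simplicity argument made above; the browser client holds only the short-lived token, not its long-term credentials, and a stolen token stops working when `exp` passes. The signing key never leaves A, so neither client can mint tokens for the other.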
0

You can refer to AWS API Gateway for clues on how to implement authentication for REST APIs. https://aws.amazon.com/api-gateway/faqs/#security

Summary:

  1. Access Token
  2. Custom Authentication
  3. Enable CORS
  4. Client side SSL certificate based authentication
Sunny Tambi
  • 2,393
  • 3
  • 23
  • 27