
I already Googled that, but I didn't find any answer that satisfies me, maybe because it's impossible.

I want to know if I can authenticate a website directly from JavaScript to a Symfony REST API. My goal is to create a script in JavaScript which makes AJAX requests to the API (the API accepts cross-origin requests) and gets some data in the response, but the website(s) needs to authenticate with the API to get this data.

I can certainly use JSON Web Tokens or OAuth to make the website authenticate as a user, but in this case I need to have some script on the server side of the website and call it from AJAX to get the website authenticated and return the token in the response. I don't want to store anything on the website, only put my script tag in the HTML, to facilitate the installation of the service (it's a widget) for webmasters.

I also know that I can do that with referrer authentication, but I will avoid that; everyone can change the referrer in the request headers. I can also put an API key in the link of the script <script src="mydomain.com/myjs.js?apikey=MY_API_KEY"> but everyone can access the API key and use it from everywhere.

Is there a way to do that safely?

Jason Aller
ggirodda
  • Why do you need code? It's just a question on how I can authenticate a website against a Symfony REST API without using a server-side script on the website side – ggirodda Aug 28 '17 at 14:37
  • Can you please upvote my question? I really don't know why you need code, I won't start to code if I don't know how to proceed – ggirodda Aug 28 '17 at 14:41
  • Why have authentication when it is just in a js script then anyone can just take whatever credential you have in the script using browser dev tools? Defeats the purpose. – Andrew Nolan Aug 28 '17 at 14:58
  • Because I want only authorized websites to get data from the API, not everyone – ggirodda Aug 28 '17 at 15:06
  • For now I use referer authentication directly in the Symfony listener, but it's cheap – ggirodda Aug 28 '17 at 15:08
  • I don't understand why so many downvotes. OK, my English is very bad, but I think that it's a normal question. Maybe I have to explain myself better? – ggirodda Aug 28 '17 at 15:14

1 Answer


After some research I think the only solution is what I have already done, API key plus referrer authentication:

How to keep API keys secret when using client side Javascript?

How does Google Maps secure their API Key? How to make something similar?

ggirodda
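The API key plus referrer check discussed in this thread, sketched as an added server-side example (not the poster's Symfony listener): each key is bound to the origins registered for it, and the request's Origin or Referer header is parsed and compared exactly. The registry, key names, domains and function names are constructed for illustration; the check only limits use of a key from pages running in a browser, since other clients can send any header value, as the question points out.

```javascript
// Constructed sample registry: API key -> origins allowed to use it.
// Keys and domains are placeholders, not values from the page.
const KEY_ORIGINS = new Map([
  ["MY_API_KEY", new Set(["https://shop.example"])],
  ["OTHER_KEY", new Set(["https://blog.example", "https://www.blog.example"])],
]);

// Reduce an Origin or Referer header value to scheme://host[:port].
// Returns null for missing, opaque ("null") or malformed values.
function headerOrigin(value) {
  if (!value) return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide whether a widget request may be served.
// headers: object with lower-cased header names (hypothetical request shape).
function authorizeWidgetRequest(apiKey, headers) {
  const allowed = KEY_ORIGINS.get(apiKey);
  if (!allowed) return { ok: false, reason: "unknown key" };
  // Prefer Origin (sent on cross-origin XHR/fetch); fall back to Referer.
  const origin =
    headerOrigin(headers["origin"]) || headerOrigin(headers["referer"]);
  if (!origin) return { ok: false, reason: "no origin" };
  // Exact match on the parsed origin, never a substring test on the raw
  // header, so "https://shop.example.evil.test" does not pass.
  if (!allowed.has(origin)) {
    return { ok: false, reason: "origin not registered" };
  }
  // Value to echo in Access-Control-Allow-Origin instead of "*".
  return { ok: true, corsOrigin: origin };
}
```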