
I'm pretty new to REST security and am trying to build an AngularJS (Angular 1) app that integrates against a RESTful web service as its backend. This web service will be how the app (frontend) fetches and writes all data.

The app will initially be the REST service's only client, but eventually I'd like to open the service up as an exposed public API, not only used/consumed by my Angular app.

I'm trying to figure out how to build an authentication/authorization solution for my REST service and there are a few things I'm unclear on. I want both the Angular app and its backing REST service to have their own authentication/authorization models (I think -- I can be talked out of this).

  • Does the Angular app ship with its own "service user" and credentials for integrating with the REST service? Something like username of myapp-client with its own password?; or
  • Does the Angular app "forward" user's credentials onto the REST service?

In the first case, like I said the Angular app might ship with credentials hardcoded into it for integrating with and connecting to the REST service (again as an example: username: myapp-client, password: 12345). I think this is simplest but then (very likely) exposes these hardcoded credentials in the browser/frontend code and then any script kiddie under the sun has the username + password to access my entire REST API.

In the latter case, I think the Angular app has to act as some kind of middleman where the user:

  1. Is anonymous and gets routed to the login screen
  2. Enters their own credentials (username: smeeb, password: 23456)
  3. Authenticates (somehow both with the app as well as the backend)
  4. Obtains some kind of bearer/JWT/etc. token and then all subsequent HTTP requests to the Angular app use this valid token (but again the app is just acting -- somehow -- as the middleman between the browser where the token is stored and the REST service)

I guess I'm looking for confirmation that my suspicions about the former solution (1 service user that the app uses to integrate with the backend) exposing credentials in the browser and that the latter solution is the way to go. Also looking for confirmation as to whether JWT is a way to implement the latter solution or if I need to go with OAuthv2 or something else.

smeeb

1 Answer


When you need to authenticate an Angular app over a REST API, the steps are as follows.

  1. User enters the username/password to the Angular app
  2. Angular App sends those data to the REST API
  3. If the credentials are correct, REST API returns a JWT to the Angular app.
  4. For each subsequent request to the REST API which requires authentication, Angular app passes the JWT with the request.
Ishan Thilina Somasiri
  • Thanks @Ishan (+1) - should the Angular app hit a "logout endpoint" on the REST API when the user goes to log out of the app, or is it sufficient to let the JWT expire on the server-side? – smeeb Dec 30 '17 at 04:29
  • That question has already been answered at https://stackoverflow.com/a/23089839/1281089 . According to it, you can either simply remove the token from the client, create a token blacklist, or just keep token expiry times short and rotate them often – Ishan Thilina Somasiri Dec 30 '17 at 04:54