
Our current RESTful API has a 2-step process of authenticating and authorizing a request:

1) We use JWT bearer token authentication (integrated with IdentityServer 3) and we have implemented custom authorization using the database. All this over HTTPS.

2) Next, we also have an IP address check, where we check the IP address of the incoming request and match it against a list of whitelisted IP addresses that we maintain.

Now, we are trying to get rid of the IP address way of doing the second level check and replace it with another way.

My question is: Is HMAC a good candidate for that second-level check? I am kind of hesitating, as we already have the token authentication in place, and so was not sure if an HMAC-based second-level check will add any value to this. Also, I was not sure how we can send both a token and an HMAC string as part of an Authentication header.

Can you also please let me know what some of the good substitutes for IP address validation are, as a second-level check, when we build a RESTful web API?

Thanks in advance!

-Ramp

  • Take a look at this spec's draft: https://github.com/w3c-dvcg/http-signatures/issues/1 – Wiktor Zychla Mar 26 '19 at 14:14
  • Thanks @WiktorZychla! I will go through it now. Appreciate your quick response. – Ram_P Mar 26 '19 at 14:16
  • I am still unable to comprehend that spec completely. I think I am missing something. – Ram_P Mar 26 '19 at 14:57
  • Randomly adding checks here and there won't provide any security. Read this question and the accepted answer to get an understanding of the possibilities: https://stackoverflow.com/q/54258233/1235935 – Saptarshi Basu Mar 26 '19 at 18:32
  • Thanks @SaptarshiBasu! Will go through the questions in a bit. – Ram_P Apr 01 '19 at 15:25

0 Answers