Reputation: 1297
So I am creating multiple REST APIs and I want a single auth server (API) for all these services to avoid creating multiple logins on every new app.
What technology would be the best for this? An OAuth server?
I would also like it to be able to separate users based on the API and share if I want. But always have that single auth server doing its thing so I don't have to create separate login systems every time.
I also need "non user input" access for machines that use API keys to get data. But I guess the user would only need an interface to generate the first consumer keys and then use it in their app. Basically a token without expiration?
The flow I envision is something like:
Is this a good approach?
On top of this, I need my actual websites that consume the APIs (without user login/interaction except browsing) to access the API somehow. Can OAuth still do this? How do I authenticate my own public apps/websites on the API? Should I pre-create OAuth access tokens without expiry dates?
I do NOT intend users to log in with Facebook, Google accounts etc. I just want the global login for my company users on multiple services and logins for API consumers stored in a single place.
OAuth, SSO/CAS?
Upvotes: 3
Views: 2280
Reputation: 119
You can use OAuth 2.0. Its main idea is exactly what you need. Your users will pass their username and password once, then your API consumer app will obtain an access token (type=password) from the Authorization Server. All subsequent calls to your API will use access tokens.

You can register different API consumer apps with different client credentials. These client credentials should be used each time a user access token is generated, i.e. the generated user access token will be issued for a specific API consumer app. Also, your API consumer app can obtain access tokens (type=client_credentials) in order to use some part of your API that is not related to a specific user.

Every API consumer app may have different scopes that are bound to different parts of your API. In other words, the scope defines what part of your API is available to an API consumer app.

About token expiration, you can use a longer time for your API consumer app access tokens and the refresh token mechanism for user access tokens. For additional details, take a look at the OAuth 2.0 specification - https://www.rfc-editor.org/rfc/rfc6749.
Upvotes: 2
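As an added illustration of the grants the answer above describes (not code from the answer or from any OAuth library), here is a minimal in-memory token endpoint with a matching resource-server check: each token is bound to a registered app, scopes cannot exceed what the app was registered with, user tokens are short-lived and renewed with single-use refresh tokens, and app tokens live longer. Client names, secrets, the user record, the TTL values and the PBKDF2 password hashing are constructed assumptions.

```python
import hashlib, hmac, secrets, time

CLIENTS = {   # constructed sample apps: each has its own credentials and allowed scopes
    "reports-web": {"secret": "web-secret",   "scopes": {"reports:read", "profile:read"}},
    "batch-job":   {"secret": "batch-secret", "scopes": {"reports:read"}},
}
def _pw_hash(pw, salt=b"constructed-salt"):   # assumption: PBKDF2 stands in for a real password store
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
USERS = {"alice": _pw_hash("correct horse")}  # constructed sample user
USER_TTL, CLIENT_TTL = 900, 3600   # short user tokens (refreshable), longer app tokens
TOKENS, REFRESH = {}, {}           # access_token -> metadata, refresh_token -> metadata

def _issue(client_id, user, scopes, ttl, now):
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"client": client_id, "user": user, "scopes": scopes, "exp": now + ttl}
    return tok

def _user_grant(client_id, user, scopes, now):
    tok = _issue(client_id, user, scopes, USER_TTL, now)
    rt = secrets.token_urlsafe(32)
    REFRESH[rt] = {"client": client_id, "user": user, "scopes": scopes}
    return {"access_token": tok, "refresh_token": rt, "token_type": "bearer", "expires_in": USER_TTL}

def token_endpoint(p, now=None):
    # Minimal RFC 6749 token endpoint: password, client_credentials and refresh_token grants.
    now = time.time() if now is None else now
    client = CLIENTS.get(p.get("client_id"))
    if client is None or not hmac.compare_digest(client["secret"], p.get("client_secret", "")):
        return {"error": "invalid_client"}      # every grant is tied to a registered app
    scopes = set(p.get("scope", "").split()) or set(client["scopes"])
    if not scopes <= client["scopes"]:
        return {"error": "invalid_scope"}       # an app cannot ask for more than it was registered with
    grant = p.get("grant_type")
    if grant == "client_credentials":           # machine access, no user involved
        return {"access_token": _issue(p["client_id"], None, scopes, CLIENT_TTL, now),
                "token_type": "bearer", "expires_in": CLIENT_TTL}
    if grant == "password":                     # user logs in once through this app
        if not hmac.compare_digest(USERS.get(p.get("username"), b""), _pw_hash(p.get("password", ""))):
            return {"error": "invalid_grant"}
        return _user_grant(p["client_id"], p["username"], scopes, now)
    if grant == "refresh_token":                # single-use: the old refresh token is consumed here
        rec = REFRESH.pop(p.get("refresh_token"), None)
        if rec is None or rec["client"] != p["client_id"] or not scopes <= rec["scopes"]:
            return {"error": "invalid_grant"}   # refresh token must belong to the same app
        return _user_grant(p["client_id"], rec["user"], scopes, now)
    return {"error": "unsupported_grant_type"}

def authorize(token, required_scope, now=None):
    # Resource-server check: token known, not expired, and carrying the required scope.
    now = time.time() if now is None else now
    meta = TOKENS.get(token)
    return meta if meta and meta["exp"] > now and required_scope in meta["scopes"] else None
```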
Reputation: 13682
SSO/CAS is overkill unless you want to federate with other Identity Providers and/or Service Providers. OAuth can handle what you've described.
Upvotes: 0