Anup Marwadi

Reputation: 2577

REST API Public/Secure Architecture

I'm designing a REST API that will have certain areas that are available for Public consumption, while others will be available for Private use (mostly admins).

For example, the Public API would allow displaying a list of Products without requiring the end user to authenticate themselves. As such, it is the web application (or the phone app) that authenticates itself to the API.

Whereas an Admin should be able to login, obtain an OAuth token and then execute certain methods.

I've designed the API using Web API 2.0/C#; however, the principles remain the same. I'm currently using ASP.NET Identity and provide authenticated users with Access Tokens and Refresh Tokens so that they can execute such non-public calls. If they don't have a token, they can't access the API.

How would I do this at the Public API level? Obviously, I want to authenticate not the end user, but the actual app itself even though the calls are public so that some random John Doe cannot just make public GET calls.

I do realize that we have Client Id and App Secret. Is that how people usually authenticate public calls? I'm worried that passing the Client Id and Secret over and over again in each call kinda defeats the purpose.

Any pointers on this would be highly appreciated.

Upvotes: 1

Views: 1542

Answers (1)

Hamid

Reputation: 972

Please read this article about RESTful web api that meets best practices:

http://www.vinaysahni.com/best-practices-for-a-pragmatic-restful-api#requirements

Hope it helps.

But as I understand from your question, you should separate admin actions and user actions on the same model and make admin actions available only to the admin. Do not share important actions between the user and the admin.

Upvotes: 4
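The pattern the question is circling (the app authenticates itself once with its Client Id and Secret, gets a short-lived bearer token, and sends only that token on each public call) is the OAuth2 client credentials grant; the answer's point about keeping admin actions separate maps onto the scopes carried in the token. The following is an added example illustrating both, not code from the question, the answer, or ASP.NET Identity. It is a self-contained Python model of the token endpoint and the resource server's check; the signing key, the `CLIENTS`/`USERS` registries, the secrets, and the scope names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key (assumption for the demo; a real API
# loads it from a secret store and never hard-codes it).
SERVER_KEY = b"replace-me-with-32-random-bytes-from-a-key-store"

TOKEN_TTL_SECONDS = 3600  # short-lived; the app re-runs the grant to renew


def _hash_secret(secret: str) -> str:
    # Demo-only hashing; a real credential store uses a slow KDF
    # (PBKDF2, bcrypt, Argon2) rather than one round of SHA-256.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed registry of *applications* (OAuth2 clients). Secrets are stored
# hashed, and each entry lists the most a token for that app may ever carry:
# the web front end and phone app only get public read access.
CLIENTS = {
    "web-frontend": {"secret_hash": _hash_secret("demo-web-secret"),
                     "scopes": {"products:read"}},
    "phone-app": {"secret_hash": _hash_secret("demo-phone-secret"),
                  "scopes": {"products:read"}},
}

# Constructed registry of *humans*; only an admin account gets write scopes.
USERS = {
    "alice": {"password_hash": _hash_secret("correct horse"),
              "scopes": {"products:read", "products:write"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mint(subject: str, scopes: set, now: float) -> str:
    """Build a HMAC-SHA256 signed token: base64url(payload).base64url(mac)."""
    payload = {"sub": subject, "scope": sorted(scopes), "iat": int(now),
               "exp": int(now) + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(mac)


def issue_client_token(client_id, client_secret, now=None):
    """Client credentials grant: the app proves its identity once and gets a
    bearer token, so the secret is not resent on every public GET."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not hmac.compare_digest(client["secret_hash"], _hash_secret(client_secret)):
        return None
    return _mint("client:" + client_id, client["scopes"], now)


def issue_user_token(username, password, now=None):
    """Admin login: the resulting token carries the user's own scopes."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["password_hash"], _hash_secret(password)):
        return None
    return _mint("user:" + username, user["scopes"], now)


def verify_token(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64, bad JSON, or no "." separator
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, required_scope, now=None):
    """Resource-server check: public routes require products:read, admin
    routes require products:write; both go through the same bearer check."""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scope", [])
```

Two caveats a practitioner would want alongside this. First, the token does not leak the client secret the way repeating `client_id`/`client_secret` on every request would, and it can be revoked by rotating the secret or shortening the TTL. Second, a secret embedded in a phone app or browser bundle is a "public client" in OAuth2 terms: anyone who unpacks the app can extract it, so it only raises the bar against casual scraping; that is exactly why the app-level tokens above are limited to read-only scopes and why admin actions must require a token obtained by a human login, never by the app's own credentials.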
