Heinrich

Reputation: 1761

Restrict API Usage

I want to put a restriction on my API so only registered users can use it on their websites. The javascript will be used on their website by pasting it into their html. Right now I use a token for each user but it's visible to the public on their site so anyone could copy it. It tracks usage but doesn't restrict it to only their site.

My first thought was to get the HTTP_REFERER variable from the http headers on the server and make sure it's from the domain registered by the user. This won't work because HTTP_REFERER can be blank or changed.

My second thought was to use JavaScript in the pasted script to get the document.location and pass that back to the server. That can also be tampered with so it is unreliable.

I'm looking at OAUTH2 now as a solution. I don't know much about it besides it's used for SSO. Looking at this JS OAUTH2 Lib too: https://github.com/andreassolberg/jso Could they be used for what I need to do?

One requirement is that the script is pasted into the HTML. There shouldn't be any other configuration on their site that needs to be done.

What other solutions are there for this?

Upvotes: 0

Views: 66

Answers (1)

Arturo Soto

Reputation: 199

There shouldn't be any other configuration on their site that needs to be done other than pasting your javascript ?

Well, then probably OAUTH2 is not what you are looking for, OAUTH adds the concept of an authorization server to your web API and the complexity increases.

http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

if you are not looking to authorize users but just identify domains that can consume your api from javascript, enable cors and add an attribute to specify which origins are allowed to access the resource. Example:

http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

Thanks.

Upvotes: 3
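The origin check the answer describes, written out as an added example in Python rather than the ASP.NET attribute the linked article uses (this is not code from the question, the answer, or ASP.NET). The `REGISTERED_ORIGINS` registry, the token names and the origins in it are constructed sample data. The point it demonstrates is the part that usually goes wrong when people hand-roll CORS: the `Origin` header must be matched exactly against the registered origins (scheme, host and port) rather than by substring, and the matching origin is echoed back instead of `*`.

```python
from urllib.parse import urlsplit

# Constructed sample registry (hypothetical): API token -> origins the user registered.
# In a real deployment this would come from the user database.
REGISTERED_ORIGINS = {
    "tok_alice": {"https://alice.example", "https://www.alice.example"},
    "tok_bob": {"http://bob.example:8080"},
}


def normalize_origin(origin):
    """Reduce an Origin header value to lowercase scheme://host[:port].

    Returns None for a missing, "null" or malformed origin so that such
    requests are refused rather than accidentally matched.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an Origin never carries a path; anything else is suspect
    host = parts.hostname.lower()
    default_port = 80 if parts.scheme == "http" else 443
    if port and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(token, origin_header, registry=REGISTERED_ORIGINS):
    """Return the CORS response headers for an allowed request, or None to refuse it.

    Exact-match comparison means "https://alice.example.attacker.test" does
    not match "https://alice.example", which a substring or startswith check
    would let through.
    """
    allowed = {normalize_origin(o) for o in registry.get(token, ())} - {None}
    origin = normalize_origin(origin_header)
    if origin is None or origin not in allowed:
        return None
    return {
        # Echo the single matching origin; "*" would let every site call the API.
        "Access-Control-Allow-Origin": origin,
        # Stop a shared cache from replaying one origin's answer to another.
        "Vary": "Origin",
    }


def handle_request(token, origin_header, registry=REGISTERED_ORIGINS):
    """Tiny dispatcher: (status, headers) as a framework handler would return them."""
    headers = cors_headers(token, origin_header, registry)
    if headers is None:
        return 403, {}
    return 200, headers


if __name__ == "__main__":
    print(handle_request("tok_alice", "https://alice.example"))
    print(handle_request("tok_alice", "https://alice.example.attacker.test"))
```

Two caveats on what this buys you. The browser sets `Origin` itself and page scripts cannot change it, so for traffic that really comes from a browser it is a much stronger signal than `Referer` or a `document.location` value reported by the pasted script. It is still only a browser-enforced fence: any non-browser client can send whatever `Origin` it likes, so the per-user token remains the thing that accounts for usage, and CORS only decides which sites' pages may consume the API from a browser.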
