Reputation: 19294
I'm working on creating an app using AngularJS and Node.js (hapijs specifically).
I'm trying to determine a good authentication and authorization strategy for a RESTful type of architecture like this.
I've spent a lot of time reading the net about this and I came up with a diagram of what I'm proposing to do for my app. I'm wondering if there are any glaringly obvious holes in this model or what I could do to make it even more secure.
This is assuming all traffic is running over SSL. I also can't use SAML or OAuth or anything like that at the moment because this is for an internal application.
Upvotes: 0
Views: 584
Reputation: 9446
What are you using for the service side here? Is this all directly in MongoDB? If not, your application layer almost definitely has better session management than you will be able to write. I would highly recommend you investigate what your platform provides out of the box before you try and write your own.
Upvotes: 0
Reputation: 29073
On the second diagram, use 403 for the authorization error and 401 for unauthenticated - that way the client can know which code path to take in handling the error.
It's not clear what the first diagram is showing - if that's the browser requesting the HTML page, you need to return a redirect rather than a 401... the browser won't know what to do with 401. If that's a call to some /login API, it's fine.
Upvotes: 2
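The 401 / 403 / redirect distinction from the answer above, as an added, framework-agnostic example (not code from the question, the answers, or hapi itself). The request shape, the `/login` page route, the `/api/` prefix and the session/role model are assumptions made for illustration.

```javascript
// Added example: decide how an authenticated-route handler should respond.
// Request shape (assumed, not hapi's): { path, acceptsHtml, session, requiredRole }
//   session      -> null when no valid session was presented, otherwise
//                   { user: string, roles: string[] }
//   acceptsHtml  -> true when the client is a browser navigating to a page
//   requiredRole -> role needed for this resource, or null if any user may see it

const LOGIN_PAGE = '/login';   // assumed route serving the login HTML page
const API_PREFIX = '/api/';    // assumed prefix for JSON API routes

function authorize(req) {
  const isApi = req.path.startsWith(API_PREFIX);

  // 1. Unauthenticated: identity unknown.
  if (!req.session) {
    // A browser fetching an HTML page cannot do anything useful with a bare
    // 401, so it is redirected to the login page. API clients get 401 so
    // they know to (re)authenticate instead of showing a "forbidden" error.
    if (!isApi && req.acceptsHtml) {
      return { status: 302, headers: { Location: LOGIN_PAGE } };
    }
    // RFC 7235: a 401 must carry a WWW-Authenticate challenge. The scheme
    // name here is an assumption about how the API's tokens are presented.
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' } };
  }

  // 2. Authenticated but not permitted: the identity is known and simply
  //    lacks the role, so the answer is 403, never 401 (logging in again as
  //    the same user would not change the outcome).
  if (req.requiredRole && !req.session.roles.includes(req.requiredRole)) {
    return { status: 403, headers: {} };
  }

  // 3. Authenticated and authorized: let the route handler proceed.
  return { status: 200, headers: {} };
}

// Constructed sample requests showing each code path.
const samples = [
  { path: '/dashboard',   acceptsHtml: true,  session: null, requiredRole: null },
  { path: '/api/reports', acceptsHtml: false, session: null, requiredRole: 'reader' },
  { path: '/api/reports', acceptsHtml: false, session: { user: 'alice', roles: ['reader'] }, requiredRole: 'admin' },
  { path: '/api/reports', acceptsHtml: false, session: { user: 'alice', roles: ['reader'] }, requiredRole: 'reader' },
];
for (const s of samples) console.log(s.path, '->', authorize(s).status);
```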