r3plica

Reputation: 13367

web api authentication and ssl

I have developed a Web API project which has a token endpoint set up. I want to set up another site that calls this API so I have created this JavaScript function:

// OAuth2 resource-owner password grant against the Web API token endpoint
$.ajax({
    url: "http://path.to.site/token",
    type: "POST",                    // token endpoints expect a POST with a form-encoded body, not the jQuery default GET
    data: {
        grant_type: "password",
        userName: "user",
        password: "password"
    }
}).done(function (data) {
    console.log(data);               // response carries access_token, token_type, expires_in
}).fail(function (error) {           // was "errror", so the handler logged an undefined name
    console.log(error);
});

Even with SSL enabled on both sites, if a user were to view the source of this site then they would be able to see the username and password. If I got the access token using server side code (PHP, .net or whatever) I would still have to pass the access token to the JavaScript API calls and again that would be readable.

I feel like I am missing something here, can someone explain to me what it is? :D

Upvotes: 1

Views: 85

Answers (1)

Tom Abbott

Reputation: 501

What you could do is use your server to generate a JWT when it generates your site.

In your JWT you could embed some claims about your site, and then pass the JWT as a bearer token from the client to your API. Your API would use a shared secret (that only your site and API know about) to generate the JWT signature to make sure it is tamper proof while on the client. Using common JWT features such as exp, iat, and jti, you can secure this information even further.

I hope this helps. I work for a company, Stormpath, which helps with these types of problems (API Authentication, User Management).

Upvotes: 1
