My website has a RESTful API that requires authentication. When a user logs in to the website, HTTP Basic authentication (username and password) is performed, and an access token generated by the API is returned.
But recently I have implemented Steam login (yes, Steam can act as an OpenID provider). Everything is okay, but how can I authenticate the user on the API if no password is sent?
Upvotes: 6
Views: 1162
Reputation: 2166
So basically you want to make sure that the user is authenticated. Here Steam provides your server with a key (OpenID server) and your server has provided a key to the OpenID server. This is very similar to the tokens used against anti-forgery attacks. Steam provides your server with the user's identification and your server notes down the Steam server's location. Then the user is allowed to view your server's content. Steam surely uses an API, so if credentials are cached in the browser, it won't ask for them in the future.
Note: HTTP is stateless, so you have to use sessions to make sure that a user is still logged on.
Upvotes: 2
Reputation: 16375
You don't need a username and/or password to authenticate a user who logs into your site using an OpenID provider (Steam, in your case). What you need is to trust this OpenID provider.
This is a very good definition of OpenID by John Christopher Jones in a blog post:
OpenID is an authentication strategy where an unauthenticated user visits your site, then authenticates themselves by logging in to Google, Twitter, Facebook, Steam, or some other OpenID provider. Your server (the OpenID Relying Party) exchanges keys with the OpenID Provider (Google, et al.), then sends the user over to the OpenID Provider to log in.
After the user logs in with the OpenID Provider, the user is sent back to you with some information identifying who they are, signed by the key you exchanged with the OpenID Provider. You can trust their identity at this point and start "logging them in" to your own system based on their identity.
The image below shows the OpenID flow:
As you can see, after verifying the credentials, the OpenID Provider (Steam) will send the user back to your website, including credentials in the URL. With these credentials in hand, what you need to do is:
With this API token in hand, your client application can add the token to every request to your RESTful API, the same way an authenticated user with a username and password would. Note that your token generation strategy cannot depend on a username and password.
Upvotes: 2
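The answer above describes the relying-party side of the Steam OpenID 2.0 flow and then says to mint an API token that does not depend on a password. The following is an added example, not code from the question or either answer, showing what that looks like in practice: parse the callback Steam redirects the browser to, run the local checks that catch a forged or misdirected assertion (op_endpoint, return_to, claimed_id/identity agreement, signed-field coverage, SteamID shape), build the `check_authentication` request that the OpenID 2.0 spec (section 11.4.2) uses for direct verification, parse the Key-Value reply, and only then issue a random opaque bearer token keyed by the SteamID. The callback URL `https://example.com/auth/steam/callback`, the sample callback query, the SteamID in it and the fake OP replies are all constructed for the example; the network POST to Steam is left to the caller (`verify` argument) so the code runs offline.

```python
"""Added example: verifying a Steam OpenID 2.0 assertion and issuing an API token.
Not the original poster's code. RETURN_TO, SAMPLE_CALLBACK_QUERY and the SteamID
inside it are constructed for illustration."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
STEAM_ID_PREFIX = "https://steamcommunity.com/openid/id/"
RETURN_TO = "https://example.com/auth/steam/callback"   # assumed RP callback URL

REQUIRED = ("openid.ns", "openid.mode", "openid.op_endpoint", "openid.claimed_id",
            "openid.identity", "openid.return_to", "openid.response_nonce",
            "openid.assoc_handle", "openid.signed", "openid.sig")
MUST_BE_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                  "assoc_handle", "claimed_id", "identity")

# Constructed sample of what Steam appends to return_to after a successful login.
SAMPLE_CALLBACK_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin"
    "&openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197960265729"
    "&openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197960265729"
    "&openid.return_to=https%3A%2F%2Fexample.com%2Fauth%2Fsteam%2Fcallback"
    "&openid.response_nonce=2024-01-01T00%3A00%3A00ZabcDEF"
    "&openid.assoc_handle=1234567890"
    "&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle"
    "&openid.sig=c2lnbmF0dXJlLWJ5dGVz"
)


def parse_callback(query: str) -> dict:
    """Flatten the callback query string; duplicated or missing fields are rejected."""
    raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    params = {}
    for key, values in raw.items():
        if len(values) != 1:
            raise ValueError(f"duplicated parameter {key}")
        params[key] = values[0]
    missing = [k for k in REQUIRED if k not in params]
    if missing:
        raise ValueError(f"missing parameters {missing}")
    return params


def same_endpoint(a: str, b: str) -> bool:
    """Compare scheme, host and path; the RP may legitimately add its own query string."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.netloc, pa.path) == (pb.scheme, pb.netloc, pb.path)


def precheck(params: dict, return_to: str = RETURN_TO) -> str:
    """Local checks that need no round trip; returns the 64-bit SteamID as a string."""
    if params["openid.ns"] != OPENID_NS or params["openid.mode"] != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    if params["openid.op_endpoint"] != STEAM_OP_ENDPOINT:
        raise ValueError("assertion does not name Steam's OP endpoint")
    if not same_endpoint(params["openid.return_to"], return_to):
        raise ValueError("return_to does not match this callback")
    if params["openid.claimed_id"] != params["openid.identity"]:
        raise ValueError("claimed_id and identity disagree")
    signed = set(params["openid.signed"].split(","))
    unsigned = [f for f in MUST_BE_SIGNED if f not in signed]
    if unsigned:
        raise ValueError(f"fields not covered by the signature: {unsigned}")
    claimed = params["openid.claimed_id"]
    if not claimed.startswith(STEAM_ID_PREFIX):
        raise ValueError("claimed_id is not a steamcommunity.com identity URL")
    steam_id = claimed[len(STEAM_ID_PREFIX):]
    if not steam_id.isdigit() or int(steam_id) >= 2 ** 64:
        raise ValueError("claimed_id does not carry a 64-bit SteamID")
    return steam_id


def build_check_authentication(params: dict) -> str:
    """Body of the direct verification request (OpenID 2.0 section 11.4.2): echo every
    openid.* field with openid.mode replaced by check_authentication. The caller POSTs
    this to STEAM_OP_ENDPOINT over HTTPS; the network call is deliberately left out."""
    body = {k: v for k, v in params.items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"
    return urlencode(body)


def assertion_is_valid(kv_response: str) -> bool:
    """Parse the OP's Key-Value form reply (section 4.1.1); accept only is_valid:true."""
    fields = {}
    for line in kv_response.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        fields[key] = value
    return fields.get("ns") == OPENID_NS and fields.get("is_valid") == "true"


class ApiTokens:
    """Opaque bearer tokens keyed by SteamID. Nothing is derived from a password: the
    token is random, and only its hash is stored so a leaked table cannot be replayed."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._ttl, self._clock = ttl_seconds, clock
        self._by_hash = {}            # sha256(token) -> (steam_id, expiry)
        self._seen_nonces = set()     # replay guard for openid.response_nonce

    def issue(self, steam_id: str, response_nonce: str) -> str:
        if response_nonce in self._seen_nonces:
            raise ValueError("response_nonce already used (replayed assertion)")
        self._seen_nonces.add(response_nonce)
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = (steam_id, self._clock() + self._ttl)
        return token

    def subject(self, token: str):
        """SteamID that owns a presented token, or None if unknown or expired."""
        entry = self._by_hash.get(self._digest(token))
        if entry is None or entry[1] <= self._clock():
            return None
        return entry[0]

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def login_with_steam(query: str, tokens: ApiTokens, verify) -> str:
    """Whole RP-side flow: local checks, direct verification with the OP, token issue.
    `verify(body)` must POST `body` to STEAM_OP_ENDPOINT and return the raw KV reply."""
    params = parse_callback(query)
    steam_id = precheck(params)
    if not assertion_is_valid(verify(build_check_authentication(params))):
        raise PermissionError("Steam did not confirm the assertion")
    return tokens.issue(steam_id, params["openid.response_nonce"])
```

The token returned by `login_with_steam` is what the client sends on every later API request (for instance as a bearer token), and the server resolves it with `ApiTokens.subject`; the SteamID is the only identity the API ever learns, which is why the token generation cannot depend on a username and password. The replay guard on `response_nonce` matters because the callback URL, including the signature, is visible in browser history and proxy logs.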