SRCM

Reputation: 271

REST - HTTPS is secure - why go for OAuth?

My app uses REST calls to fetch data from the server. To make the server calls secure, I googled and found out that OAuth is the best way to secure REST web services. But also it says that OAuth should be used with HTTPS.

If we are using HTTPS (which is a secure way to transmit data), why do we need to implement OAuth? Shouldn't HTTPS suffice?

Upvotes: 1

Views: 820

Answers (2)

Grokify

Reputation: 16334

A typical REST API needs the following capabilities:

  • Server Authentication - so the client requestor can verify the server. This is why browsers show a lock and display certificate information in the browser window.
  • Client Authentication - so the server can authenticate and identify the user to grant and limit access as appropriate.
  • Encryption - to protect the data from eavesdroppers.

While some simple APIs may not require client authentication, it provides two benefits that many REST APIs need:

  • Personalized and private data: if the user has an account on the system and needs privileges to their account, but not others, client authentication is necessary
  • Rate limits: even if there is no private data, services may want to differentially limit and/or charge for requests and a mechanism is needed to identify the user to limit and/or charge for access.

A typical REST API can support both Server Authentication and Encryption with HTTPS / TLS using a server TLS certificate.

HTTPS can support client authentication using a TLS client certificate; however, this is not commonly done. Some APIs, such as the Visa API, do this, which is described here:

OAuth is much more common for client authentication. OAuth further supports both 2-legged and 3-legged modes, the latter of which allows a separate service to perform the authentication. This is what enables login services such as those provided by Google and Facebook, so a site such as Stack Overflow can delegate authentication to Google and then, once the user's identity is verified, allow the user access to permitted resources.

Upvotes: 2

Kavindu Dodanduwa

Reputation: 13059

While Grokify's answer clarifies some information, I would like to mention a missing fact.

OAuth is based on tokens (e.g. access token, refresh token). Think of these tokens as a username/password equivalent. So if these tokens get stolen, they can be used to call your API to obtain data, or can be used for malicious activity until they expire. As you have figured out, TLS (HTTPS) protects data in transit. So when tokens are transmitted over such a secure channel, you avoid the tokens getting stolen. This is why TLS is a must for OAuth. OAuth leverages TLS to improve its security.

Upvotes: 1
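To tie the two answers together, here is an added example (not code from either answer) of the server-side checks a resource server performs on a bearer token: refuse the token over plaintext (the point of the second answer), then use the identity the token carries for scope and per-user rate limits (the point of the first). The token store, `RATE_LIMIT` and the `Request` shape are constructed assumptions; a real API would validate tokens issued by its authorization server.

```python
import hmc
```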

Related Questions