Ketan

Reputation: 413

Authentication for a publicly exposed REST endpoint

I am creating a REST service which would be public facing (behind AWS API Gateway) and to be accessed from our web app from the browser. This service would accept and process sensitive user data, so we need authentication on the endpoint.

I thought about using OAuth but it could mean exposing client secret, client Id to the browser, which we want to avoid.

Also, ours is a legacy web application which uses simple form authentication and we don’t intend to change it for this requirement. So we don’t have the option of integrating OAuth with our login process and using the login user token for our purpose.

Can someone please suggest good ways of authenticating the service in this scenario?

Upvotes: 1

Views: 571

Answers (3)

Gary Archer

Reputation: 29208

My preference is Dominic's option 1 above, to get the new component - the REST API - future facing:

  • Web back end uses client credentials grant to get an access token from Cognito

  • Web back end needs to send the token to the API - along with an additional parameter to identify the end user

  • API security model is to validate Cognito access tokens and identify the user

Cognito is a new component to understand and look after though - so depends if this fits with your company's longer term strategy.

Can advise on the tech integration if you decide on this approach.

Upvotes: 2

Dominic Panarello

Reputation: 153

You are already aware of the fundamental security problem in your scenario - a client-side app will expose secrets when it connects to an external secure service. There is currently no strategic way to authenticate securely in the public domain (a user's browser) to a private service.

Your options are as follows:

  • Implement a secure delegate endpoint into your legacy webapp to invoke your secure requests for data, which acts as a delegate to the AWS API gateway. client side UI -> server side app endpoint -> AWS API gateway

  • Deploy your legacy webapp and a new REST app together on the same application server infrastructure, whereby they are sharing the authenticated session

Upvotes: 2

asolanki

Reputation: 1373

If you already have a form-based login, you can use the same username/password-based basic authentication for your REST endpoint. See the sample below to configure it:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception
    {
        // Every request, including the REST endpoint, must be authenticated
        httpSecurity.authorizeRequests().anyRequest().authenticated();
        // Browser users keep the existing form login
        httpSecurity.formLogin().loginPage("/login").permitAll();
        // The REST endpoint accepts the same username/password as HTTP Basic credentials
        httpSecurity.httpBasic();
        // logoutUrl is the endpoint that performs the logout; logoutSuccessUrl is the redirect afterwards
        httpSecurity.logout().logoutUrl("/logout").logoutSuccessUrl("/logout-success");
    }
}

Upvotes: 0
