rest - Multiple authentication levels in a RESTful API -


Scenario

We are building a new RESTful API for our web application. The API will serve our mobile applications, our web application, and authorised customers.

We are using Apigility to build the API, making use of the OAuth2 implementation it provides.

Currently, our web application relies on a users table, with permissions assigned to each user. These users log in using a web form, a session is stored, and the appropriate permissions are checked upon access.

We want to be able to authenticate API access (such as our web app, and authorised customers), so that no unauthorised access to the API can happen. However, we also want to authorize permissions at the user level, therefore some sort of user authentication must happen as well.

Any authorised access to the API may use a different user, so relying on a single user per client will not work, since permissions are on a per-user basis. We do not want a user to be able to use the API without prior authentication, but we wanted to avoid adding every user as a client in OAuth2.

For example:

The web app is authenticated to the API, with 2 users using it:

userA has user management permissions

userB does not have user management permissions

Therefore, userA can POST /users and receive 200 OK, while userB should receive 403 Forbidden.

What we have tried

We have created an example application, and have set up authentication using OAuth2 for the high-level clients, and can make calls as expected. We have not been able to create an authorization model for our users based on this.

We thought about adding a custom HTTP header with a user token, provided after an authenticated call to /user/login. We are not sure if this is the correct method.

The question

How can we both authenticate the high-level clients (such as our web app, or authorised customers) and authorize access based on the user using the system?

You have a few options available to you:

Token-level permissions

You can provide different tokens for each user account, and tie permissions to the token. This runs the risk of the wrong tokens being mixed up with the wrong users. However, it has the advantage of not having to maintain a user<->token relationship, as permission is decided at the token level. How you decide which token to generate can be tricky.

User-level permissions

You can tie a user account to a token, and the user can be given read/write permissions. This reduces the risk of a user having the wrong token they're linked to. With this method, you can use the same method of token generation for all user accounts, and the token is ignorant of permission, but allows them to "access" the API (thus preventing unauthorised access).

I've deliberately avoided mentioning specific types of authentication tokens, as these 2 concepts can apply to any of the popular choices on the web (token-based, OAuth based).
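The "user-level permissions" model from the answer, applied to the question's POST /users example, as an added illustration that is not part of the original post or of Apigility: each token is tied to an OAuth2 client and to a user account, the token itself proves only that the client is authenticated, and the permission check reads the users table. The token store, clients, users and permission names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Token:
    client_id: str            # the high-level client (web app, customer) the token was issued to
    user_id: Optional[str]    # the end user acting through that client, if any
    expired: bool = False

# Constructed sample data standing in for the users table and the OAuth2 token store.
USERS = {
    "userA": {"users:manage"},
    "userB": set(),
}
TOKENS = {
    "tok-webapp-userA": Token("webapp", "userA"),
    "tok-webapp-userB": Token("webapp", "userB"),
    "tok-webapp-nouser": Token("webapp", None),
    "tok-stale": Token("webapp", "userA", expired=True),
}

# Permission each endpoint requires; endpoints not listed need only a valid token.
REQUIRED = {("POST", "/users"): "users:manage"}

def authorize(bearer: Optional[str], method: str, path: str) -> int:
    """Return the HTTP status the API should respond with for this request."""
    # Step 1: client authentication - the request must carry a live token.
    token = TOKENS.get(bearer) if bearer else None
    if token is None or token.expired:
        return 401
    needed = REQUIRED.get((method, path))
    if needed is None:
        return 200
    # Step 2: user-level authorization - the token must be bound to a user
    # whose permissions (looked up in the users table, not on the token) cover it.
    if token.user_id is None:
        return 403
    return 200 if needed in USERS.get(token.user_id, set()) else 403

if __name__ == "__main__":
    print(authorize("tok-webapp-userA", "POST", "/users"))   # 200
    print(authorize("tok-webapp-userB", "POST", "/users"))   # 403
    print(authorize(None, "GET", "/users"))                  # 401
```

A token without a bound user (the client alone) is deliberately refused on the permission-gated endpoint, which is what keeps a single shared client token from bypassing per-user checks.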
