We are building a large web api (200+ calls). After it got so big, we separated it out into multiple smaller api's. This made sense because we had multiple products that the customer might not have purchased.
So we now have an api per product, however, each api needs the same basic architecture - the connection to the database and all of the custom logic for authentication and retrieving tokens needs to be the same for every api. We do not want them to have to get a new token for each api.
We thought about a gateway api, but we are using swashbuckle\swagger and I don't see a way for that to work with the gateway.
The current plan is to make a token api that does all of the token and authentication. The user would call the token api to get a token, and then, when the user calls each of the product apis, those apis would then call the token api to validate the token. Is this good idea? I'm worried about performance of the api when calling another api. We have a mobile app that will be hitting these api's heavily, along with normal customer usage.
Related
I decided to try for the first time to implement a microservice architecture instead of a monolithic one and ran into an authorization problem.
In a monolithic architecture, I simply passed the token in the header when accessing the controller on which the [Authorize] attribute was hanging and checked it against the current single database. But in the microservice architecture, each microservice has its own database, how you can check the token when accessing other microservices, I have heard about the implementation of the check in API Gateway, but I think that, anyway, each microservice should have its own check, since, there should be no access to the api if the user is not authorized.
Should I use api gateway to make a request to the authorization microservice for verification?
How can I implement this?
I have a separate microservice for user authorization (registration, login, issue of tokens) which has a database of users with tokens.
That is, I need to make a request to this microservice using API Gateway?
One way -
You should try to do authentication/authorization at API Gateway level. Whenever any API call come to API Gateway that needs some permission then check the token. If the access/token is not present then return 401. On frontend, if you get 401 then do authentication at UI.
2nd Way -
UI pass token to API Gateway that will further send the token to other microservices.
It depends on, how grain level of permission do you need. If it is at very grain level, then go with 2nd else go with 1st.
I'm building a web API to allow some of our systems to raise incidents in our incident management system. I am fronting an AWS API Gateway for this purpose. I want to ensure the API calls are authenticated and require a valid IAM user. I am comfortable with C# / .NET Core, and have read up on using signature v4 to sign the requests. What I can't work out and need help with, is whether the client has to actually sign the requests themselves in the JSON payload being passed to the API Gateway, or whether they can pass the IAM access and secret key only, and then I do the coding to sign the request? I'm concerned that the third party systems won't have the developer knowledge required to sign the requests. They could pass in the IAM user and secret key easily enough, but not sure if they can actually do the signing themselves.
To give some background, bear with me,
We have an existing external OAuth service that is used for shared authentication across all of our apps. It has a login form that is used for user auth and provides JWTs for its APIs, which are called in the app I'm currently working on.
The app I'm working is using .NET Core 2.0 with a React front end. The server side is basically responsible managing the token for the external APIs, and providing 'proxy' APIs for the React client to call, which then in turn call the external APIs. Essentially the architecture is like any other standard Web API/MVC app, but instead of grabbing data from a database directly, it's just calling some other external APIs.
In the context for the .NET Core app, it is using JWT authentication for it's APIs. Once the user has authenticated with that external service, they will have a JWT for the external APIs (stored in session) and another JWT for the internal 'proxy' APIs (passed to the client in a cookie). So the client makes a call ("api/users"), that gets routed to my controller, authorized using JWT, that controller makes a call to some UserService, which uses the JWT stored in the session to make a call to the external API.
React client makes API call with token --> .NET Core API grabs JWT stored in session --> uses JWT to make call to external API
This all works fine, but now I'm running into some issues with refreshing the client JWT. I'm currently passing just the an access token to the client in a cookie, but I need to also pass a refresh token to the client so that it can grab a new access token when the expiration time has passed, which I'm not currently doing. I also need to somehow pass the expiration time of the token as well. Does it make sense to serialize all of this into a JSON object and pass that in a cookie? What would be a good way to get all of this to the client? I'm essentially trying to get to a point where the client will check, "Has my token expired yet?", if yes, use the refresh token to get a new one, if not, continue with the API call.
Sorry if all of this information is an overkill to a simple question, just trying to give some context.
If you are using Identity Server, you can check the refresh tokens here
I fear that the answer to this is that this is no longer supported, but I'm trying to find a way to use Application Only authentication against the LinkedIn API.
The application is running as a Hangfire job (and therefore, without user interaction), with a view to querying the LinkedIn API and pulling in some basic post information from my own account.
I'm having trouble finding a library or even a method to authenticate with the API with just my Client ID and Secret (for example) without having to redirect a user in order to get an access token.
Does anyone know if this is still possible?
I currently have a web api 2 project acting as my applications middle tier. I need to secure this project as well as provide an authentication service for my MVC project and potentially iOS and Android applications.
The web api business logic requires the checking of the user permissions/roles to ensure security, the mvc project requires the same functionally to ensure the request to the controllers are valid. How do I do this using Asp.net Identity or some other means? Are there any reference projects for this sort of thing?
Some good info here:
http://www.asp.net/web-api/overview/security/authentication-filters
Another way I've seen it done is have a separate API to generate access tokens for a 'transaction' using whatever credentials you want to use...but usually done via https! This token is then passed by the client to the business layer API as a parameter. Various checks can be carried out on the token e.g. Same client that requested token? Token expired? Token already used? Etc
Let me know how you got on.
Thanks.
UPDATE
Web API Security with local accounts:
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api