stackoom
  简体   繁体   中英

How do I secure an API that is used in a JavaScript/Ajax client [apigee]?

 原文  2013-11-15 16:30:14       javascript/ ajax/ oauth-2.0/ apigee

Question

I am using Apigee as a proxy for a private REST API which allows basic CRUD operations on my database. The front end developer wants to call my API directly from JavaScript/Ajax so I can't use a basic API Key authentication because anyone could view the source of the JS and invoke potentially destructive methods on my API (I'm a away of origin policies in browsers but that wouldn't prevent someone doing a curl and invoking my API outside of the browser).

What is the best approach? Can the UI developer use OAUTH in some way to obtain an access token for each session once the user is authenticated and use that in his Ajax calls? But even then, couldn't that user view the JS source and do something nasty via curl?

Thanks in advance!

2 answers

solution1
 1  2013-11-15 19:31:27

OAuth v2 should solve your problem. There are multiple articles and resources on the Apigee web site which discuss when it is best to use OAuth v1 vs. OAuth v2. http://apigee.com/docs/content/apigee-oauth-frequently-asked-questions , a three legged OAuth strategy may work best for you: http://apigee.com/docs/gateway-services/content/oauth . There is an example of that on the Apigee web site.

solution2
 0  2013-11-15 16:38:44

So you want to authorize a visitor to your 3rd party site, and make sure they can't do anything abusive?

There is no security model for this. Once you authorize the user/session/browser it's free game, he can do whatever he wants.

So take a step back here, what abuse to do you want to prevent? Maybe you want to prevent unknown 3rd parties from using your service. In that case you can set up API key authentication underwater which gives you a temporary session key.

There are 3 parties. The user (u), the 3rd party (3) that uses your API, and you (y).

  • u requests a session key from 3
  • 3 does an underwater request to y with his API key
  • y verifies the API key and sends back a session key to 3
  • 3 hands the session key to u
  • u does the service request to y

If 3 can never obtain a session key your service is safe against unknown 3rd parties.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question In Apigee, how to assign a value to a variable in Javascript to be used by the Statistics Collector policy? Instantiate Apigee.Client With JavaScript How do I replace json property value in multiple places using JavaScript in Apigee How do I use AngularJS with Google API JavaScript Client? How do I get the data from API using Javascript and Ajax? How to secure an API used only from front-end (Ajax call) APIGEE client.loginFacebook how to overwrite userid generated by apigee How do I call 2 endpoints with one proxy in Apigee? How do i secure a REST API with google authentication How do I secure an AWS API Gateway with Cognito?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM