API registration and authentication service

Question

I'm working on an API registration and authentication service application using python. Developers will be able to register their application (domain name of the application) and a random API key will be generated for the registered application.

Next, the registered application will send the API key to the API service with each API request. API server will authenticate the domain of the incoming request with the passed API key to confirm that the request is valid. I'm using Forwarded Host to validated the domain name of the API request, however it doesn't work as in some cases (when the opened page is the first page), Forward Host comes blank.

Are there a better approach to authenticate the request or any changes required in the API registration process to reliably authenticate the request? Some pointers will be helpful.

Answer 1

Using Authorization proxy

Samples are "3scale.net", offering free tier, other commercial solutions exist too.

Open source solution I am aware of is ApiAxle , which is much simpler, but still very useful.

The proxy takes care of managing access keys and forwards request back to real application only in case, it is really to be served.

Using Authorization service

Another solution is to have some internal service evaluating set of client provided keys (providerid, appid, accesskey, ...) are authrized or not. For this purpose, you have to:

• set up authorization service
• modify your code by adding 2-3 lines at the top of each call calling the authentication service.

Sample code for 3scale is here: https://github.com/3scale/3scale_ws_api_for_python

Conclusions

• Authentication proxy makes the application simple and not bothering about who is asking. This can be advantage until your application needs to know who is asking.
• Authentication service requires changing your code.