How to secure a web API with public key from unauthorized access?

Question

While understanding the nature of web API, Some questions regarding its safety were raised. What are the best practices to design web API such that only authorized user should be able to access it. I tried to check below options, but none was able to achieve perfect safety.

1) I cannot rely on request origin, referrer or user agent string since they can be easily spoofed.

2) Web API requires just a public key to access it so CSRF token is also not suitable to implement.

Is there any other way I can ensure request is coming from trusted source only?

My use case is I would like to implement client side API like google map, where any one who has purchased an access to API, will whitelist their website domain and can include my plugin on their website. Plugin will then make request to my API on behalf of user.

Is it a good idea, if I apply some request signature logic on web API so my server can validate the requester and reject the unauthorized origins. I assume I would have to keep my request signature logic secret and so I may need some obfuscation on code.

Answer 1

You do not mention anything about the usecase, especially if the client is a system or a person?

First off, security by obscurity is never a good choice. Second, it is considered bad practice to "create your own security system", it is much better to stand on the shoulders of others who has the knowledge and experience in security.

Without knowing the exact usercase, it is hard to come with a lot of suggestions... however, i'd suggest you look at at stuff like jwt tokens(i'm guessing that you have a person behind a webclient as the user of your webservice)... since you've tagged the question with asp.net-web-api i'd also suggest you have a look at https://identityserver.io project ... I've previously used IdentityServer4 with success in a large asp.net webapi project...