
Secured API endpoints

I'm building an API that returns a QR code.

The API endpoint should get the following: email, client_id & client_secret.

My API should check the client id and secret, then encrypt the email (and more data) and then make a QR code from the encrypted token.

How can I secure this API so an attacker won't be able to send me a fake email?

I'm trying to understand how OAuth requests are secured against mitm attacks. When I read about it, it seems like my server needs to make an https request to the OAuth provider including this data.

I'm having a hard time understanding how an attacker won't see the client id and secret (even if the request is made through the consumer server).

Hoping for help, Thanks!

how OAuth requests are secured against mitm attacks.

To protect against MITM attacks when using OAuth2 you must use a TLS (https) connection.

How can I secure this API so an attacker won't be able to send me a fake email?

To avoid fake emails, you need to verify the address, e.g. by sending a mail with a one-time code that the user needs to interact with. E.g. OpenID Connect, an authentication standard based on OAuth2, has a special claim to inform whether the email is verified or not.

OpenID Connect already defines additional claims to inform the RP of the verification status of the phone_number and email claims.
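As an added example (not code from the question or the answer above), here is one way to implement the two checks the answer describes: a one-time code mailed to the address that the user must enter back, and, when the email comes from an OpenID Connect ID token, trusting it only if `email_verified` is boolean true. The `EmailVerifier` class, `email_is_trusted` function and the sample claims dict are my own assumptions; sending the mail and validating the ID token signature are outside the snippet. Only a keyed hash of the code is stored, codes expire, are single-use, and are invalidated after a few wrong guesses so a 6-digit code cannot be brute-forced.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # code is valid for 10 minutes
MAX_ATTEMPTS = 5         # wrong guesses before the code is discarded


class EmailVerifier:
    """Issue and check one-time verification codes for an email address.

    Hypothetical helper for illustration. The store keeps HMAC(code), not the
    code itself, so a leaked store does not yield usable codes.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                    # injectable clock (for tests)
        self._pending = {}                 # email -> (digest, expires_at, attempts)
        self.verified = set()              # addresses that completed the check

    def _digest(self, email: str, code: str) -> bytes:
        # Bind the code to the address so a code for one email cannot be
        # replayed for another.
        msg = email.lower().encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        # 6-digit code from a CSPRNG; this is the value you send by mail.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email.lower()] = (
            self._digest(email, code), self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, email: str, code: str) -> bool:
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[key]         # expired or brute-force attempt
            return False
        if hmac.compare_digest(digest, self._digest(email, code)):
            del self._pending[key]         # single-use
            self.verified.add(key)
            return True
        self._pending[key] = (digest, expires_at, attempts + 1)
        return False


def email_is_trusted(claims: dict) -> bool:
    """OIDC: use 'email' only when 'email_verified' is the boolean True.

    A string "true" or a missing claim must not count as verified.
    """
    return claims.get("email_verified") is True and bool(claims.get("email"))


if __name__ == "__main__":
    # Constructed sample ID token claims (already signature-checked upstream).
    claims = {"sub": "248289761001", "email": "alice@example.com",
              "email_verified": True}
    print("ID token email trusted:", email_is_trusted(claims))

    v = EmailVerifier(server_key=secrets.token_bytes(32))
    code = v.issue("alice@example.com")    # mail this code to the user
    print("wrong code accepted:", v.verify("alice@example.com", "000000")
          and code != "000000")
    print("right code accepted:", v.verify("alice@example.com", code))
    print("code reusable:", v.verify("alice@example.com", code))
```

Note that the code check alone only proves the caller can read that mailbox at that moment; the `client_id`/`client_secret` check from the question still applies on every request, and the verified address should be the one embedded in the token, not whatever the caller sends later.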
