简体繁体中英

rest api for 3rd party customers (AAA)

原文 2013-02-01 15:56:13 2 1 json/ api/ rest/ authentication/ oauth

I am currently working on a REST/JSON API that has to provide some services through remote websites. I do not know the end-customers of these websites and they would/should not have an account on the API server. The only accounts existent on the API server would be the accounts identifying the websites. Since this is all RESTful and therefore all communication would be between end-user browser (through javascript/JSON) and my REST API service, how can I make sure that the system won't be abused by 3rd parties interested in increasing the middleman's bill? (where the middleman is the owner of the website reselling my services). What authentication methods would you recommend that would work and would prevent users from just taking the js code from the website and call it 1000000 times just to bankrupt the website owner? I was thinking of using the HTTP_REFERER , and translate that to IP address (to find out which server is hosting the code, and authenticate based on this IP), but I presume the HTTP_REFERER can easily be spoofed. I'm not looking for my customer's end customers to register on the API server, this would defeat the purpose of this API.

Some ideas please?

Thanks, Dan

1 answers

This might not be an option for you, but what I've done before in this case is to make a proxy on top of the REST calls. The website calls its own internal service and then that service calls your REST calls. The advantage is that, like you said, no one can hit your REST calls directly or try to spoof calls.

Failing that, you could implement an authentication scheme like HMAC ( http://en.wikipedia.org/wiki/Hash-based_message_authentication_code ). I've seen a lot of APIs use this.

Using HMAC-SHA1 for API authentication - how to store the client password securely?

Here is what Java code might look like to authenticate: http://support.ooyala.com/developers/documentation/api/signature_java.html

Either way I think you'll have to do some work server side. Otherwise people might be able to reverse engineer the API if everything is purely client side.

creating 3rd party API with PHP and JSON

How to use Twitter REST API 1.1 with OAuth Authentication without any 3rd party libraries in Windows Phone

Using Apache Nifi to collect files from 3rd party Rest APi - Flow advice

Converting circular structure to JSON - 3rd party API

How to include 3rd party API in MVC 5 - Riot Games

Accessing a 3rd party API JSON object in ruby

rails no bitesize error to 3rd party API response

Implement 3rd party Web Service API as 'Pages' in Wordpress

Serialize the data from 3rd party API in javascript/jQuery

Using the JSON response from 3rd party api with geodjango

暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question creating 3rd party API with PHP and JSON How to use Twitter REST API 1.1 with OAuth Authentication without any 3rd party libraries in Windows Phone Using Apache Nifi to collect files from 3rd party Rest APi - Flow advice Converting circular structure to JSON - 3rd party API How to include 3rd party API in MVC 5 - Riot Games Accessing a 3rd party API JSON object in ruby rails no bitesize error to 3rd party API response Implement 3rd party Web Service API as 'Pages' in Wordpress Serialize the data from 3rd party API in javascript/jQuery Using the JSON response from 3rd party api with geodjango

Related Tags

rest api for 3rd party customers (AAA)

Question

1 answers

solution1 0 2013-02-01 19:53:15

solution1
0 2013-02-01 19:53:15