Friday, September 13, 2013

Assuming that the security provided by an OAuth implementation for REST APIs is a layer above the actual APIs for the various services, there should be no logic within an API implementation that checks the user or the client or their mapping to a token. That should be taken care of in the layer above, so that all API implementations except the OAuth ones themselves work for all callers. In such a case the APIs should be governed uniformly by this one security declaration. One way to implement that would be to declare an ActionFilterAttribute with which all APIs can be decorated. This provides a uniform security declaration.
The implementation of this ActionFilterAttribute can, for example, check the following:
1) validate the api key, i.e. that it belongs to a known set of registered clients
2) validate the access token by pulling up the corresponding userId, clientId and the mapping between them
These checks are applied at the controller level but can be expanded to private methods and extension methods.
The attribute itself may be packaged in a separate assembly, say OAuth2.Provider.web.dll, and made available via NuGet.
The checks for userId may already be available via API implementations that rely on aliases for the userId.
The checks for clientId and the token mapping require talking to OAuth providers, either local or remote, and hence they need additional configuration sections from which to retrieve these values.
The last check can be applied across all APIs, since the apiKey and accessToken are available to each of them.
The mapping for the tokens could be stored centrally in the same database as the user profiles, from where the userId is validated.
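As an added illustration of the filter described above (this is example code written for this post, not code from the OAuth2.Provider.web.dll assembly mentioned), here is an ASP.NET Web API ActionFilterAttribute that performs the two checks before any action runs: the api key must resolve to a registered client, the bearer token must resolve to a stored userId/clientId mapping that has not expired, and the token's clientId must match the client that presented the api key. The `IClientRegistry` and `ITokenStore` interfaces, the `TokenRecord` type, the `X-Api-Key` header name and the `OAuth.UserId`/`OAuth.ClientId` property keys are assumptions made for the example; a real deployment would back the two stores with the configuration sections and central database the post refers to.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Assumed lookup abstractions: the real stores talk to the local or remote OAuth provider.
public interface IClientRegistry
{
    // Returns the clientId registered for this api key, or null when the key is unknown.
    string FindClientIdByApiKey(string apiKey);
}

public interface ITokenStore
{
    // Returns the record an access token was issued against, or null when the token is unknown.
    TokenRecord Find(string accessToken);
}

public sealed class TokenRecord
{
    public string UserId { get; set; }
    public string ClientId { get; set; }
    public DateTime ExpiresUtc { get; set; }
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class OAuthAuthorizeAttribute : ActionFilterAttribute
{
    private readonly IClientRegistry _clients;
    private readonly ITokenStore _tokens;

    // Used when the attribute is registered globally or constructed by hand in tests.
    public OAuthAuthorizeAttribute(IClientRegistry clients, ITokenStore tokens)
    {
        _clients = clients;
        _tokens = tokens;
    }

    // Used when controllers are decorated with [OAuthAuthorize]: attribute arguments must be
    // constants, so the stores are resolved from the Web API dependency resolver instead.
    public OAuthAuthorizeAttribute()
        : this((IClientRegistry)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(IClientRegistry)),
               (ITokenStore)GlobalConfiguration.Configuration.DependencyResolver.GetService(typeof(ITokenStore)))
    {
    }

    public override void OnActionExecuting(HttpActionContext context)
    {
        HttpRequestMessage request = context.Request;

        // Check 1: the api key must belong to a registered client.
        string apiKey = FirstHeaderValue(request, "X-Api-Key");
        string clientId = string.IsNullOrEmpty(apiKey) ? null : _clients.FindClientIdByApiKey(apiKey);
        if (clientId == null)
        {
            Reject(context, "invalid_client");
            return;
        }

        // Check 2: the bearer token must map to a user and client, and must still be valid.
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
        {
            Reject(context, "invalid_token");
            return;
        }

        TokenRecord record = _tokens.Find(auth.Parameter);
        if (record == null || record.ExpiresUtc <= DateTime.UtcNow)
        {
            Reject(context, "invalid_token");
            return;
        }

        // The token must have been issued to the same client that presented the api key.
        if (!string.Equals(record.ClientId, clientId, StringComparison.Ordinal))
        {
            Reject(context, "invalid_token");
            return;
        }

        // Hand the validated identity to the action so it never repeats these checks itself.
        request.Properties["OAuth.UserId"] = record.UserId;
        request.Properties["OAuth.ClientId"] = record.ClientId;
    }

    private static string FirstHeaderValue(HttpRequestMessage request, string name)
    {
        IEnumerable<string> values;
        return request.Headers.TryGetValues(name, out values) ? values.FirstOrDefault() : null;
    }

    // A single 401 with a WWW-Authenticate challenge, as RFC 6750 prescribes for bearer tokens;
    // the error code is deliberately coarse so the response does not reveal which check failed.
    private static void Reject(HttpActionContext context, string error)
    {
        HttpResponseMessage response = context.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer", "error=\"" + error + "\""));
        context.Response = response;
    }
}
```

Register it once with `config.Filters.Add(new OAuthAuthorizeAttribute(clients, tokens))` in `WebApiConfig` to govern every controller, or decorate individual controllers with `[OAuthAuthorize]` and let the parameterless constructor resolve the stores. An action then reads `Request.Properties["OAuth.UserId"]` instead of re-validating anything. One caveat for Web API specifically: an `AuthorizationFilterAttribute` runs before model binding and before action filters, so for a production filter the same `OnActionExecuting` body is better placed in an `OnAuthorization` override on that base class; the checks themselves do not change.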
