How to design API to be used by untrusted 3rd party - web-services

Background
I need to design a WebService REST API. This web service will be consumed from a Web page and some mobile apps (android and iOS). I will call all of them 'apps'. Apps will be developed by third parties, outside of our company. Mobile Apps requires a logged in user to display content, so it's easier for me to handle content authorization of my web service.
Web page is a bit tricky because it must provide some functionality even for non logged users, (eg: list latests products, display product details and search products), so even to non-logged in users:
It must be able to request some data (mostly /products and /products/{id} ) from my web service.
It must be able to consume /search endpoint.
Real question
I will use OAuth2 to handle authorization. On mobile apps this is not a problem, they will not be able to access any content until they get authorized, so once authorized all API will be working.
But I'm totally lost on how to handle connection with web app.
Should I leave some URL non-authorized to allow web dispatch content to non logged in users?
Should I create a special user 'anonimous' with higher API usage rate limits and tell Web app to authorize as 'anonimous' until user has been logged in ?

Related

GCP Identity platform integration with golang backend

I am developing web platform which has to have 3 type of users (user, admin, partner companies). For the authentication I am considering to use google Identity platform with multitenancy (probably users in one tenant and admins are in different tenant).
As I understand from documentation, how do we integrate identity platform to our application is to create identity platform provider from console and integrate it into frontend with UI. From front-end, without contacting backend service we can sign up, login and logout by calling firebase SDK and it will give us authentication token. From backend I can check that token with middleware and decide if I agree the user as authenticated or not. Correct me if I am wrong.
Then I can get some metadata of authenticated user from the token, maybe email or name etc. But I want to store user related information on noSQL database as well. For example, if user wants to change his email I need to handle it in backend server, also, I'd like to store users log (access and audit log on somewhere else). In case of, I am using frontend UI and SDK how do log the access and audit information on my backend? also, when changing user's information, do I just write handler function in backend end update user's data with REST API or Admin SDK? what is the best practice over here? Or should I better write my own login and logout function on my backend then call REST API or Admin SDK? is there preferred way? Google is showing me only integration way of authentication from frontend?
BTW, I am deploying backend application on google cloud run, and frontend would be developed in react and should be deployed maybe in firebase or in cloud run as well.
Thanks
As per the Documentation,Yes your understanding is correct to integrate identity platform to the application.
You can store the user related information on a noSQL database like Firestore or Firebase Realtime Database. You can write the Rest API to change or update the user's information in the database.
If you want to write your own login and logout function, I don’t think it is necessary because Firebase Admin SDK provides these features. But if you want to manage user authentication in the backend for specific requirements, you can write your own login and logout function on the backend and use the Firebase Admin SDK.
For access and audit log information you can use Firebase Analytics, Firebase Analytics helps you understand what your users are doing in your app. It has all of the metrics that you’d expect in an app analytics tool combined with user properties like device type, app version, and OS version to give you insight into how users interact with your app.
But finally, the best way would depend on your requirements and use case.

When you use DRF(Server API) + React(public Web Client), how do you implement for OAuth2 social login?

I am developing Django(Server) with React(Web Client).
And I want to use facebook social login.
I knew that client is public client, server is confidential. So I want to use authentication code grant way for authenticating user.
So I find out the way but there is no way to implement that. All the python oauth2 library limplements is just for django server side rendering.(Django Server + Web client).
So I confused about I am wrong or just the others just did not make the grant way.
When you use DRF(Server API) + React(public Web Client),
how do you implement for OAuth2 social login?
I wonder that. please give me some advise to me.
Thanks.
Let's start from basics, people usually split frontend and backend to improve the production speed as frontend and backend can be developed by two separate teams. But in order for the frontend and backend to work together, there needs to be a connection interface, an API.
React is a frontend that runs in the browser, so in order to talk to the server, it uses a REST protocol.
As the backend in this scenario is Django we use DRF as React uses REST API. DRF provides easy flexible pre-built packages to carry out this communication job between server and client.
Now the authenticator for web login you choose to be Facebook hence you will get the identity token from facebook, which will correspond to the rows in the Django User table which will give you access to the user's data in Django.
You don't need to do everything at once, you need to first implement the Facebook social auth and after test(test using postman app) only think about connecting React
A good place to start is this DRF documentation, look into Social OAuth2
https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit

Authentication with website, mobile app, and webservice

I am creating a service that will include a website, a mobile app, and a web service.
Both the website and mobile app will talk to the web service to interact with the database and any other backend items.
I would like users to be able to log in with other services (such as google, facebook, twitter, etc.)
I have two questions in implementing this:
1.) Should I use OpenID or OAuth? I'm not sure which is better for the situation. I have no need to actually access features from a users account, I just want them to be able to log in with accounts they already have,
2.) Where should I implement the authentication? Do I have to implement it both on the website and on the mobile app, or could I have both talk to the web service and do the authentication there?
Thanks
If you are just doing authentication and not syncing any account details, I think OpenID is the way to go. From a security standpoint, I would say to implement your authentication on the website and on the app and not in the webservice. You want to handle credentials the least amount possible and especially avoid sending the credentials via webservice if not using SSL.

Desktop and Web application share Facebook Authentication

I am building an application that has a web front end and a desktop client application. The web front end allows users to login using Facebook. It exposes a web service to the Desktop application for uploading data. The web service needs to insure that the desktop application uploading data for a user is really from that user. I have already implemented Facebook login on both the client and web interface using the Graph API. How would I go about using Facebook to validate that the user using the desktop application is who they say they are? Also, how can I make it so the user can login once and not need to login again on the desktop application?
After much struggle I figured out that it's possible to receive a session key that does not expire. You can do this by requesting offline access to a user's profile. I stored this in the database on the web side and retrieved and stored it on the desktop side. The only problem is the session key technically can be viewed and used by someone other than the user to make requests. Any other suggestion would be appreciated.

Integrating authentication between a web app and desktop app

I want to upload a file to a website via a desktop app and then take the user to the website. The website has a web service, but requires authentication as does the web site. Is there a way to do this without forcing the user to authenticate twice (once in the desktop app and once in the web browser)?
Unfortunately, you can't prefill an input of type file for security reasons, which makes sense since the user won't want you uploading arbitrary files from his/her computer. But if they have a desktop app, is there some way around this?
Or maybe make the user log into the web app first and then the authentication cookie can be reused?
Any other ideas?
Thanks,
Ben
I would use the dekstop app as a client to the website app via an api.
So, login via the desktop app. The api returns a authentication token (as Carlos suggested) which might be a md5 hash stored in your database for a certain period of time, possibly matched to the clients ip address.
The desktop app can then make calls on the api (like uploading a file) as a authenticated user (by using the auth token).
When loading the website, perhaps the url is http://website/login/{auth_token} where the auth token is added to the url. The api can check to see if its a valid auth token and consider the user logged in.
You could generate an authentication token that could later be used on the website.
It all depends on the type of authentication of the service and the site. Is it integrated Kerberos, WS-Auth, is it Basic/Digest HTTP, is it forms/cookie ?
This answer will most likely not work in the very general users-on-the-wide-open-web scenario, but in intranet contexts, using Windows Authentication (on an ASP .Net solution), would provide this.