How to secure RESTful web services?

web-services security rest oauth restful-authentication
111,486

Solution 1

There's another, very secure method. It's client certificates. Know how servers present an SSL Cert when you contact them on https? Well servers can request a cert from a client so they know the client is who they say they are. Clients generate certs and give them to you over a secure channel (like coming into your office with a USB key - preferably a non-trojaned USB key).

You load the public key of the cert client certificates (and their signer's certificate(s), if necessary) into your web server, and the web server won't accept connections from anyone except the people who have the corresponding private keys for the certs it knows about. It runs on the HTTPS layer, so you may even be able to completely skip application-level authentication like OAuth (depending on your requirements). You can abstract a layer away and create a local Certificate Authority and sign Cert Requests from clients, allowing you to skip the 'make them come into the office' and 'load certs onto the server' steps.

Pain the neck? Absolutely. Good for everything? Nope. Very secure? Yup.

It does rely on clients keeping their certificates safe however (they can't post their private keys online), and it's usually used when you sell a service to clients rather then letting anyone register and connect.

Anyway, it may not be the solution you're looking for (it probably isn't to be honest), but it's another option.

Solution 2

HTTP Basic + HTTPS is one common method.

Solution 3

If choosing between OAuth versions, go with OAuth 2.0.

OAuth bearer tokens should only be used with a secure transport.

OAuth bearer tokens are only as secure or insecure as the transport that encrypts the conversation. HTTPS takes care of protecting against replay attacks, so it isn't necessary for the bearer token to also guard against replay.

While it is true that if someone intercepts your bearer token they can impersonate you when calling the API, there are plenty of ways to mitigate that risk. If you give your tokens a long expiration period and expect your clients to store the tokens locally, you have a greater risk of tokens being intercepted and misused than if you give your tokens a short expiration, require clients to acquire new tokens for every session, and advise clients not to persist tokens.

If you need to secure payloads that pass through multiple participants, then you need something more than HTTPS/SSL, since HTTPS/SSL only encrypts one link of the graph. This is not a fault of OAuth.

Bearer tokens are easy to for clients to obtain, easy for clients to use for API calls and are widely used (with HTTPS) to secure public facing APIs from Google, Facebook, and many other services.

Share:
111,486
Jan Deinhard
Author by

Jan Deinhard

Updated on April 18, 2020

Comments

  • Jan Deinhard
    Jan Deinhard about 4 years

    I have to implement secure RESTful web services. I already did some research using Google but I'm stuck.

    Options:

    TLS (HTTPS) +

    Are there more possible options to consider? If OAuth then what version? Does it even matter? From what I've read so far OAuth 2.0 with bearer tokens (that is without signatures) seems to be insecure.

    I've found another very interesting article on REST based authentication.

    Secure Your REST API... The Right Way

  • pc1oad1etter
    pc1oad1etter over 13 years
    I don't think that http digest is giving you anything over http basic if they are both over https.
  • fikr4n
    fikr4n about 10 years
    Okay, now I am confused which one is better, this approach or another answer. Could you elaborate? :D
  • pc1oad1etter
    pc1oad1etter about 10 years
    You are welcome to add helpful information about HTTP digest's benefits without the tone, seriously.
  • Rajan Rawal
    Rajan Rawal almost 10 years
    Your answer would be perfect for masters but its confusing for novice. Can you please provide some detail information or links to read upon?
  • Joyce
    Joyce about 9 years
    If the certificates are self-signed, is it still "very secure"?
  • mbmast
    mbmast over 8 years
    @Joyce I would think not. Since you are not trusted (no offense), the certs that you sign (with your own cert) cannot be trusted. I believe self signed certs are more useful for testing.
  • mbmast
    mbmast over 8 years
    Given the end user (customer) has a client cert whose public key is shared with the server, doesn't the whole "very secure" thing fall apart if the customer's machine is hacked and their client cert stolen?
  • StvnBrkdll
    StvnBrkdll almost 8 years
    @Rajan Rawal: the Java tutorial gives a good explanation of authentication with client certificates, including mutual authentication with client certs (ie server authenticates client, client authenticates server). see: Certificate authentication tutorial

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What is the most common way to authenticate a modern web app?
How to authenticate restful web service using oAuth
Securing REST Web Service using token (Java)
Salesforce REST API Login?
How to configure secure RESTful services with WCF using username/password + SSL
Rest - how get IP address of caller
What status code should I use when session token is invalid?
Restful web service authentication
RESTful web service - how to authenticate requests from other services?
Bearer token in the (OAuth) Authorization request header for REST API POST call