
DUKE RIN • 6 years ago

Great Article. Well understood.

uberubert • 5 years ago

Please stop the popups asking me to give you my email. Popups were hated in the 90s, and they are hated now. Make it stop, please.

KinGuy • 5 years ago

Removed the popup.

Yoav Naaman • 7 years ago

well written.
Thanks

KinGuy • 7 years ago

Thank you

Tauseef Ameen • 4 years ago

Hi
I am using an internal API via Postman (a 3rd-party tool) to invoke a DB create service. My client wants to have signing in this web service. Which approach will be good?
As I don't have a login factor here (no linkage of username and password), what should be the best approach for signing?

KinGuy • 4 years ago

Hi,
In your case I think that the HMAC (also called API signing) approach is preferred.

But to me, allowing access to a service that creates databases, sounds very dangerous without API signing.

Thanks,
Guy

Sanjay Tiwari • 5 years ago

Well explained

KinGuy • 5 years ago

Thank you very much

Storm Muller • 5 years ago

Great article! Thank you very much.

Jordan Nelson • 6 years ago

Is the header sent in the HMAC example supposed to be Authorization: instead of Authentication: ?

KinGuy • 6 years ago

No no, Authentication header is good here :)
https://tools.ietf.org/html...

robm • 6 years ago

Your link points to an RFC for the IP Authentication Header, which has nothing to do with HTTP headers. Jordan Nelson is correct - it should be Authorization and not Authentication - see https://tools.ietf.org/html.... The rest of the content is great - thanks for sharing!

amit gupta • 4 years ago

Really a great read, learnt how we can use request headers and nonce in authenticating every single request.

Walter Ewald • 5 years ago

If we use .net Identity Framework already using Azure, doesn't it hash the credentials already? If so, can we easily extend this to a web api?

Lianamelissa • 5 years ago

It was an excellent article to hear from you, which is very useful. Thank you so much for gathering all this information in one post with examples; it's very clever and will be extremely helpful for all people.

puspender • 5 years ago

I developed a REST API for www.myownwebsite.com (just an example).
This API is not a public API; only the client application specific to this API can use it. What would be the best choice? Some people say Basic Auth would work, some say Basic is not that secure.
Some say OAuth would be the best, but some say OAuth is for public APIs that grant access to their resources to some third-party clients.
Quite confused.

KinGuy • 5 years ago

Hi,
For internal APIs, in case no client access is needed, you can simply go with API signing. Mostly it means adding a signed header or two using a private key that both the client application and the API service are aware of. In case your client application has users, I recommend going with OAuth2.

Thanks,
Guy
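The API signing recommended in the two replies above (the HMAC answer to the Postman question and the "signed header or two using a private key" answer here), as an added example that is not code from the original article or from any commenter. It assumes a shared secret provisioned out of band, a hypothetical header format carried in the HTTP Authorization header (the correction made earlier in this thread), and a hypothetical `sign_request` / `Verifier` pair; the key, body and timestamps are constructed demo values. Beyond the plain signed header, the verifier also rejects stale timestamps and replayed nonces, which a signed-only scheme does not cover.

```python
"""HMAC request signing with timestamp and nonce replay protection.

Added example (not the article's code). Hypothetical scheme:
  Authorization: HMAC-SHA256 ts=<unix time>,nonce=<hex>,sig=<hex>
The signature covers method, path, timestamp, nonce and a SHA-256 hash
of the body, so none of them can be altered in transit.
"""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"shared-secret-for-demo"  # constructed demo key; provision out of band
CLOCK_SKEW_SECONDS = 300                # how far a request timestamp may drift


def canonical_string(method, path, timestamp, nonce, body):
    """The exact bytes both sides sign; the body is hashed, not embedded."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the header(s) to attach to the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"Authorization": f"HMAC-SHA256 ts={timestamp},nonce={nonce},sig={mac}"}


class Verifier:
    """Server side: recompute the MAC, then enforce freshness and single use."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now                # injectable clock for testing
        self.seen_nonces = {}         # nonce -> expiry; a shared cache in production

    def _parse(self, header):
        scheme, _, params = header.partition(" ")
        if scheme != "HMAC-SHA256":
            return None
        fields = {}
        for part in params.split(","):
            key, sep, value = part.partition("=")
            if not sep:
                return None
            fields[key.strip()] = value.strip()
        return fields

    def _expire(self, now):
        for nonce, expiry in list(self.seen_nonces.items()):
            if expiry < now:
                del self.seen_nonces[nonce]

    def verify(self, method, path, body, headers):
        header = headers.get("Authorization")
        if not header:
            return False, "missing Authorization header"
        fields = self._parse(header)
        if not fields or not all(k in fields for k in ("ts", "nonce", "sig")):
            return False, "malformed header"
        try:
            ts = int(fields["ts"])
        except ValueError:
            return False, "bad timestamp"
        now = int(self.now())
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return False, "timestamp outside window"
        self._expire(now)
        if fields["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(self.key, canonical_string(method, path, ts, fields["nonce"], body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, fields["sig"]):   # constant-time compare
            return False, "bad signature"
        # Only remember the nonce once the signature is valid, so an attacker
        # cannot burn nonces for the legitimate client with forged requests.
        self.seen_nonces[fields["nonce"]] = now + CLOCK_SKEW_SECONDS
        return True, "ok"
```

For the Postman case, the client-side half would run as a pre-request script that sets the Authorization header; the server keeps the verifier. Nonces only need to be remembered for the length of the timestamp window, which keeps the replay cache bounded.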

puspender • 5 years ago

Thanks.
To clarify what my application is:
consider Facebook.com has a browser client built using Angular.js which consumes all of its data from its REST API hosted on AWS. That backend API is consumed only by that Angular.js client. Simple architecture it is.
Is OAuth2 the right choice?

KinGuy • 5 years ago

Hi,
The Facebook website has OAuth2 authentication. When you enter your username and password you get a token, and with that token you send all your requests. Since they have billions of users - and yes - one client (several instances probably, but one client).
This way, they know what to show to each user: his personal and friends' data.

I am also guessing that the backend API that you have is getting some sort of auth token in order to return data that is specific to the user who requested it?

Thanks.
Guy

puspender • 5 years ago

Yes, the backend API would return the data specific to logged in user.
Actually, I was stuck on whether to choose "basic auth over HTTPS" or "OAuth", because some experienced person told me that OAuth2 is for social login kind of things and I should go with "basic auth" for logging in my website users.

KinGuy • 5 years ago

Hi,
It is still recommended to use OAuth2 with the Authorization Code flow for web applications (there are many flows / grant types in OAuth2, like authorization code, implicit and others). OAuth2 is not only for social login but can be used in many variations, like web applications, mobile applications and other devices.
Please check more info here:
https://oauth.net/2/
https://tools.ietf.org/html...

I think this video might help you:
https://www.youtube.com/wat...

Thanks,
Guy

nathansharp • 5 years ago

KinGuy already read

puspender • 5 years ago

Thank you so much.

Kabir • 5 years ago

Do we need email and password every time to access an API? Then why do we need authorization?
I am confused about both.

I think it should be:
The client application will check if there is any token in the application; if not, it will post a request to the API using email and password, then the API will send a token to the client application.

After getting that token, the client application will request the API with the token for accessing API resources. The API will then check the token; if it is authorized, the API will respond with the requested resources, otherwise an "unauthorized token" response will be sent to the client.

Am I wrong?
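The two-step flow described in the comment above, as an added example that is not code from the original article or from the commenter: the client sends email and password once to obtain a token, caches it, and sends only the token with later requests; the API checks the token on every request and answers 401 when it is missing, unknown or expired, at which point the client logs in again. `DemoApi`, `DemoClient`, the user record and the clock are hypothetical; the user database is constructed in memory. Passwords are stored as salted PBKDF2 hashes rather than in the clear, and tokens are random, not derived from the credentials.

```python
"""Credential-for-token exchange and bearer-token checks on every request.

Added example (not the article's code). Hypothetical in-memory API.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class DemoApi:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock for testing expiry
        self.users = {}      # email -> (salt, digest); constructed demo store
        self.tokens = {}     # token -> (email, expiry); server-side session table

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        """POST /login with email+password. Returns (status, token or None)."""
        record = self.users.get(email)
        if record is None:
            hash_password(password)   # same cost for unknown users: no user enumeration by timing
            return 401, None
        salt, digest = record
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            return 401, None
        token = secrets.token_urlsafe(32)          # opaque, unguessable, unrelated to the password
        self.tokens[token] = (email, self.now() + TOKEN_TTL_SECONDS)
        return 200, token

    def get_profile(self, headers):
        """GET /profile with 'Authorization: Bearer <token>'. Returns (status, body)."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            return 401, {"error": "unauthorized"}
        email, expiry = self.tokens[token]
        if expiry <= self.now():
            del self.tokens[token]
            return 401, {"error": "token expired"}
        return 200, {"email": email}


class DemoClient:
    """Logs in only when it holds no token; resends the token otherwise."""

    def __init__(self, api, email, password):
        self.api, self.email, self.password = api, email, password
        self.token = None

    def fetch_profile(self):
        if self.token is None:
            status, token = self.api.login(self.email, self.password)
            if status != 200:
                return status, None
            self.token = token
        status, body = self.api.get_profile({"Authorization": f"Bearer {self.token}"})
        if status == 401:
            self.token = None   # expired or revoked: the next call logs in again
        return status, body
```

The password travels exactly once per token lifetime, which is the point of the exchange; the token table also gives the server a place to revoke a session without touching the credentials.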

pradeep kumar • 6 years ago

Thanks for this blog. It is written very well for anyone to understand. I liked your way of explaining the concepts. Keep it up.

Janwen Lou • 6 years ago

Thanks for the blog post.
Recently we are building a project with Spring MVC RESTful functions. In our project we have an RBAC module. We are confused about how to implement the authentication, e.g. for a URL pattern like /api/example/{action}. In the old days we could set resource URLs like /api/example/update, /api/example/create and so on. But now we have not figured out a better way to control authentication. Any suggestion? Thanks

KinGuy • 6 years ago

Hi,

Once you have a resource and the action is POST / GET / PUT etc., it is the same as saying {action}.
POST is create
PUT is update
GET is read
DELETE is delete
and so on.

Hope that helps.

Guy

Janwen Lou • 6 years ago

Thanks. In general there is more than one POST or GET method for one resource, because different roles have different resource access, for example /person/getone for role A, but /person/getall for role B. In this scenario just one action for the person resource does not fit.

KinGuy • 6 years ago

Hi,
I am guessing that you are also sending some authorization header that lets you identify the user and his access rights, no? For getting one person you use /person/ID; for getting many, you have something like /person without anything, which means getting all. All these are different paths in the controller. So for each you can set a specific access rule, based on the role of the user. You can also set advices @role on your controller paths to control the access.

Guy
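The per-path, per-role rules suggested in the reply above, as an added example that is not code from the original article, from Spring, or from any commenter. It shows that once a resource is addressed as `/person` (all) versus `/person/{id}` (one), the same HTTP method on the same resource can carry different role requirements, which is what the `/person/getone` versus `/person/getall` question was asking for. The route table, role names and `authorize` function are hypothetical; the roles on an incoming request are assumed to have been taken from an already-verified authorization header.

```python
"""Method + path pattern -> allowed roles, with default deny.

Added example (not the article's or Spring's code). Hypothetical route table.
"""
import re

# (HTTP method, path pattern, roles allowed to call it); {name} is a path variable.
# Anything not listed here is denied.
ROUTES = [
    ("GET",    "/person",      {"admin", "manager"}),            # read all
    ("GET",    "/person/{id}", {"admin", "manager", "user"}),    # read one
    ("POST",   "/person",      {"admin"}),                       # create
    ("PUT",    "/person/{id}", {"admin", "manager"}),            # update
    ("DELETE", "/person/{id}", {"admin"}),                       # delete
]


def compile_route(pattern):
    """Turn '/person/{id}' into an anchored regex with a named group per variable."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", pattern) + "$"
    return re.compile(regex)


COMPILED = [(method, compile_route(pattern), roles) for method, pattern, roles in ROUTES]


def authorize(method, path, user_roles):
    """Return (status, detail): 200 with path variables, 403, 405 or 404."""
    path_known = False
    for route_method, regex, roles in COMPILED:
        match = regex.match(path)
        if not match:
            continue
        path_known = True
        if route_method != method:
            continue
        if user_roles & roles:            # any one permitted role is enough
            return 200, match.groupdict()
        return 403, "role not permitted"
    if path_known:
        return 405, "method not allowed"
    return 404, "no such route"
```

The rule for GET /person (list everyone) is stricter than for GET /person/{id} even though both are reads of the same resource, so the RBAC module never has to see a verb in the URL. A request whose path matches nothing falls through to denial rather than to an implicit allow.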

Janwen Lou • 6 years ago

Thanks. We use Spring MVC RESTful, and the URL pattern is like /people/{action}, so ACL cannot determine the exact resource URL for the same HTTP method, for example /people/list, /people/get. Anyway, thanks for your discussion.