Customers often have multiple RESTful web services and want to secure them through a centralized mechanism. The stateless nature of RESTful web services makes this goal hard to achieve. Spring's implementation of OAuth 2.0 is a good fit for the problem. At Royal Cyber we have implemented this solution and delivered it to a client, where it has proven useful. This article gives a brief look at the solution.
Our client was using REST-style APIs for internal and external communication between applications. However, the security of those APIs was still an open question and immature, for the following reasons and goals:
- The REST architecture does not prescribe any particular security method, so we have to define our own implementation.
- REST APIs are susceptible to the same kinds of web attacks as typical web-based applications.
- Limited documentation, libraries and frameworks are available for implementing the standardized OAuth 2.0 specification.
- Give the client quick access to the REST API resources.
- Build a generic solution for REST API security.
Overview of OAUTH 2.0
OAuth 2.0 is an open authorization protocol specification that enables applications to access each other's data. The key focus of the protocol is to define a standard by which an application can obtain user data maintained by a resource server. In short, the resource server is responsible for granting access to an API call.
The following diagram outlines the steps involved in OAuth authentication.
- The user passes in credentials, which are handed to the Authorization Server in the HTTP Authentication header in encrypted form. The communication channel is secured with SSL.
- The Authorization Server validates the user with the supplied credentials, produces a time-restricted token and returns the token in the response.
- The resource server receives an API call from the client application; the token is transmitted in an HTTP header or as a query string.
- The resource server extracts the token and authorizes it with the Authorization Server.
- On successful authorization, the caller gets a valid response.
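The token exchange described above, as an added example that is not part of the Royal Cyber implementation or of Spring's code: a minimal authorization server that checks client credentials and issues time-limited tokens, and a resource server that accepts only a bearer token from the Authorization header and validates it by asking the authorization server (all class names, the client id and the secret are constructed for the example).

```python
import hmac
import secrets
import time

# Constructed client credentials; a real deployment would keep these in a store.
CLIENTS = {"api-client": "s3cret-client-secret"}


class AuthorizationServer:
    """Issues opaque tokens with an expiry and answers validation queries."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock, so expiry can be tested
        self.tokens = {}          # token -> (client_id, expires_at)

    def issue_token(self, client_id, client_secret):
        expected = CLIENTS.get(client_id)
        # Constant-time comparison avoids leaking the secret through timing.
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, random token
        self.tokens[token] = (client_id, self.now() + self.ttl)
        return token

    def introspect(self, token):
        """Resource server calls this to check a token (like RFC 7662)."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"active": False}
        client_id, expires_at = entry
        if self.now() >= expires_at:      # time-restricted: reject and purge
            del self.tokens[token]
            return {"active": False}
        return {"active": True, "client_id": client_id, "exp": expires_at}


class ResourceServer:
    """Protects an API call; only accepts the token from the Authorization header."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def handle(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "missing bearer token"}
        info = self.auth.introspect(token)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        return 200, {"data": "protected resource", "client": info["client_id"]}
```

Passing the token in a query string, which the flow above also allows, is not accepted here because query strings end up in server logs and browser history.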
Royal Cyber Implementation
Royal Cyber applied the following solution to overcome these business challenges:
- Create an authentication server using the Spring Security framework.
- Convert the REST API server into a resource server.
- Create an admin module to produce a token and secret key for each API.
Using our admin portal, you can assign an API a token and secret key. The client uses that token and secret key to call the API, and can do so without any hassle.