API identity/authorization

Problem

I'm making a private API where a client (application) makes calls to the API provider and retrieves or sends information. I need a way to authorize or identify which app is performing the operation and whether it has access to it. The same app is used in different places where the user checks in and can make API calls getting information from that place and not from another, but I'm not sure whether to allow this by using API keys or some auth method like OAuth.

Problem courtesy of: jtomasrl

Solution

In general, there is no way you can make 100% sure that your client is the one who is receiving the data. Hackers can always find a way to fool your program.

Notwithstanding that, there are a few ways you could do something. The best way would be for each client to have their own key, which they somehow pass to the server to authenticate. And these keys would have to somehow be passed securely through to the server. This isn't likely to happen. This key will uniquely identify each client. If any client is abusing the permission, they can be rejected.

The next step up is to create the keys as is mentioned above, encrypt them using a public key, and send them to the server. You could even put in an approval process if you wanted it to.

Another solution is that the client queries the server, producing a number. The user then enters that number into a web site which they have previously logged in to. The number needs to be suitably complex, and is only valid for a few minutes, to reduce the risk of someone taking over the device. This serves well for one-way applications, like Netflix.

All in all, it depends on what your needs are for your program.

Solution courtesy of: PearsonArtPhoto

Discussion

There is currently no discussion for this recipe.

This recipe can be found in its original form on Stack Overflow.