WebDev, 2019-09-04 11:12:54
API

How to do authorization between two APIs?

Requests from the client (an SPA on React) come to our API. One of the requests is a request for statistics. The statistics are stored in MySQL right there on the same server, and before returning them we check whether the user is authorized and whether he has access to these statistics.
As the volumes grew, we decided to move the statistics to a separate server and a separate domain. In addition, ClickHouse was set up there to process the data more efficiently.
Now the question is how to do the authorization check. The chain turns out like this:
client -> api -> statistics
That is, a request comes from the client to the API, the API checks the user's rights and calls the statistics server.
Now we need to make sure that the statistics server gives data only to the API server, so that no outsider can get the data.
What are the options here? Here is what comes to mind:
1. A whitelist of addresses. The statistics server checks which IP the request came from and answers only if it matches. I do not like this method, because we have several servers, including backup ones. If we buy or change servers, the list has to be kept in mind.
2. Send some secret key from the API server and check it on the statistics server. This option seems the most convenient to me, but in what form should it be stored and how should it be transmitted?
Please advise.


4 answer(s)
Evgeniy Volf, 2019-09-04
@kirill-93

2. Send some secret key from the API server and check it on the statistics server. This option seems the most convenient to me, but in what form should it be stored and how should it be transmitted?
It seems to me that this is the most reasonable option. The list of addresses is not very reliable and not very logical.
How to pass it: just like the request itself, as a parameter, a header, or any other part of the request that will eventually be parsed on the server. How to store it: we usually keep it in ENV (environment variables) or in the project configuration files.
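An added example of the option Evgeniy describes (a static shared key, read from the environment on both servers and sent in a header); it is illustrative code, not anything from the original thread. The header name `X-Service-Key`, the environment variable `STATS_SERVICE_KEY` and the demo key are assumptions. The detail worth copying is the constant-time comparison on the statistics server: a plain `==` on the key string returns as soon as the first byte differs, which lets a caller who can time responses recover the key one byte at a time.

```python
import hmac
import os
from typing import Mapping, Tuple

# Header carrying the service key; the name is an assumption for this example.
SERVICE_KEY_HEADER = "X-Service-Key"
# Environment variable both servers read the key from; also an assumption.
SERVICE_KEY_ENV = "STATS_SERVICE_KEY"


def load_service_key(environ: Mapping[str, str] = os.environ) -> str:
    """Read the shared key from the environment and refuse to start without it.

    The same value is set on the API server and on the statistics server
    (via the environment or a config file kept out of the repository).
    """
    key = environ.get(SERVICE_KEY_ENV, "")
    if len(key) < 32:
        raise RuntimeError(
            f"{SERVICE_KEY_ENV} must hold a random string of at least 32 characters"
        )
    return key


def outgoing_headers(service_key: str) -> dict:
    """API-server side: headers attached to every call to the statistics server."""
    return {SERVICE_KEY_HEADER: service_key}


def check_service_key(headers: Mapping[str, str], expected_key: str) -> bool:
    """Statistics-server side: accept the request only if the key matches.

    Header names are matched case-insensitively, as HTTP requires.
    hmac.compare_digest takes the same time whether the strings differ in the
    first byte or the last, so a caller cannot recover the key byte by byte
    by timing rejections, which a plain == comparison would leak.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == SERVICE_KEY_HEADER.lower():
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_key.encode())


def handle_stats_request(headers: Mapping[str, str], expected_key: str) -> Tuple[int, str]:
    """Minimal request handler: 403 without a valid key, 200 with one."""
    if not check_service_key(headers, expected_key):
        return 403, "forbidden"
    return 200, "stats payload would go here"


if __name__ == "__main__":
    # Constructed demo: both sides share the same key taken from the environment.
    demo_env = {SERVICE_KEY_ENV: "c7GqTqA3x0Z9mPz1vW8kL2dN5sR4hJ6bY3eU1fT0iK"}
    key = load_service_key(demo_env)
    print(handle_stats_request(outgoing_headers(key), key))
    print(handle_stats_request({"X-Service-Key": "wrong"}, key))
```

Two practical notes. Generate the key with something like `python -c "import secrets; print(secrets.token_urlsafe(32))"` and set it in the environment of both servers; rotating it is then just changing that variable on both sides. Send it in a header rather than a query parameter, because query strings land in access logs, proxies and error reports, and keep the link between the two servers on TLS, since a static key is a bearer credential: anyone who reads it once can replay it.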

Ivan Shumov, 2019-09-04
@inoise

So, let's read together about what OpenID and OAuth2 are. Then read about the existence of an Identity Server. If you want to do everything yourself, then take Keycloak; if you want a service, then Auth0. After that, read about JWT tokens. If you don't like the proposed options, then look for analogues. The idea is that if there are several places where authentication happens, then you need to do authentication separately. Waiting for stupid or smart questions in the comments)

Kirill Gorelov, 2019-09-04
@Kirill-Gorelov

We did it like this.
With signatures.
There is a public + private key.
We sign our data with the private key and send it to the server that has the public key.
On the API side, using the public key, we look up the private one, that is, the trusted source. We check the signature. And if everything is OK, then we let it through.
There are classes in PHP and Python so that you can communicate in both directions if the languages differ.
We are not complaining so far.
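An added example of the signed-request approach Kirill describes, written for this page rather than taken from his project. It differs from his setup in one point, stated plainly: his side signs with a private key and verifies with the public key, while this example uses HMAC-SHA256 with a secret shared by both servers, because that is what Python's standard library provides. The shape is the same (the API signs, the statistics server verifies), and it shows what a per-request signature buys over a static key: the signature covers the method, the path, a timestamp and a hash of the body, so a captured request cannot be replayed against another endpoint, with another body, or after its time window. Header names, the skew window and the demo secret are assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Mapping, Optional

# Header names and the allowed clock skew are assumptions for this example.
TIMESTAMP_HEADER = "X-Service-Timestamp"
SIGNATURE_HEADER = "X-Service-Signature"
MAX_CLOCK_SKEW = 300  # seconds; older (or future-dated) requests are rejected


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bytes that get signed: method, path, timestamp and a hash of the body.

    Binding all four means a captured signature cannot be reused for a
    different endpoint, a different body, or outside its time window.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """API-server side: headers to attach to a call to the statistics server."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {TIMESTAMP_HEADER: str(ts), SIGNATURE_HEADER: mac.hexdigest()}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Mapping[str, str], now: Optional[int] = None) -> bool:
    """Statistics-server side: recompute the signature and compare in constant time."""
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        presented = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False  # stale or future-dated: a replay of a captured request
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed demo values; in production the secret comes from ENV on both sides.
    secret = b"replace-with-32-random-bytes-from-secrets.token_bytes"
    body = json.dumps({"user_id": 42, "period": "2019-09"}).encode()
    headers = sign_request(secret, "POST", "/stats", body)
    print(verify_request(secret, "POST", "/stats", body, headers))
    tampered = json.dumps({"user_id": 1, "period": "2019-09"}).encode()
    print(verify_request(secret, "POST", "/stats", tampered, headers))
```

With a real key pair, as in Kirill's setup, `sign_request` would run on the API server with the private key and `verify_request` on the statistics server with only the public key; the canonical string and the timestamp check stay the same, and the statistics server then holds nothing that could forge a request if it were compromised. Clocks on both machines need to be within the skew window (NTP), otherwise every request fails the timestamp check.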

Oleg Kleshchuk, 2019-09-04
@xenozauros

Why not just move the service traffic to a separate LAN/VLAN without direct access from the Internet?
