Ivan Vorobei, 2016-05-01 13:43:09
API

Optimal client validation architecture for an API?

Available:
A closed API; part of the functionality requires user authorization, part does not.
Purpose:
Restrict requests to trusted clients only.
Options:

  1. Authorize the client via JWT. The essence is simple: we send a key-secret pair, check it and send back a token. We save the token on the server. All API requests come with the token.
    The problem lies in the storage of tokens: there is only one key-secret pair per client, but there will be many tokens. Is it worth it..?
    UPD: I did not know that JWT does not require storing the issued token. However, this leaves the issue of client authorization open.
  2. We store a string on the client, encrypt it and send it to the server. We check it, and if everything is fine, we process the request. No token is issued, as you can understand. As a plus, there is one entry in the database per client (no matter how many there are).
  3. Anything else?

Please note:
The question is not about client authorization with a login-password pair, but about limited access to the API from a client (mobile application, desktop, web, etc.).

2 answer(s)
Ivan Vorobei, 2016-05-10
@ivanvorobei

For those who are looking for a solution:
Client validation is best done through a header.

GTRxShock, 2016-05-01
@GTRxShock

Good evening, here is an article for you to see visually the 2 generally accepted ways:
https://auth0.com/blog/2014/01/07/angularjs-authen...
PS: for option 1, something tells me you missed the essence of JWT. It is completely stateless authentication.
And option 2 looks more like reinventing the wheel. Read the article above and JWT will solve all your problems)
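The stateless flow that option 1 in the question and both answers point at, as an added example in Python (not code from the original post or from the linked article): the server holds one key-secret pair per client, exchanges it for a short-lived HS256-signed JWT, and later validates each request purely from the Authorization header by recomputing the signature and checking expiry, so no issued token is ever stored. The registry CLIENTS, the SERVER_SIGNING_KEY, TOKEN_TTL_SECONDS and the client ids and secrets are constructed for the example. One caveat the thread does not state: a secret shipped inside a mobile or desktop binary can be extracted from it, so this scheme distinguishes clients that know the secret, not genuinely trustworthy binaries; keep the token lifetime short and rotate secrets.

```python
"""Stateless client authentication with an HMAC-signed JWT (HS256).

Constructed example: the server keeps one key/secret pair per client,
issues a short-lived signed token, and validates later requests from the
Authorization header alone. No issued token is persisted server-side.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key and client registry (constructed data).
SERVER_SIGNING_KEY = b"server-side-signing-key-rotate-me"
CLIENTS = {
    "mobile-app": "s3cr3t-mobile",
    "desktop-app": "s3cr3t-desktop",
}
TOKEN_TTL_SECONDS = 900


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, client_secret: str, now=None) -> str:
    """Exchange the client's key/secret pair for a signed JWT.

    The secret is compared in constant time. Nothing about the issued
    token is stored, which removes the 'many tokens per client' problem.
    """
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        raise PermissionError("unknown client or bad secret")
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": client_id,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # random token id; only useful if revocation is added later
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SERVER_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims.

    Raises PermissionError on any failure. Only SERVER_SIGNING_KEY is
    needed, so validation is stateless.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm-confusion tokens
        raise PermissionError("unexpected alg")
    expected_sig = hmac.new(
        SERVER_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("sub") not in CLIENTS:
        raise PermissionError("unknown client")
    return claims


def authenticate_request(headers: dict, now=None) -> str:
    """Validate the request via its Authorization header; return the client id."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    return verify_token(token, now=now)["sub"]


if __name__ == "__main__":
    tok = issue_token("mobile-app", "s3cr3t-mobile")
    print(authenticate_request({"Authorization": "Bearer " + tok}))  # mobile-app
```

The `jti` claim is included only to show where a revocation list would hook in; without one, the design stays fully stateless and a leaked token is valid until `exp`, which is why the lifetime is kept to minutes rather than days.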
