A REST API is an application interface that allows a web application to expose its resources in a secure way to client applications using HTTP methods such as GET, POST, PUT, DELETE, etc.
To understand REST APIs, take the example of Jira, a widely used issue tracking product for project management and helpdesks. Jira provides an endpoint, /rest/2/issue, which developers can use to create a new ticket with an HTTP request. Hence /rest/2/issue is a REST API provided by Jira to developers.
Since these APIs allow clients to access and modify resources remotely, it is important to authenticate calls to them.
Most applications provide Basic Authentication for their REST APIs. This method has many drawbacks:
1. Potential credential theft:
Basic authentication requires the username and password to be sent in the header of every request. This is clearly unsafe over plain HTTP and only somewhat less exposed over HTTPS. Because the credentials accompany every single request, every API call is an opportunity for cleartext credential theft, which is far from ideal.
2. API calls on federated applications:
If the application is federated using SSO protocols such as SAML, OAuth or OIDC, the user generally does not know his or her application credentials; the user only knows the credentials for the Identity Provider. Hence basic authentication does not work in such cases.
This is where our solution comes into the picture. We provide REST API authentication plugins for various applications.
Using these plugins, you can authenticate the REST APIs of your application against any OAuth/OIDC provider. This means the client calling a REST API fetches an access token from the OpenID provider with the user's consent and then uses that access token to call the API.
How miniOrange OAuth authentication works with REST APIs:
- The client application requests an access token from the OAuth provider
- It receives the access token
- It then makes an API call, including the access token in the Authorization header
- The miniOrange REST API Auth app validates the access token using the provider's introspection endpoint
- If the token is valid, the plugin calls the Jira API and the response is sent back to the client application
Benefits of using REST API Authentication using OAuth/OIDC plugins:
- Secure: Since the client does not have to pass the user's credentials with any request, this method is more secure. It requires an access token, which can only be obtained with the user's consent. Moreover, the plugins block basic authentication completely, so no one without an access token can reach the APIs in an insecure manner.
- Easy to integrate: The plugins can be integrated with any OAuth/OIDC provider within seconds. All you need to do is provide the userinfo endpoint of the OAuth provider in the plugin.
- Easy to install: You only have to install and configure the plugin once. The plugins are available on the marketplaces of the supported applications, which allows installing and activating a plugin in a few minutes.
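The following is an added example, not miniOrange's plugin code, that models the two points above: the validation step in the flow (a bearer token is taken from the Authorization header and checked against an OAuth 2.0 token introspection endpoint, RFC 7662) and the rule that basic authentication is refused outright. The introspection call is replaced by a constructed in-memory table of tokens so the script runs offline; the token values, user names, scope name and the `authorize` / `introspect` function names are all assumptions made for the example. A real deployment would POST the token to the provider's introspection URL with client credentials and parse the JSON reply in the same `introspect` function.

```python
"""Minimal bearer-token gate in front of a protected API.

Added example (not the plugin's own code). The provider's introspection
endpoint is mocked with a constructed token table so the script runs offline.
"""
from typing import Dict, Optional, Tuple

# Constructed sample data standing in for the OAuth provider's token store.
# Tokens may be opaque or JWTs; the gate only relies on what introspection says.
NOW = 1_700_000_000
MOCK_INTROSPECTION_DB: Dict[str, dict] = {
    "tok-valid":   {"active": True,  "sub": "alice", "scope": "issues:write", "exp": NOW + 3600},
    "tok-expired": {"active": False},  # revoked/expired tokens come back as inactive
    "tok-noscope": {"active": True,  "sub": "bob",   "scope": "profile",      "exp": NOW + 3600},
}


def introspect(token: str) -> dict:
    """Stand-in for POST <introspection_endpoint>.

    Unknown tokens are reported as inactive with no further detail, which is
    what RFC 7662 requires of a real endpoint.
    """
    return MOCK_INTROSPECTION_DB.get(token, {"active": False})


def parse_authorization(header: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (scheme, credential) from an Authorization header value."""
    if not header:
        return None, None
    parts = header.split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()


def authorize(headers: Dict[str, str], required_scope: str, now: int = NOW) -> Tuple[int, str]:
    """Decide whether a request may be forwarded to the backend API.

    Returns an (HTTP status, reason) pair. 200 means the gate would forward the
    call; any other status is returned before the backend sees the request.
    """
    scheme, cred = parse_authorization(headers.get("Authorization"))
    if scheme is None:
        return 401, "missing or malformed Authorization header"
    if scheme == "basic":
        # Basic auth is refused so user credentials never travel with API calls.
        return 401, "basic authentication disabled; use a bearer token"
    if scheme != "bearer":
        return 401, "unsupported auth scheme %r" % scheme

    info = introspect(cred)
    if not info.get("active"):
        return 401, "token inactive"
    if info.get("exp", 0) <= now:
        # Defensive: trust our own clock, not only the provider's active flag.
        return 401, "token expired"
    if required_scope not in info.get("scope", "").split():
        return 403, "token lacks scope %r" % required_scope
    return 200, "forward to backend as %s" % info["sub"]


if __name__ == "__main__":
    # "Basic YWxpY2U6c2VjcmV0" is the constructed pair alice:secret, base64-encoded.
    samples = [None, "Basic YWxpY2U6c2VjcmV0", "Bearer tok-valid",
               "Bearer tok-expired", "Bearer tok-noscope", "Bearer tok-unknown"]
    for hdr in samples:
        req = {"Authorization": hdr} if hdr else {}
        print(repr(hdr), "->", authorize(req, "issues:write"))
```

The gate treats every failure the same way from the client's point of view (401 or 403 with a short reason) and never echoes the token back, so logs and error bodies do not become a second place where tokens leak. Scope checking is what turns "this token is valid" into "this token may perform this operation", which is the check a backend such as a ticket-creation endpoint actually needs.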
Here are the supported applications for REST API Authentication and step by step guides to set it up:
|Application|Step By Step Guide|
|---|---|
|Jira / Jira Service Desk|View Guide|
|WordPress|REST API Authentication|