Browser Based REST Authentication

I am working on a REST web service, and in particular on authentication methods for browser-based requests (using JSONP or cross-domain XHR requests / XDomainRequest).

I did some research into OAuth as well as Amazon AWS. The big drawback of both is that I need to do one of the following:

  • Keep secret tokens in the browser
  • Let the server side of the script compute the signature. Basically, I would first contact my server to get a specific pre-signed JavaScript request that I then use to connect to the real REST server.

What other options or suggestions are there?

+4
3 answers

Well, the only real answer here is proxying through the server, using sessions / cookies for authentication and, of course, using SSL. Sorry for answering my own question.

+1

Yes, JSONP authentication is tough because the client browser would have to know the shared secret.

One option would be to make an anonymous endpoint (one that needs no authentication). This comes with other security problems (the server is open to attacks, anyone can call it). But you can handle this either by exposing a very limited resource, or by using a rate limit. When rate limiting a client, a certain number of calls are allowed within a certain period of time. It works by identifying the client (for example, using source files or other clicks).

I once experimented with one-time tokens, but they all failed somewhat, because you have the problem of obtaining the token itself and protecting against bots extracting multiple tokens (which again requires rate limiting).

0

I have not tried this myself, but you could try the following (I'm sure I will get some feedback).

On the server side, create a timestamp. Using HMAC-SHA256, generate a key for this timestamp using a password, and send the generated key and timestamp to the HTML page.

When you make an AJAX call to the web service (assuming it's a different server), send the key and timestamp along with the request. Check that the timestamp is within 5-15 minutes. If it is, compute HMAC-SHA256 with the same password and check that the generated key is the same. On the client side you will also need to check that your timestamp is still valid before the call is made.

You can generate the key using the following URL. http://buchananweb.co.uk/security01.aspx

0
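The timestamp-plus-HMAC scheme described in the answer above, as an added example that is not code from the original post: the server issues a timestamp and its HMAC-SHA256 under a server-side password, the web service recomputes the HMAC and accepts only timestamps inside the window, and the client checks its own timestamp before calling. The secret, the 10-minute window, the clock-skew allowance and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed example secret; it stays on the server and is never sent to the browser.
SERVER_PASSWORD = b"example-server-password-do-not-reuse"
WINDOW_SECONDS = 600   # 10 minutes, inside the 5-15 minute range the answer suggests
SKEW_SECONDS = 60      # tolerate a slightly fast client or service clock


def _mac(password, timestamp):
    return hmac.new(password, str(int(timestamp)).encode(), hashlib.sha256).hexdigest()


def issue_token(password, now=None):
    """Server side: return (timestamp, key) to embed in the HTML page."""
    ts = int(time.time() if now is None else now)
    return ts, _mac(password, ts)


def timestamp_is_current(ts, now, window=WINDOW_SECONDS, skew=SKEW_SECONDS):
    """Shared check: the timestamp is neither expired nor unreasonably far ahead."""
    return now - window <= ts <= now + skew


def verify_request(password, ts, key, now=None, window=WINDOW_SECONDS):
    """Web service side: accept the request only if timestamp and key check out."""
    now = time.time() if now is None else now
    try:
        ts = int(ts)  # the value arrives as a request parameter, i.e. untrusted text
    except (TypeError, ValueError):
        return False
    if not timestamp_is_current(ts, now, window):
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_mac(password, ts), str(key))


def client_should_refresh(ts, now=None, window=WINDOW_SECONDS, margin=30):
    """Client side: ask the issuing server for a fresh pair before the old one expires."""
    now = time.time() if now is None else now
    return not timestamp_is_current(ts, now + margin, window, skew=0)


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed clock value
    ts, key = issue_token(SERVER_PASSWORD, now=issued_at)
    print("issued", ts, key)
    print("fresh  ->", verify_request(SERVER_PASSWORD, ts, key, now=issued_at + 120))
    print("stale  ->", verify_request(SERVER_PASSWORD, ts, key, now=issued_at + 900))
    print("refresh?", client_should_refresh(ts, now=issued_at + 580))
```

The key covers only the timestamp, so any caller who sees the pair can reuse it until the window closes; that is why this only makes sense over SSL, as the first answer notes, and why the HMAC input is usually extended with request-specific fields (method, path, a nonce) when the service needs to tell callers apart.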
