
We have a microservice-based architecture. Currently, we have APIs which we have exposed over the internet for all users.

Now we want to provide APIs to a specific client and only this specific client should be able to access this API.

What security practices should we follow? I mean, what is the best way to secure such APIs? Provide a token to the client and do a hard check of the token on each API request, or anything else?

Ankit Bansal
  • If you want to give access to a specific client, then just grant access only to him with a token or other authentication options. However, if you mean hiding the access to API endpoints over the Internet, that's nearly impossible AFAICT. – elsadek Jan 21 '21 at 18:57
  • Basically, the APIs will be exposed over the internet, but we want only that specific client to be able to access them. So you are saying that we should create a token, send it to the client and check for that token? – Ankit Bansal Jan 21 '21 at 19:35
  • wrt 'only this specific client should be able to access this API': if the client has a static IP (or range of static IPs) that they will be connecting to the API from, then you may want to consider restricting HTTPS access to the API to only their addresses. This can be done using an htaccess rule, iptables, etc. – mti2935 Jan 21 '21 at 20:32

1 Answer


what is the best way ... ?

It depends on what you mean by "the best":

  • The quickest to implement?
  • The cheapest to implement?
  • The easiest to integrate with Google or Facebook authentication?
  • The easiest to integrate with the client's own authentication system?
  • A solution with the quickest way to revoke permissions?
  • The most resistant to a particular attack type?
  • The easiest for problem analysis and support?
  • ...

Giving access based on some physical aspects (e.g. VPN connection, source IP) may be hard to implement and to maintain. That's why I'd suggest you consider some authentication system based on user credentials, for instance, based on user/password (or, depending on your context, you may use client authentication based on user certificates, or based on user hardware like smartcards, or other).

Then you can implement authorization. Based on the user (user name or some token), the service should decide whether a particular request should be executed or not.

Without knowing particular context it is hard to suggest anything more specific.

mentallurg
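The following is an added illustration of the two-step scheme the answer describes (authenticate the caller by a credential, then make a separate authorization decision per request), combined with the source-IP restriction suggested in mti2935's comment. It is not code from the question, the answer or any project mentioned on the page. The token format `Bearer <key_id>.<secret>`, the in-memory `CLIENTS` registry and the function names (`issue_client_key`, `authenticate`, `authorize`, `handle_request`, `revoke`) are all assumptions chosen for the example; a real service would keep the registry in a database or secrets store and run these checks in an API-gateway or middleware layer in front of every microservice.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    """One registered API client. Only a hash of the secret is stored,
    so a leaked registry does not directly yield usable tokens."""
    key_id: str
    secret_hash: bytes                      # sha256(secret), never the secret itself
    allowed: set[tuple[str, str]]           # (METHOD, path) pairs this client may call
    source_nets: list = field(default_factory=list)   # optional CIDR allow-list
    revoked: bool = False


# Hypothetical in-memory registry (assumption for the example).
CLIENTS: dict[str, Client] = {}


def _hash(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def issue_client_key(allowed, source_nets=()) -> str:
    """Register a client and return the token 'key_id.secret'.
    The secret is shown once, at issue time, and never stored in clear."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    CLIENTS[key_id] = Client(
        key_id, _hash(secret), set(allowed),
        [ipaddress.ip_network(n) for n in source_nets])
    return f"{key_id}.{secret}"


def revoke(key_id: str) -> None:
    """Revocation is immediate: the next request with this key is rejected."""
    if key_id in CLIENTS:
        CLIENTS[key_id].revoked = True


def authenticate(headers: dict) -> Optional[Client]:
    """Return the Client identified by a valid Authorization header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    key_id, sep, secret = auth[len("Bearer "):].partition(".")
    client = CLIENTS.get(key_id)
    if client is None or not sep or client.revoked:
        # Compare against a dummy hash so an unknown key id costs the same
        # time as a wrong secret (no timing oracle on key ids).
        hmac.compare_digest(_hash(secret), _hash(""))
        return None
    # Constant-time comparison of the presented secret against the stored hash.
    if not hmac.compare_digest(_hash(secret), client.secret_hash):
        return None
    return client


def authorize(client: Client, method: str, path: str, source_ip: str) -> bool:
    """Authorization is a separate decision from authentication: a valid
    token only says who is calling, not what they may call or from where."""
    if client.source_nets:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in client.source_nets):
            return False
    return (method.upper(), path) in client.allowed


def handle_request(headers: dict, method: str, path: str, source_ip: str) -> int:
    """Returns the HTTP status the API would send: 401, 403 or 200."""
    client = authenticate(headers)
    if client is None:
        return 401            # unknown, revoked or wrong credential
    if not authorize(client, method, path, source_ip):
        return 403            # known client, but not allowed this call
    return 200


if __name__ == "__main__":
    # Constructed sample: one client allowed GET /v1/reports from 203.0.113.0/24.
    token = issue_client_key([("GET", "/v1/reports")], ["203.0.113.0/24"])
    hdrs = {"Authorization": "Bearer " + token}
    print(handle_request(hdrs, "GET", "/v1/reports", "203.0.113.7"))    # 200
    print(handle_request(hdrs, "POST", "/v1/reports", "203.0.113.7"))   # 403
    print(handle_request(hdrs, "GET", "/v1/reports", "198.51.100.1"))   # 403
    print(handle_request({}, "GET", "/v1/reports", "203.0.113.7"))      # 401
```

Two points worth noting for a production deployment: the IP allow-list should use the address of the TCP peer (or a trusted proxy's forwarded header, never one the client can set), and the key check must sit at the edge so that a service with the endpoint disabled in `allowed` cannot be reached by any path that bypasses the gateway.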