I am working on a set of REST APIs that needs to be secured so that only authenticated calls will be performed. There will be multiple web apps to service these APIs. Is there a best-practice approach as to where the authentication should occur?
I have thought of two possible places.
- Have each web app perform the authentication by using a shared authentication service. This seems to be in line with tools like Spring Security, which is configured at the web app level.
- Protect each web app with a "gateway" for security. In this approach, the web app never receives unauthenticated calls. This seems to be the approach of Apache HTTP Server Authentication. With this approach, would you use Apache or nginx to protect it, or something else in between Apache/nginx and your web app?
For additional reference, the authentication is similar to services like AWS that have a non-secret identifier combined with a shared secret key. I am also considering using HMAC. Also, we are writing the web services in Java using Spring.
Update: To clarify, each request needs to be authenticated with the identifier and secret key. This is similar to how AWS REST requests work.
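The per-request signing scheme the question describes (a non-secret key id plus a shared secret, with an HMAC over the request, in the style of AWS request signing), as an added example that is not part of the original post. The services in the question are Java/Spring; the scheme is shown here in Python because it is language-independent and the same canonical string and checks carry over to a Spring filter or to a gateway in front of the apps. The key id, secret, header names, canonical-string layout, clock window and scenario data are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed credential store: non-secret key id -> shared secret (example values, not the post's).
CREDENTIALS = {"AKID-EXAMPLE-001": b"example-shared-secret-do-not-reuse"}
CLOCK_SKEW_SECONDS = 300  # assumption: how far a request timestamp may drift from server time


def canonical_string(method, path, query, body, timestamp, nonce):
    """Deterministic text both sides sign. Query keys are sorted so reordering does not change it,
    and the body is hashed so the signature covers the payload without signing the raw bytes."""
    body_hash = hashlib.sha256(body).hexdigest()
    canonical_query = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    return "\n".join([method.upper(), path, canonical_query, body_hash, str(timestamp), nonce])


def sign_request(key_id, secret, method, path, query, body, timestamp, nonce):
    """Client side: compute the headers that accompany the request."""
    msg = canonical_string(method, path, query, body, timestamp, nonce).encode()
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": signature}


class Verifier:
    """Server or gateway side: every request is checked on its own, with no session state."""

    def __init__(self, credentials, now=time.time):
        self.credentials = credentials
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp; multiple app instances need a shared store with a TTL

    def verify(self, method, path, query, body, headers):
        secret = self.credentials.get(headers.get("X-Key-Id"))
        if secret is None:
            return False, "unknown key id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = self.now()
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return False, "timestamp outside window"
        # forget nonces too old to be accepted anyway, so the replay cache stays bounded
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= CLOCK_SKEW_SECONDS}
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "missing or replayed nonce"
        msg = canonical_string(method, path, query, body, ts, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # constant-time comparison so a wrong signature is not distinguishable by timing
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts  # only record the nonce after the signature checked out
        return True, "ok"


def demo():
    """Constructed scenarios: a good request, its replay, a tampered body, a stale timestamp, an unknown key."""
    now = 1_700_000_000
    v = Verifier(CREDENTIALS, now=lambda: now)
    key_id, secret = "AKID-EXAMPLE-001", CREDENTIALS["AKID-EXAMPLE-001"]
    body = b'{"order": 42}'
    headers = sign_request(key_id, secret, "POST", "/orders", {"v": "1"}, body, now, "nonce-1")
    stale = sign_request(key_id, secret, "GET", "/orders", {}, b"", now - 3600, "nonce-2")
    return {
        "valid": v.verify("POST", "/orders", {"v": "1"}, body, headers),
        "replay": v.verify("POST", "/orders", {"v": "1"}, body, headers),
        "tampered_body": v.verify("POST", "/orders", {"v": "1"}, b'{"order": 43}',
                                  dict(headers, **{"X-Nonce": "nonce-3"})),
        "stale": v.verify("GET", "/orders", {}, b"", stale),
        "unknown_key": v.verify("GET", "/orders", {}, b"", dict(stale, **{"X-Key-Id": "nobody"})),
    }
```

Two points worth keeping in mind whichever placement is chosen: the nonce cache only stops replays if every instance that verifies requests shares it, and HMAC requires the server side to hold the shared secret in a recoverable form (unlike a password hash), so the credential store becomes the thing to protect.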
Best Answer
It is a matter of separation of concerns. In one case, a dedicated identity provider (IDP) does the authentication and provides an access token, which is verified by all web applications before a user (or an application) can execute an operation. In the other case, every web application has to do that authentication (even if they share the same code base).
The implications are significant esp. for consuming code:
The benefit of each web application doing authentication is:
Amazon, Microsoft, Facebook, Google, etc., all use a dedicated service because the pros are far more important for their users and consuming applications than the cost of implementing. In addition, they all have dedicated teams that work on authentication features such as automated password resets, multi-factor authentication, API access, as well as implementing newer protocols and improving existing ones, esp. in terms of security.
[Disclaimer: I work at Microsoft in Active Directory and Security group. Opinions are my own, and I have made my best effort to make this response technology agnostic since it is a design question.]
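The split the answer describes, a dedicated identity provider that checks credentials and issues an access token which every web application verifies, as an added example that is neither the answerer's code nor any vendor's product. The user store, token format, signing key, audience names and timestamps are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; none of these come from the post.
IDP_USERS = {"alice": "correct horse battery staple"}  # plaintext only to keep the example short
TOKEN_KEY = b"idp-token-signing-key-example"          # symmetric key shared with the apps (see note below)
TOKEN_TTL_SECONDS = 900


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """The single place that checks credentials; everything else only ever sees tokens."""

    def __init__(self, users, key, now=time.time):
        self.users, self.key, self.now = users, key, now

    def authenticate(self, username, password, audience):
        stored = self.users.get(username)
        # compare_digest keeps the comparison constant-time for equal-length inputs
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        issued = int(self.now())
        claims = {"sub": username, "aud": audience, "iat": issued, "exp": issued + TOKEN_TTL_SECONDS}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{payload}.{_sign(self.key, payload)}"


class ResourceApp:
    """One of the many web apps. It never handles passwords; it only validates tokens."""

    def __init__(self, name, key, audience, now=time.time):
        self.name, self.key, self.audience, self.now = name, key, audience, now

    def handle(self, token):
        if not token or "." not in token:
            return 401, "missing or malformed token"
        payload, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(_sign(self.key, payload), sig):
            return 401, "bad signature"
        claims = json.loads(_unb64(payload))
        if claims.get("aud") != self.audience:
            return 401, "token not issued for this app"
        if claims.get("exp", 0) <= self.now():
            return 401, "token expired"
        return 200, f"{self.name}: hello {claims['sub']}"


def demo():
    """Constructed scenarios: good login, wrong password, wrong audience, forged claims, expired token."""
    now = 1_700_000_000
    idp = IdentityProvider(IDP_USERS, TOKEN_KEY, now=lambda: now)
    orders = ResourceApp("orders-api", TOKEN_KEY, "orders-api", now=lambda: now)
    billing = ResourceApp("billing-api", TOKEN_KEY, "billing-api", now=lambda: now)

    token = idp.authenticate("alice", "correct horse battery staple", "orders-api")
    payload, sig = token.rsplit(".", 1)
    forged_claims = dict(json.loads(_unb64(payload)), sub="mallory")
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    old_idp = IdentityProvider(IDP_USERS, TOKEN_KEY, now=lambda: now - 2 * TOKEN_TTL_SECONDS)
    expired = old_idp.authenticate("alice", "correct horse battery staple", "orders-api")

    return {
        "bad_password": idp.authenticate("alice", "wrong", "orders-api"),
        "orders_ok": orders.handle(token)[0],
        "wrong_audience": billing.handle(token)[0],
        "forged_claims": orders.handle(forged)[0],
        "expired": orders.handle(expired)[0],
        "no_token": orders.handle(None)[0],
    }
```

With a symmetric HMAC key, every app that can verify a token can also mint one, so in a real deployment the IDP would sign with a private key and the apps would hold only the public key; HMAC is used here to keep the example standard-library only. The audience check is what stops a token issued for one app from being accepted by another.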