Which oauth or openid-connect I need to choose in order to build a public sdk?


Which oauth or openid-connect I need to choose in order to build a public sdk?



I am going to build an SDK for developers to access my backend restful resources.
For example, I defined below restful apis:


get GET /changes/changeId
list GET /changes
getStartPageToken GET /changes/startPageToken



I need to secure my apis and I come across openid-connect, auth1 and auth2 but I am not sure which one I need to use. As far as I know, auth2 is more used to third-party authentication like login as google, facebook account etc. Is this right?


google


facebook



In some other public APIs design, a developer need to register a developer account and get an app key and secret. They can use the key and secret to use their APIs. Which type of this authentication is it?



Which one among them is more appropriate for my use case?





Did you find an answer for this ?
– Kavindu Dodanduwa
1 hour ago




1 Answer
1



OAuth 1.0 has been obsolete by OAuth 2.0. So you can remove OAuth 1.0 from your inventory.



Now the different between OAuth 2.0 and OpenID Connect is on their purpose. OAuth 2.0 is a framework built for authorization. OpenID Connect is built on top of OAuth 2.0 (extending its ability) and provides authorization as well as authentication (authentication is built on id token).



Now, these protocols enable you to complete a protocol flow and obtain tokens from an authorization server (sometime called an identity provider or an identity server). Unlike you maintaining users per application, user registry is maintained by authorization serve which can be shared between several applications. Also, authorization server will issue and maintain tokens. Also it will provide token validation mechanisms to be used by token consumers (ex:- OAuth 2.0 Token introspection).



As far as I know, auth2 is more used to third-party authentication



Not necessarily. As highlighted above, this approach enable you to centralised user account maintenance. And provide ways to obtain tokens against users for internal applications as well. Allowing third-party to authenticate comes as a bonus.



In some other public APIs design, a developer need to register a developer account and get an app key and secret. They can use the key and secret to use their APIs.



OAuth 2.0 (OpenID Connect) also require you to register you application at authorization server. But unlike app key, secret based approach (or API key based approach), what OAuth 2.0 provide you is the ability to automate token obtaining and token refreshing process. This is done by following a defined flow (ex:- Authorization code flow). Tokens having shorter life time and ability to revoke them benefit security wise as well.



Which one among them is more appropriate for my use case?



I prefer you to go with either OAuth 2.0 or OpenID Connect. With them, you can protect your APIs with access tokens. Users of your SDK should will send the access token as defined in Bearer Token Usage



Now what to choose between OAuth 2.0 and OpenID Connect ?



Well it depends what client end required from SDK. If client applications need to identify the end user and authenticate them, then you should choose OpenID Connect. But if client application only need to consume API, then you can use OAuth 2.0. Either way, your API must be called with a valid access token. And your API should validate access token before granting access.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Comments

Popular posts from this blog

paramiko-expect timeout is happening after executing the command

Opening a url is failing in Swift

Possible Unhandled Promise Rejection (id: 0): ReferenceError: user is not defined ReferenceError: user is not defined