Authentication and security for REST API in the context of Web Apps (Intro)

I am, finally, starting to look at developing REST APIs as the backend of Web Apps. I’m certainly not the first, and the community has already been developing great tools and technologies for this.

In particular, given my background with PHP and Symfony, I’ve been looking at:

For anyone who hasn’t read Roy T. Fielding’s thesis, I would highly recommend it, as much because it is THE document birthing the REST architectural style as because it offers extremely interesting insight into Web and HTTP technologies.

However, there is a subject on which I haven’t found many resources, which is “How to design a RESTful and secure authentication API?”, and the topic that obviously follows it: “How to integrate this with a RESTful API?”. Most platforms and tools focus on the API itself, putting security aside as a secondary concern. Even API Platform, which is a very promising platform, extremely developer friendly, and with an active community, doesn’t even try to offer decent default security settings yet.

In the next posts, I will try to provide my thoughts and ideas on the subject.

My main concerns or criteria are (in no particular order, but numbered for easy reference):

  1. RESTfulness: as much as possible, including statelessness and the HATEOAS principle;
  2. Genericity: although the discussion will use Linked data, JSON-LD and Hydra, the solutions proposed need to be easily transposed to other technologies;
  3. Cookies: they are very hard to avoid when discussing current Web Apps;
  4. Different levels of request authentication: anonymously, remembered & explicitly authenticated requests;
  5. Multiple schemes of user authentication:
    • password-based,
    • token-based,
    • MFA,
    • external trustee (OAuth/OpenID);
  6. CSRF Vulnerabilities (including Login CSRF);
  7. XSS vulnerabilities;
  8. Phishing attacks;
  9. Account enumeration vulnerabilities (and other forms of resource enumeration);
  10. User tracking by a third party;
  11. Token theft.

I will try to address and discuss these concerns and offer better insight on what should be important and why in the following posts:

  1. Token’s format (Credentials)
  2. Credentials storage and transit:
    1. Out-of-band credentials storage and transit
    2. In-band credentials storage and transit
  3. RESTful authentication API
  4. Modularity of RESTful authentication API
  5. Security of a RESTful authentication API
  6. Other security considerations for RESTful APIs