Skip to content

Latest commit

 

History

History
47 lines (34 loc) · 3.39 KB

Authentication.md

File metadata and controls

47 lines (34 loc) · 3.39 KB
stoplight-id tags
v4mvfak33ztd0
Authentication

Authentication

Proper authentication is a crucial part of ensuring the security and integrity of API interactions. The IXO Spatial Web API follows the best practices for REST services to provide a secure, reliable authentication mechanism for accessing its resources.

Best practices will always be adhered to.
Each API defines its own authentication implementation - see the specific details per API.

Best Practice Approach for Authentication

1. Bearer Token Authentication

The preferred method for authenticating requests to the IXO Spatial Web API is using Bearer Token Authentication. A bearer token, which is a secure token representing a user session or an API client, should be included in the HTTP Authorization header of each request.

In this method:

  • Access Tokens: Tokens should be securely generated and issued by an identity provider, typically during the OAuth2 authorization process.
  • Token Expiry: Access tokens are short-lived for enhanced security. Clients need to request a new token upon expiration.

2. OAuth 2.0 Protocol

The IXO Spatial Web API utilizes OAuth 2.0 for token issuance and management, which is an industry-standard protocol for authorization.

  • Client Credentials Flow: Used for server-to-server interactions, where a client application can request an access token to authenticate itself without a user context.
  • Authorization Code Flow: Used for user-facing applications, allowing users to securely authenticate and authorize the application to act on their behalf.

3. HTTPS Only

All requests to the IXO Spatial Web API must be made over HTTPS. HTTPS ensures that the data transmitted between clients and the API remains encrypted and protected from potential attackers. Any requests made over HTTP will be rejected to safeguard sensitive data.

4. API Key Management

While Bearer Tokens and OAuth 2.0 are recommended, an API key-based authentication mechanism is also available for simplicity in certain use cases.

  • Limited Access: API keys should be used for limited-access endpoints where security risk is minimal.
  • Environment Variables: API keys should be stored securely, preferably in environment variables, and never be hard-coded into applications.

5. JWT (JSON Web Tokens)

For enhanced security and scalability, JSON Web Tokens (JWT) may be used as part of the authentication strategy. JWTs provide a self-contained way to transmit information between parties, including user claims and authentication status.

  • Structure: A JWT consists of three parts: Header, Payload, and Signature. The payload contains claims, and the signature ensures data integrity.
  • Expiration: JWTs should have a set expiration time to limit their validity and reduce risks if compromised.

6. Rate Limiting & IP Whitelisting

To prevent abuse and protect the API from malicious actors:

  • Rate Limiting: Clients are subject to rate limits, restricting the number of requests that can be made within a certain timeframe.
  • IP Whitelisting: To further enhance security, sensitive API endpoints may require requests to come from specific whitelisted IP addresses.

By following these best practices, the IXO Spatial Web API ensures robust security for its users and the applications interacting with it, helping to prevent unauthorized access and data breaches.