
So I've created an API that I want to leverage to add some functionality to an existing web app. My current website authenticates users using SAML. What I'm looking to do, instead of moving the code into the existing codebase, is to find a way to authenticate to the new site and leverage the APIs that are already there.

My first thought was to create an API token authentication for the new APIs and rely on that for communicating from our client to this new backend, but I don't think this will be enough. The data is sensitive, and I don't think having API keys that can be easily taken from our client app is a good fit for this project.

My second thought was along the same lines as API tokens, but have them created only when the user logs in to the existing site. The existing site would create, store, and send some piece of identifying information after the SAML authentication that the new back end can use to identify the client as being legitimate when it sends this with the request. This makes sure the user has to log in to our site first, and there are no private/public keys here to take... I think.

Third is to just mirror the new API in the existing app, make the new APIs not reachable from the web, and then proxy calls from our existing app to the new app.

Any thoughts and criticisms of these ideas are welcome, or what other people have done to solve this kind of problem where they have a running web app with authentication and need to add new services that come along.

Greenonline
asked Oct 27, 2014 at 19:26
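One way to implement the second option described in the question (site A mints a short-lived, signed token after the SAML login; site B verifies it on each request), as an added example that is not from the question or its comments. The shared secret, the 300-second lifetime and the claim names are assumptions; the secret is held only by the two servers, so nothing long-lived is shipped to the browser, and a token that does leak from the client is only usable until it expires.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared secret: configured on the servers of site A and site B only,
# never embedded in the client app. Constructed placeholder value.
SHARED_SECRET = b"example-shared-secret-rotate-me"
TOKEN_TTL_SECONDS = 300  # short lifetime bounds the damage of a leaked token


def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Site A calls this after a successful SAML login and hands the token to its page."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, separators=(",", ":")).encode()
    ).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Site B calls this per request; returns the user id, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    # Check the signature before parsing anything, using a constant-time comparison.
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired or malformed
    return claims.get("sub")
```

Site B still needs its own authorization check on the returned user id; the token only proves that site A authenticated that user recently.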
  • It sounds like you are trying to implement something like OpenID, is this assertion correct? Commented Oct 27, 2014 at 20:34
  • To some degree yes. The TL;DR version is I have a site A where users authenticate against CAS. Now I have a new site B that's just a bunch of RESTful endpoints, but I want it so that from website A I can call the RESTful endpoints in B and have them authorized/authenticated. It's possible that I could get official OpenID support turned on in our CAS server, but I don't know what the turnaround time is for that, and we were looking to start using these new endpoints immediately. Commented Oct 27, 2014 at 22:56
  • Do you control both sites? If so, you might just be able to use SSL to establish trust between the servers, after using a traditional login to establish trust between the client and the first server. Commented Oct 28, 2014 at 4:11
  • Yes I'm in the best position here where I control all the websites. So the SSL trust does that mean I would be making the calls from the backend of site A to site B? So far the more I think about it this is the best way to go. Commented Oct 28, 2014 at 5:35
  • You could set up site B as a SAML service provider, use the same entity ID/certs and replay the original SAML assertion to it. Commented Oct 28, 2014 at 9:48
