I have a multi-tenant web application that allows authenticated users to make changes to their application instance - making comments as an example.
I'd like to build an API that allows a user of any external web app to be able to perform an action in my app and record the action as having been carried out by the logged-in user of the external app, e.g. "Wanda Bloggs commented 3 minutes ago".
Is this possible while keeping the API as generic as possible (not tied to one specific external app)? What should I be looking at to be able to implement this?
Another option is to just mark all API activity as something like "API user commented 3 minutes ago", but that way is too anonymous and far from ideal.
Any guidance or pointing in the right direction appreciated!
Are you talking about an API Key? – Adriano Repetti, Oct 6, 2018 at 17:32
1 Answer
Basically you get a "Web API token" for each user in your app, and store it securely and locally in the app. Then you use it to authenticate the request (at its simplest, you send it along with your normal request).
You need a function to be used just once to connect to the Web app, authenticate and get a token; or you can display it in a Web page (after authenticating, of course) via a QR code, and the app scans the QR code.
To make it a bit safer, you can send along your current Unix timestamp and a cryptographically secure hash of that timestamp plus the token. The server can then verify that the timestamp is fresh, and that the hash matches.
This could be added as an extra header in the HTTPS request.
Thanks LSerni - so if I am understanding correctly, the requesting system will need to attach the unique user API token to each of its users, then anything they do via the API can be linked to an existing user in my system - right? – user3895395, Jun 8, 2018 at 14:33
More or less. This needs to be done securely, of course. You might want to look into OAuth2. – LSerni, Jun 8, 2018 at 18:01
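The scheme the answer sketches (a per-user token stored by the external app, a timestamp sent with each request, and a keyed hash the server recomputes and compares) worked through as an added example; this is not LSerni's code or anything from the asker's application. It realizes "a cryptographically secure hash of that timestamp plus the token" as HMAC-SHA256 with the token as the key, and goes slightly beyond the answer by also binding the method, path and body into the MAC and adding a nonce so a captured request cannot be replayed inside the freshness window. The header names, the key-id lookup, and the sample token store are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample store: the service keeps one secret token per user of the
# external app, indexed by a non-secret key id that travels in the request.
TOKEN_STORE = {
    "key_7f3a": {"user": "Wanda Bloggs", "token": "c0ffee-constructed-secret-token"},
}

MAX_SKEW_SECONDS = 300  # how far the client's clock may drift before we reject


def canonical_string(method, path, body, timestamp, nonce):
    """Bytes both sides MAC: method, path, timestamp, nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(key_id, token, method, path, body, timestamp=None, nonce=None):
    """Client side: build the extra headers for one HTTPS request (header names are constructed)."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(token.encode(), canonical_string(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {
        "X-Api-Key-Id": key_id,
        "X-Api-Timestamp": str(ts),
        "X-Api-Nonce": nonce,
        "X-Api-Signature": mac,
    }


class NonceCache:
    """Remembers (key_id, nonce) pairs long enough that any replay is still caught."""

    def __init__(self):
        self._seen = {}

    def check_and_add(self, key_id, nonce, now):
        # A timestamp up to MAX_SKEW in the future stays valid until 2*MAX_SKEW
        # from now, so entries must live that long before they can be pruned.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= 2 * MAX_SKEW_SECONDS}
        key = (key_id, nonce)
        if key in self._seen:
            return False
        self._seen[key] = now
        return True


def verify_request(headers, method, path, body, store=TOKEN_STORE, cache=None, now=None):
    """Server side: return (True, user) on success or (False, reason) on failure."""
    now = int(time.time()) if now is None else now
    try:
        key_id = headers["X-Api-Key-Id"]
        ts = int(headers["X-Api-Timestamp"])
        nonce = headers["X-Api-Nonce"]
        sig = headers["X-Api-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    record = store.get(key_id)
    if record is None:
        return False, "unknown key id"
    # Freshness check first: it is cheap and bounds how long a captured request is useful.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(record["token"].encode(),
                        canonical_string(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if cache is not None and not cache.check_and_add(key_id, nonce, now):
        return False, "replayed nonce"
    return True, record["user"]


if __name__ == "__main__":
    body = b'{"comment": "hello"}'
    headers = sign_request("key_7f3a", TOKEN_STORE["key_7f3a"]["token"], "POST", "/api/comments", body)
    print(verify_request(headers, "POST", "/api/comments", body, cache=NonceCache()))
```

The external app calls `sign_request` with the token it stored at enrolment and adds the returned headers to its normal HTTPS call; the service calls `verify_request` and, on success, attributes the comment to the returned user. Because the token itself never leaves the client after enrolment, a logged or intercepted request exposes only a short-lived signature, which is the property the answer's timestamp-plus-hash suggestion is after.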