8
9 Comments

Easy way to secure APIs?

Are there any simple authentication services any of you have used to help secure cloud hosted APIs? I'd rather not go through all the hoopla of setting up OAuth, is there a simple public/private key (or anything) method anyone has used? My use case is for dot net core but I'd be interested in checking out any platform.

Thanks all!

  1. 4

    Firebase auth is by far the simplest auth provider I've ever worked with. I work with aws cognito in my day job, and I would say for sure firebase auth is much more friendly to work with.

    1. 1

      I'll be checking this out, thanks!

    2. 1

      Completely agree 100%

  2. 2

    Hi Colin,

    Have you already looked at this:

    https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-web-api?view=aspnetcore-3.1&tabs=visual-studio#add-authentication-support-to-a-web-api

    However when I read that you want something simpler, perhaps this post has some pointers: https://stackoverflow.com/questions/38977088/asp-net-core-web-api-authentication . Be careful with less secure methods though.

    This is a nice overview of different API Authentication methods: https://blog.restcase.com/4-most-used-rest-api-authentication-methods/

    Cheers,
    Jeroen

  3. 1

    There are several layers of authentication I apply based on the requirements;

    • BASIC AUTH when I need to secure something quickly, usually applied on the reverse proxy.
    • A static key when I'm really time constrained (but usually I'll continue looking for a better alternative)
    • Custom OAuth server when I want to stay in control of user management (I'm running Identity Server, a .NET OAuth/OpenID implementation)
    • Any 3rd party OAuth provider such as Facebook, Google, Twitter, GitHub etc when I only want to verify a user's existence.

    Usually I try to go with a pre-made library as it takes a lot of effort and in-depth knowledge about the environment you're operating in to make sure your endpoints are secure.

  4. 1

    I'd highly recommend Auth0. It really future proofs a lot of security features.

    But if you are just looking for something dead simple, you could easily roll your own. Just pass in a string and check it against a DB or JSON file.

  5. 1

    If you are only worried about unauthorized users, then something as simple as assigning all valid users a unique "key" that must be included with every call. Although, if you are worried about securing it, it really is not much effort to implement 3rd party authentication, i.e. Google, Yahoo, Facebook sign-in.

  6. 1

    Basic auth. The user logs in with user/pass and you generate an API key that is used for auth of the API.

  7. 1

    There's a lot of options out there. What cloud platform are you on? AWS for example has a service for this called Cognito: https://aws.amazon.com/cognito/. Also, Auth0 is a cloud platform agnostic solution that takes care of the OAuth hassle for you: https://auth0.com/.
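The per-user key approach suggested in replies 4, 5 and 6, as an added example that is not from any commenter: issue a random key after login, keep only its hash in the store, and compare in constant time on every call. The `ApiKeyStore` class, the `X-API-Key` header name and the in-memory dict standing in for the DB or JSON file are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """In-memory stand-in (hypothetical) for the DB/JSON file; holds key hashes only."""

    def __init__(self):
        self._records = {}  # key_id -> (user, SHA-256 digest of the secret part)

    def issue(self, user):
        """Create a key for an already-authenticated user. Show it once, never store it."""
        key_id = secrets.token_hex(8)        # public lookup handle
        secret = secrets.token_urlsafe(32)   # 256 random bits, so a fast hash is enough
        self._records[key_id] = (user, hashlib.sha256(secret.encode()).digest())
        return f"{key_id}.{secret}"

    def verify(self, presented):
        """Return the owning user, or None if the key is missing, malformed or wrong."""
        key_id, sep, secret = (presented or "").partition(".")
        record = self._records.get(key_id)
        if not sep or record is None:
            return None
        user, stored = record
        candidate = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison: response time does not reveal how many bytes matched.
        return user if hmac.compare_digest(candidate, stored) else None

    def revoke(self, presented):
        """Delete a key by its id; returns True if it existed."""
        return self._records.pop(presented.partition(".")[0], None) is not None


def authenticate(headers, store):
    """Map request headers to a user. X-API-Key is an assumed header name."""
    return store.verify(headers.get("X-API-Key"))


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("colin")                          # constructed sample user
    print(authenticate({"X-API-Key": key}, store))      # the issued key maps to its user
    print(authenticate({"X-API-Key": key + "x"}, store))  # tampered key is rejected
    store.revoke(key)
    print(authenticate({"X-API-Key": key}, store))      # revoked key is rejected
```

Because only the digest is stored, a leaked copy of the store does not hand out working keys, and a single key can be revoked without touching the others.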
