-1

I have a REST API with protected endpoints, which require an AccessToken for access. For the user to receive the AccessToken, they need to access the login endpoint and with the correct credentials (username/password) the AccessToken will be returned to them, as well as the RefreshToken, via HTTP-Only Cookies. So far so good.

In this same REST API, I have other endpoints aimed at issuing reports that should not be viewed by users with logins and passwords, but rather by a website that I built in NextJS. Some website links will have access to these other endpoints. In this case, it would be strange for me to create a login/password for the website. What type of authentication would be suggested in this case between my website/my REST API?

PS: My client website already has its own authentication system and these REST API endpoints are administrative and will only be accessed by the website; they will not be accessed by a common client with an app that requires an AccessToken to load its own data... If I use the REST API authentication system, I will have to create an administrative user for each user who already has a login on my website, and force them to log in again by sending the credentials as if they were a regular user. I don't know how to proceed in this case, but from what I've been studying, the ideal solution would be to use the concept of API KEY, which from what I understand would be a key that would only be known by my website (server side) and by the REST API to check each request.

  • “… it would be strange for me to create a login/password for the website” Why…? How much different is this than issuing a client ID and client secret?
    – esqew
    Commented Jan 11 at 1:03
  • And who are the users of your NextJS app? Are they people or other programs?
    Commented Jan 11 at 1:15
  • 1
    "In this case, it would be strange for me to create a login/password for the website." On the contrary: that's exactly what you should do.
    – freakish
    Commented Jan 11 at 6:57
  • @GregBurghardt... In fact, only users who have access to these pages, through the site's own authentication system, will access them, and therefore they will consume the REST API that uses another authentication source. I discovered something called API KEY, which seems to fit very well with what I want. In this REST API, these endpoints will only be accessed by my website and through these pages. I am calling these endpoints through an Action Server (NextJS) sending an API KEY, and there in the REST API I check on these endpoints whether the API KEY checks out, and if so, access is granted.
    – Joao
    Commented Jan 11 at 14:23
  • @esqew Because my site has its own authentication system, different from the REST API authentication. These are administrative endpoints that will be used by this website. It would be redundant for the website user who has already logged in and has administrative privileges to have to log in on another screen providing the REST API credentials just so that these pages have access to these endpoints. Did you understand?
    – Joao
    Commented Jan 11 at 14:31

1 Answer

-1

OAuth

Although it is always best practice to plan security implementation right from the start of development, OAuth offers many good and modern options; any method that OAuth provides is good to go, in a way that is not too complex to implement over existing projects.

To determine the best method, one would need to be familiar with the codebase and project requirements.
