Securing REST APIs without a UI front end

Hi community, I am pretty new to OAuth and Auth0 in general.

Our team has a web application that produces data via a REST API. That application doesn’t have a UI; users and downstream services invoke the API URL directly to get the data.

Our company has an Okta-supported authentication platform, OAM and LDAP.
Our new requirement is to secure the application and identify the user/service as to who/what accessed the API, most importantly the what (service), since those can just invoke the API without any OAM-injected headers for us to verify. In future we will also need to secure some APIs based on the group access rights (role) of users/services. The application was written in Java with Spring Boot; we tried to stay away from rolling our own authentication/user account/password management.

Am I right to say that in my case, both the service and the actual human user who invoke the endpoint are both the client application and the resource owner, since there is no end-user authorization needed?

What would be the best approach to adopt an appropriate framework to achieve this?

Thank you.

Hi @zying,

Welcome to the Auth0 Community!

It sounds like you are planning on registering multiple machine-to-machine connections. If you want to register clients programmatically, that can be done using the Management API v2. Otherwise you can manually register clients through the Auth0 Dashboard.

If you are planning on having users log in to an account where they register their own applications, then you will have to have some UI and user authentication layer on top where a user can go and get their client ID and secret. Otherwise it will more or less just be registering M2M connections.

A lot of this depends on how you are planning on setting up your clients: manually, self-service for users, or otherwise.

Take a look at these links for some more info about M2M and client credentials grants:

I can help further if you can elaborate on the use-case and the expected setup flow and what that will look like.

Thanks,
Dan

Hi @dan.woda, thank you for the reply. I will surely check out the links you provided. My application is a simple Spring Boot app that contains multiple REST APIs; when invoked, it returns JSON data. This Spring application has no UI on top. The consumers of the application are corporate employees and “services” (non-human, e.g. scripts, programs). Corporate employees are all in an LDAP. My goal is to secure the application so that all corporate employees can access the endpoint while logged in to the corporate network. Those services will have to be managed by us, so any service that would like to access the endpoint will need us to register it, and then we provide it the necessary info to access. On top of that, once the previous part is set up, we would like to impose security on specific users/services so they can only access the endpoints they are authorized to. So the application (Auth0, Okta, Keycloak etc.) needs to be able to authenticate both individual employees and services/machines. Does that involve 2 different authentication flows in any of the OIDC providers? Can it be done?

@zying,

You shouldn’t have any problems setting up the LDAP connection, look here:

You can whitelist your corporate network IP in a rule, limiting access to only that network. Check out this rule you can add during the authentication process:

You can register your apps with limited scopes. The following doc has some examples of what that looks like:

For users, you can implement Role Based Access Control to limit their roles and permissions. Take a look at this example:

How are your users going to access the API endpoints? With some sort of SPA/web/native app UI? The flow you use for them will depend on what that looks like. For the machines you will likely want to use the client credentials grant.

I am not intimately familiar with Spring Boot, but we have a blog post that might be useful. Otherwise I can ask for some extra assistance on that aspect.

Hopefully that helps!

Thanks,
Dan

Hi thanks for the valuable info provided. I was able to implement the service to service flow.

My next question is: is it possible for one single REST application to support different grant flows? One for service-to-service, which I just implemented, and one for the resource owner password credentials grant?

1 Like

@zying,

Just to clarify, are you saying you have a REST API that is serving multiple types of applications? As an example, a calendar API that serves data to a SPA and a server?

If the answer to this is yes, then yes you can do this.

Thanks,
Dan

In my case, “multiple types of applications” are end users who invoke the URL directly in their browser and applications (services) that consume data via curl or other programs (non-web-UI client applications).

If I understand you correctly this should certainly be possible. A web app/SPA for users that need to log in and an M2M connection for your services.

For a regular web app:
https://auth0.com/docs/flows/guides/auth-code/call-api-auth-code
For SPA:

For M2M: