0
votes

A newbie question about API security:

When I applied API service from some API providers, usually I just login and generate an api key or token in their api management site. After that I can embed this api key or token in the request to access the API.

I was told that this is OAuth 2. But, after reading a few articles about OAuth 2, it seems the OAuth 2 token issued from the OAuth server will expire and a refresh token is required to fetch a new token.

But the API keys I got from those API providers do not mention any expiration; instead, I can manually revoke the API key on their API management site.

So, if I have some APIs which I want to protect in a similar way (letting the user manage their own API key on my site), how can I achieve that using an OAuth 2 server?


1 Answer

1
votes

I think what you explained above are two different ways to authorize a request:

A. Using API Keys

  • These API keys are usually long strings that you generate inside a dashboard
  • You as a developer would usually have one API key throughout your app, and you append this API key to requests to the API provider

B. Using OAuth 2.0

  • OAuth 2.0 uses a different kind of token to authorize requests; it usually involves a short-lived access token and a long-lived refresh token.
  • These tokens are usually for Users, each user will have a different token that expires every X days.
  • To acquire a token, the user has to "log in" to your site or an Identity Provider's site (like Google Accounts) and enter their credentials every time the token expires.

Here's a picture to show the difference:

[Image: OAuth 2.0 vs API Keys]

If you want to provide an API service for other developers:

  • Use OAuth 2.0 to log in the developers to their dashboard (this means your server routes that interact with the dashboard would be protected by the OAuth 2.0 tokens, requiring the developer to log in to update some settings)
  • Use API Keys to access your provided API routes. Developers have to log in and generate API keys from the dashboard. Then they can use this API key to fetch resources from your API.

Here's a more thorough explanation about OAuth 2.0, access tokens, and how to implement it on your site.
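As an added example (not part of the question or the answer above), the following Python sketch shows the API-key half of the answer's recommendation: a developer who has already logged in to the dashboard issues a key, the server stores only a hash of it, requests carry the key in an `Authorization` header, and the key stays valid until the developer revokes it from the dashboard, with no expiry, exactly as the question describes. The class and function names, the `ak_` prefix and the in-memory store are all assumptions made for illustration.

```python
"""Illustrative API-key issuance, verification and revocation.

Added example; not code from the original question or answer. Names such as
ApiKeyStore, authenticate and the "ak_" prefix are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiKeyRecord:
    owner: str        # developer account the key belongs to
    key_hash: str     # sha256 of the secret part; plaintext is never stored
    revoked: bool = False


class ApiKeyStore:
    """In-memory stand-in for the dashboard's key table (assumption: a real
    service would persist this in a database keyed by key_id)."""

    PREFIX = "ak_"    # constructed prefix so keys are recognisable to secret scanners

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}   # key_id -> record

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, owner: str) -> str:
        """Create a key for `owner` and return the plaintext exactly once.
        Only its hash is retained, so a leaked table yields no usable keys."""
        key_id = secrets.token_hex(8)          # public lookup handle shown in the dashboard
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy
        self._records[key_id] = ApiKeyRecord(owner=owner, key_hash=self._hash(secret))
        return f"{self.PREFIX}{key_id}.{secret}"

    def key_ids(self, owner: str) -> List[str]:
        """Key ids the dashboard would list for a developer (active ones only)."""
        return [k for k, r in self._records.items() if r.owner == owner and not r.revoked]

    def revoke(self, key_id: str) -> bool:
        """Dashboard action: mark a key unusable. True if it was active."""
        record = self._records.get(key_id)
        if record is None or record.revoked:
            return False
        record.revoked = True
        return True

    def _parse(self, api_key: str) -> Optional[Tuple[str, str]]:
        if not api_key.startswith(self.PREFIX):
            return None
        key_id, sep, secret = api_key[len(self.PREFIX):].partition(".")
        if not sep or not key_id or not secret:
            return None
        return key_id, secret

    def verify(self, api_key: str) -> Optional[str]:
        """Return the owner if the key is well-formed, known and not revoked.
        No expiry is checked: the key lives until the developer revokes it."""
        parsed = self._parse(api_key)
        if parsed is None:
            return None
        key_id, secret = parsed
        record = self._records.get(key_id)
        if record is None or record.revoked:
            return None
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(record.key_hash, self._hash(secret)):
            return None
        return record.owner


def authenticate(store: ApiKeyStore, headers: Dict[str, str]) -> Optional[str]:
    """Server-side check for an API route: the key is embedded in the request
    as 'Authorization: Bearer ak_...'. Returns the owner or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return store.verify(token.strip())


if __name__ == "__main__":
    # Constructed walk-through: issue, use, revoke.
    store = ApiKeyStore()
    key = store.issue("alice")
    print("issued:", key)
    print("request accepted for:", authenticate(store, {"Authorization": f"Bearer {key}"}))
    store.revoke(store.key_ids("alice")[0])
    print("after revocation:", authenticate(store, {"Authorization": f"Bearer {key}"}))
```

The design point is that the dashboard route that issues and revokes keys is the one protected by the developer's OAuth 2.0 login, while the API routes themselves only ever see the key, which is looked up by its public id and compared by hash.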