Ways to Secure REST APIs

A REST API is an application interface through which an application exposes its resources to client applications. Jira's REST APIs let you integrate with Jira by querying and modifying data in your Jira instance. Because these APIs are reachable over the network (often from the public internet) and an unauthenticated caller could read or modify sensitive resources, it is crucial that every API call made to the server is authenticated, and that calls are made over HTTPS so that the credentials or tokens used are not exposed in transit.

The authentication methods used to secure REST APIs are:

  • Basic Authentication
  • API Key Authentication
  • OAuth 2.0 Authentication

We will learn about them briefly below.

 

Basic Authentication:

Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends the username and password, joined by a colon and base64-encoded, in the Authorization header of every request. Base64 is an encoding, not encryption: anyone who can read the header (a proxy, a log file, or an attacker on the network path if TLS is not used) can recover the password directly. With Basic authentication every API call therefore exposes the user's primary, long-lived credential, so each call is an opportunity for credential theft. For these reasons it is not recommended for REST API access.
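As an added illustration (not code from the original post), the following Python builds the header a Basic-auth client sends and then recovers the cleartext password from it, the way anyone who sees the header in a proxy or access log would. The username, password and log line are constructed sample data.

```python
import base64
import binascii
import re


def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value a Basic-auth client sends:
    'Basic ' + base64(username:password). Nothing here is secret-preserving."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_basic_header(header_value: str):
    """Recover (username, password) from a Basic Authorization header.

    This is exactly what a proxy, a log aggregator or an attacker on the path
    can do: base64 is reversible. Returns None for anything that is not a
    well-formed Basic header.
    """
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", header_value.strip(), re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first colon only
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


# Constructed sample access-log line of the kind a reverse proxy writes when it is
# (mis)configured to log request headers. Hypothetical data, not from the page.
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [21/Jun/2021:10:15:02 +0000] "GET /rest/api/2/myself HTTP/1.1" '
    '200 512 "Authorization: Basic YWxpY2U6czNjcmV0IQ=="'
)


def credentials_from_log_line(line: str):
    """Pull the Basic credentials out of a log line that captured the header."""
    m = re.search(r"Authorization:\s*(Basic\s+[A-Za-z0-9+/=]+)", line)
    return credentials_from_basic_header(m.group(1)) if m else None


if __name__ == "__main__":
    hdr = build_basic_header("alice", "s3cret!")
    print(hdr)
    print(credentials_from_basic_header(hdr))
    print(credentials_from_log_line(SAMPLE_LOG_LINE))
```

The decoded pair coming straight back out of the header is the whole point: the only thing standing between a captured request and the user's password is TLS on the wire and discipline about what gets logged.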

(Figure: Basic Authentication)

 

Authentication methods for an SSO-enabled Jira Server:

If the application is federated through SSO protocols such as SAML, OAuth or OIDC, users generally do not have (or do not know) a local application password; they only hold credentials at the Identity Provider. Basic authentication against the local user directory therefore does not work for them. In this case, you can use one of the methods below.

 

API Key Authentication

Use API keys as an alternative to Basic authentication to keep unauthenticated users away from your REST APIs. With API key authentication, the server generates a random key for a user. The client then sends this key in the authentication request in place of the user's password. Because the key is separate from the password, it can be revoked and regenerated at any time without affecting the user's login, which limits the damage if a key is leaked.

From a usability point of view, API keys have clear advantages: they are simple (a single opaque identifier) and, because they are random and revocable, safer to handle than a password. For some use cases they are the best fit, for example as a unique identifier for a calling application. We provide support for API key authentication and additionally let you control which users are allowed to call the REST APIs.
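The following Python is an added example of the server side of API key authentication; it is not the app's own code. It assumes a hypothetical design: a key is a random key id plus a random secret, only a SHA-256 hash of each key is stored, every key has a maximum lifetime, keys can be revoked, and an allow-list decides which users may call the REST API at all. The key is accepted either in place of the password in a Basic header or as a Bearer token, which are the two ways the post and its comments describe sending it.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    user: str
    key_hash: str       # SHA-256 of the full key; the key itself is never stored
    expires_at: float   # unix time after which the key is dead
    revoked: bool = False


class ApiKeyStore:
    """Issue, revoke and verify per-user API keys (hypothetical design)."""

    def __init__(self, allowed_users, max_lifetime_s=90 * 24 * 3600):
        self.allowed_users = set(allowed_users)   # who may call the REST API at all
        self.max_lifetime_s = max_lifetime_s      # assumed maximum key lifetime
        self.records = {}                         # key_id -> KeyRecord

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, user: str, now=None) -> str:
        """Create a random key for `user` and return it once; only its hash is kept."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(8)
        key = f"{key_id}.{secrets.token_urlsafe(32)}"
        self.records[key_id] = KeyRecord(user, self._hash(key), now + self.max_lifetime_s)
        return key

    def revoke(self, key: str) -> None:
        key_id = key.partition(".")[0]
        if key_id in self.records:
            self.records[key_id].revoked = True

    def _verify_key(self, key: str, now: float):
        """Return the owning user if `key` is valid right now, else None."""
        rec = self.records.get(key.partition(".")[0])
        if rec is None:
            return None
        # constant-time comparison so response timing leaks nothing about the hash
        if not hmac.compare_digest(rec.key_hash, self._hash(key)):
            return None
        if rec.revoked or now >= rec.expires_at:
            return None
        if rec.user not in self.allowed_users:
            return None
        return rec.user

    def authenticate(self, authorization: str, now=None):
        """Resolve an Authorization header to a user name, or None.

        Accepts the key as the password of a Basic header
        (Authorization: Basic base64(user:key)) or as a Bearer token.
        """
        now = time.time() if now is None else now
        scheme, _, value = authorization.strip().partition(" ")
        value = value.strip()
        if scheme.lower() == "bearer":
            return self._verify_key(value, now)
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
            user, sep, key = decoded.partition(":")
            if not sep:
                return None
            owner = self._verify_key(key, now)
            # the user named in the header must be the key's owner
            return owner if owner == user else None
        return None


def basic_header(user: str, key: str) -> str:
    """Build 'Authorization: Basic base64(user:key)' the way a client would."""
    return "Basic " + base64.b64encode(f"{user}:{key}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    store = ApiKeyStore(allowed_users={"alice"})
    key = store.issue("alice")
    print(store.authenticate(basic_header("alice", key)))   # alice
    print(store.authenticate("Bearer " + key))              # alice
    store.revoke(key)
    print(store.authenticate("Bearer " + key))              # None
```

Storing only a hash means a database leak does not hand out usable keys, and checking the allow-list on every call is what gives the per-user control over REST access that the text mentions.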

(Figure: API Key Authentication)

 

REST API Authentication using OAuth 2.0

This method lets you authenticate calls to your application's REST APIs with any OAuth 2.0 or OpenID Connect provider. The client first obtains an access token from the OAuth/OpenID provider and then presents that token, as a Bearer token in the Authorization header, on each API call; the server validates the token before serving the request.

It is fundamentally more secure and more powerful than the other approaches, mainly because it supports scopes that restrict a token to specific parts of the API, so a leaked token cannot be used beyond what it was issued for. It is the best solution for those who already have an external OAuth provider. As an added advantage, access tokens are short-lived and expire after a set time, and can be revoked at the provider, which makes a stolen token far less useful to an attacker than a password or a long-lived key.
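The following Python is an added example of the exchange described above, not code from the post or from any provider. It assumes a hypothetical provider that issues HS256-signed JWT access tokens with a secret shared with the API server (most real providers sign with RS256 and publish their public keys; the validation steps are the same), a fixed issuer and audience, and made-up scope names `read:issues` and `write:issues`. The provider side mints the token; the resource-server side checks signature, issuer, audience, expiry and scope before letting the call through.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical parameters, not from the page.
ISSUER = "https://idp.example.com"
AUDIENCE = "jira-rest-api"
SHARED_SECRET = b"demo-secret-do-not-use"   # HS256 key shared by provider and API


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(subject: str, scopes, issued_at: int, lifetime_s: int = 900) -> str:
    """Provider side: issue a short-lived HS256 JWT with a space-separated scope claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": issued_at, "exp": issued_at + lifetime_s,
              "scope": " ".join(scopes)}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenError(Exception):
    pass


def verify_access_token(token: str, now: int) -> dict:
    """Resource-server side: return the claims if the token is valid, else raise."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token's own header choose it ("none", key confusion)
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def authorize_request(authorization_header: str, required_scope: str, now: int):
    """Check a Bearer header against a required scope; return the subject or None."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    try:
        claims = verify_access_token(token.strip(), now)
    except TokenError:
        return None
    granted = set(claims.get("scope", "").split())
    return claims.get("sub") if required_scope in granted else None


if __name__ == "__main__":
    t0 = 1_624_270_000   # an arbitrary issue time
    token = mint_access_token("alice", ["read:issues"], issued_at=t0)
    print(authorize_request("Bearer " + token, "read:issues", now=t0 + 60))    # alice
    print(authorize_request("Bearer " + token, "write:issues", now=t0 + 60))   # None
    print(authorize_request("Bearer " + token, "read:issues", now=t0 + 3600))  # None
```

The second and third calls are the two properties the text credits to OAuth 2.0: a token scoped to reading cannot write, and a token past its `exp` is refused even though its signature is still valid.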

(Figure: OAuth 2.0 Authentication)

 

Try out our REST API Authentication app. The app supports several methods, such as API tokens and OAuth 2.0/OpenID Connect tokens, and it also provides configurable access control to block REST API calls made using Basic authentication or OAuth 1.0.

For detailed information about our REST API Authentication app, please refer to the link.

In case of any queries, please feel free to drop us a mail at info@xecurify.com.

Matthias Gaiser _K15t_ (Community Leader), June 21, 2021

@Shradha Kamble - if I'm fine in using API Tokens, could you tell me what's the advantage of using your app vs using Atlassian's built-in mechanism?

Devin, June 21, 2021

API keys are for projects or applications; authentication is for users. For example, Google Cloud exposes API keys to access it and identify the application.

While API keys identify the calling project, they don’t identify the calling user. For instance, if you have created an application that is calling an API, an API key can identify the application that is making the call, but not the identity of the person who is using the application.


Shweta Vispute, June 21, 2021

Hello Matthias,

This plugin has some demanding functionality in addition to the basic API Token feature, such as the ability to set the API Token's maximum expiry time. Some automation tools demand a bearer token instead of basic authentication, and you can send the API token as a Bearer token using our plugin. This plugin also has the ability to restrict access to the REST API based on IP address and user groups.

The plugin also supports JWT token and OAuth 2.0 authentication, as well as providing configurable Access Control to Jira's default authentication methods such as basic authentication and OAuth 1.0.

I'd like to add to Devin's point that API keys are sometimes required to identify the user rather than the application. The user-specific API Token option is available in this plugin.

PS: I am a developer at miniOrange, a Top Atlassian SSO Vendor!

If you have any questions about it or would like to discuss it further, you can reach out to info@xecurify.com.

I hope this helps you!

Thanks,
Shweta.
