fusionauth-issues
API keys for application
Problem
FusionAuth allows for the set up of API keys that restrict access to the FusionAuth API. Is there any intention for FusionAuth to be used to allow the set up of an API key that can be used by the application to allow tenant-specific access to the application's API?
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
If I understand the request, we do allow you to create an API key that can only work for a specific tenant. (i.e. can only access users, groups and applications in a tenant)
https://fusionauth.io/docs/v1/tech/tutorials/tenants#make-an-api-call-for-a-specific-tenant
Or are you saying you'll have many tenants, and many applications in each tenant, and you want the API key to only work for one application in a specific tenant?
From what I've seen and read, I got the impression that the optionally tenant-specific API keys that can be configured with FusionAuth are only for accessing the FusionAuth API.
This request is about being able to configure API keys for application API calls.
Making up an example, supposing that my application uses FusionAuth for its user directory and authentication. Suppose that application has a GET /widgets API etc. I'd like to be able to set up an API key that limits access to that application API.
On Sat, 20 Apr 2019, 14:41 Daniel DeGroff, [email protected] wrote:
If I understand the request, we do allow you to create an API key that can only work for a specific tenant. (i.e. can only access users, groups and applications in a tenant)
https://fusionauth.io/docs/v1/tech/tutorials/tenants#make-an-api-call-for-a-specific-tenant
Let me know if I'm not understanding the request.
Ah, ok, I think I understand.
You can limit access to the Application API: you can toggle on GET, DELETE, PUT, POST (for example) for the /api/application row in the API key table. This will limit this API key to these API requests.
This will not limit the request for a specific application by Id which I think is what you're getting at?
When you say application, do you mean a FusionAuth application, or as a general term to mean users, groups, and applications for your "application"?
I see what you are looking for. Currently, FusionAuth doesn’t support managing API keys for your backend APIs. If you are using JWTs, then you can use those as your API key. We have these flows documented here:
https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows
Your use case might use this flow:
https://fusionauth.io/articles/logins/webapp/oauth-authorization-code-grant-jwts-refresh-tokens-cookies
Otherwise, you would need to build an API key tool yourself currently.
Let us know if the JWT solution won’t work and we can see if this feature request will get upvoted to be included in the next release.
Hi, first of all thank you for your hard work!
I'd also like to have this kind of mechanism implemented for managing browser and non-browser authentication and knowing which user is consuming an application/service (and limiting and tracking and so on).
I'll try to briefly describe a use case here:
For instance imagine I have a service that makes some useful computation and I want (all or some of - rbac based) my registered users to consume it within the limits I can set for its usage (probably in the app/service business logic itself?), and the possibility to revoke this authorization in any moment. Consumer can be anything from web page to another service.
I'd need a way to issue (and revoke) one or more api keys for a given <application-registered_user> pair and track (monitor, count) all requests made with each api key, even when it is a B2B service authentication, i.e. one of my user has a server that consumes my service API using this api key mechanism.
Hope this is what @scopendo meant (more or less), and that this could actually be a feature and that could get upvoted and maybe implemented. It would be great.
EDIT: probably similar to this https://apiumbrella.io/ (never tried yet, just googled for it)
This might be the same feature as #155.
We have done something similar and used FusionAuth to facilitate this
We have several APIs that are used by our public Web Applications, other Service APIs or back office applications running tasks etc. We needed a way to provide API keys that our applications could use to pass around without being a particular user. But we also wanted FusionAuth to handle the authentication. In this particular use case we decided that authorization (access to specific endpoints etc.) should be handled by the application itself as each API has its own specific endpoints and actions.
We can also limit the use of these API keys to HTTP Referer, IP Restrictions and which services the key can be used with, almost the same as Google's Cloud Platform credentials (API Keys). This is essential particularly for our public facing API keys as it prevents the API being stolen.
For context, our APIs are written using ASP.NET Core. Also, I think it's widely acknowledged that API keys are as good as a password.
In FusionAuth we have created a specific 'Service' tenant where we create applications for all our Service APIs. Users can then be created which are scoped to that tenant; these users are our API keys!
We use the Custom Data section on a user to store our HTTP Referer restrictions, IP Restrictions and Application/Service restrictions. These are stored as JSON in a consistent structure that all our services can read.
Essentially what we have done is written authentication middleware which is added into all our services (via NuGet packages). The middleware looks for the presence of a particular header key and value e.g. "X-API-KEY: gskhskhgsf", takes the value, which happens to be the API key user's ID, and then sends a login request to FusionAuth. If the request is successful the user is returned along with their custom data. The user is also checked to see if they are active. The middleware then reads the JSON data and creates the appropriate 'rules' out of each entry. If any of these fail the request is rejected with a 401:
Incoming request has no referer but user data contains HTTP referer restrictions - FAIL
Incoming request HTTP referer is not listed in user data - FAIL
Incoming request IP is not listed in user data - FAIL
User data contains application restrictions and receiving API application Id is not in the list - FAIL
If authentication passes then the User is transformed into a claims identity, and restricted or allowed endpoints and other rules are added to that identity's claims. This helps us with granular permissions such as limiting API key access to specific endpoints, for example:
User data contains endpoint restrictions and requested endpoint is not in the identity's claims - FAIL
The great thing about all of this is that if an API key is compromised in any way we can easily log in to FusionAuth and disable the user, which would disable the key entirely.
We have also created an in-house app to create API keys for us and assist us with adding the restrictions in the expected JSON format (as doing this manually every time would be asking for human error). The in-house app has further knowledge of our APIs' endpoints, which allows us to list them out and add them to keys if needed.
I hope this helps anyone, please feel free to ask any questions
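The rule evaluation the comment above describes (active check, then referer, IP, application and endpoint restrictions read from the key user's custom data), written out as an added, language-neutral illustration in Python rather than the poster's ASP.NET Core middleware. The thread gives no schema for the custom-data JSON, so the key names, sample values and the wildcard endpoint syntax below are assumptions; the FusionAuth login call that fetches the user is left out and the user object is constructed inline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the user returned by the login call, with the
# restriction JSON under "data". Key names are assumed, not FusionAuth's.
SAMPLE_KEY_USER = {
    "active": True,
    "data": {
        "referers": ["https://app.example.com"],           # allowed origins
        "ips": ["203.0.113.0/24", "198.51.100.7"],         # hosts or CIDRs
        "applications": ["svc-widgets"],                   # receiving API ids
        "endpoints": ["GET /widgets", "GET /widgets/*"],   # METHOD path[/*]
    },
}

def _origin(url):
    """Reduce a Referer to scheme://host[:port]; exact origin matching avoids
    prefix tricks such as https://app.example.com.evil.test."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def _endpoint_matches(pattern, method, path):
    pat_method, pat_path = pattern.split(" ", 1)
    if pat_method != method:
        return False
    if pat_path.endswith("/*"):                 # assumed wildcard syntax
        return path.startswith(pat_path[:-1])
    return path == pat_path

def evaluate_api_key(user, request):
    """Apply the thread's rules in order; return (allowed, reason)."""
    if not user.get("active"):
        return False, "key disabled"
    data = user.get("data", {})
    referers = data.get("referers")
    if referers:                                # restriction present: referer is mandatory
        ref = request.get("referer")
        if ref is None:
            return False, "referer missing"
        if _origin(ref) not in {_origin(r) for r in referers}:
            return False, "referer not allowed"
    ips = data.get("ips")
    if ips:
        addr = ipaddress.ip_address(request["ip"])
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in ips):
            return False, "ip not allowed"
    apps = data.get("applications")
    if apps and request["application_id"] not in apps:
        return False, "application not allowed"
    endpoints = data.get("endpoints")
    if endpoints and not any(_endpoint_matches(p, request["method"], request["path"]) for p in endpoints):
        return False, "endpoint not allowed"
    return True, "ok"
```

In the poster's design a False result maps to a 401, and disabling the FusionAuth user makes every evaluation fail at the first check.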
Thanks for your detailed use case and explanation @tombeany. That is great!
@tombeany I was curious, I see mention of the username, but not the password. How are you handling passwords in your scenario? Are you using application authentication tokens https://fusionauth.io/docs/v1/tech/tutorials/application-authentication-tokens ?
@mooreds You have a couple of options.
- As mentioned previously an API key can be as good as a password, so you could use the FA user id itself as the password. You can generate a uid when creating the user and set that as both the user id and pwd. The key itself can then be passed as the login id and the pwd
- Use some sort of internally known pwd that only your API services know which you can send along with API key login attempts
- Use authentication tokens as per the tutorial. We were previously using this technique; however, we noted that if the registration was changed at all then the registration token changes, causing the API keys to break
In version 1.26.0 - you can use entities + client credentials to pull this off as well. This is probably the ideal solution as it allows for fine grained permissions assigned to the JWT that will be used to access your application.
If anyone has implemented this with FusionAuth Entities, could you please comment and let us know how it went? Also let us know if you'd like to do an interview or blog post together. Thanks!
Here's a livestream I did where we implemented this: https://www.youtube.com/watch?v=MdsVVlfSpw4
Closing for now. This can be modeled and implemented via Entities.