Suppose you have a fairly large project, the heart of which is some kind of API. Technologies are not important, but for context: PHP7 and GraphQL.
Then there are some clients that work with the API:
- CLIENT1 – control panel (admin) / ReactJS
- CLIENT2 – client for guests / PHP
- CLIENT3 – personal account for registered / ReactJS
- CLIENT4 – blog / PHP
Right now the user is authenticated to the API with a JWT token: in short, we send a request with a login and password, receive a token and use it to make authorized requests.
Then I was faced with the following question: how do I authenticate the clients themselves?
The API has a number of requests that JWT does not cover, that is, data for these requests can be obtained without authentication. For example, a user visits CLIENT4; CLIENT4, in turn, makes an API request, gets a list of articles and shows them to the user (the user can be a guest). Everything is correct here.
However, there remains the possibility that the user bypasses CLIENT4, makes a request to the API and receives the data directly. The question is: what is the best way to close the API to all direct requests and grant access only to specific clients?
Some additional thoughts.
A good and secure option would be to restrict access and make the API local; however, some clients may be on a different server or require external access (e.g. mobile devices).
I decided against the OAuth2 protocol, since there is in fact no third party in the project, so it turns out to be not quite what is needed.
The only option that comes to mind so far is some additional token that each client stores and sends with every request to get access to the API.
Actually, I would like to receive tips and recommendations, and perhaps links to technologies or protocols that I have missed.
Think in the direction of certificate authorization. Generate a self-signed certificate for each client. Configure apache2, nginx, etc. (I don't know which server you use) to allow access to certain URLs only with a certificate. In especially sensitive cases, require the client to sign each of its requests to the server with its private key, and check the signature on the server side with the client's public key (since you issue the certificate, you have it).
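The per-request signing that the answer above describes, as an added example that is not part of the original question or answer: each client gets a key pair and a self-signed certificate; the client signs a canonical string (method, path, SHA-256 of the body, timestamp) with its private key and sends the signature in headers; the server looks up the certificate it issued for that client ID, checks the timestamp against a replay window, and verifies the signature with the certificate's public key. The header names (`X-Client-Id`, `X-Timestamp`, `X-Signature`), the canonical string layout, ECDSA P-256 and the five-minute window are all assumptions of this example; the GraphQL body is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"time"
)

// Client holds one client's key pair and self-signed certificate
// (one such pair would be issued to each of CLIENT1..CLIENT4).
type Client struct {
	ID   string
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewClient generates a P-256 key pair and a self-signed certificate for clientID.
func NewClient(clientID string) (*Client, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: clientID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Client{ID: clientID, Key: key, Cert: cert}, nil
}

// canonical is the exact byte string both sides sign and verify (assumed layout):
// method, path, hex SHA-256 of the body and the Unix timestamp, newline-separated.
func canonical(method, path string, body []byte, ts int64) []byte {
	h := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d", method, path, hex.EncodeToString(h[:]), ts))
}

// Sign returns the headers (assumed names) the client attaches to one request.
func (c *Client) Sign(method, path string, body []byte, now time.Time) map[string]string {
	ts := now.Unix()
	digest := sha256.Sum256(canonical(method, path, body, ts))
	sig, err := ecdsa.SignASN1(rand.Reader, c.Key, digest[:])
	if err != nil {
		panic(err) // only fails if the system RNG is broken
	}
	return map[string]string{
		"X-Client-Id": c.ID,
		"X-Timestamp": strconv.FormatInt(ts, 10),
		"X-Signature": base64.StdEncoding.EncodeToString(sig),
	}
}

// Server keeps the certificates it issued, keyed by client ID, plus the replay window.
type Server struct {
	Certs  map[string]*x509.Certificate
	MaxAge time.Duration
}

// NewServer registers the given clients' certificates.
func NewServer(maxAge time.Duration, clients ...*Client) *Server {
	s := &Server{Certs: map[string]*x509.Certificate{}, MaxAge: maxAge}
	for _, c := range clients {
		s.Certs[c.ID] = c.Cert
	}
	return s
}

// Verify checks one request's headers against the registered certificate.
// Binding the signature to method, path, body and time means a captured request
// cannot be replayed later or redirected to another URL.
func (s *Server) Verify(method, path string, body []byte, hdr map[string]string, now time.Time) error {
	cert, ok := s.Certs[hdr["X-Client-Id"]]
	if !ok {
		return errors.New("unknown client")
	}
	ts, err := strconv.ParseInt(hdr["X-Timestamp"], 10, 64)
	if err != nil {
		return errors.New("bad timestamp")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > s.MaxAge || d < -s.MaxAge {
		return errors.New("stale or future timestamp")
	}
	sig, err := base64.StdEncoding.DecodeString(hdr["X-Signature"])
	if err != nil {
		return errors.New("bad signature encoding")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate key is not ECDSA")
	}
	digest := sha256.Sum256(canonical(method, path, body, ts))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	blog, _ := NewClient("CLIENT4")
	srv := NewServer(5*time.Minute, blog)
	body := []byte(`{"query":"{ articles { title } }"}`) // constructed sample request
	hdr := blog.Sign("POST", "/graphql", body, time.Now())
	fmt.Println("valid:", srv.Verify("POST", "/graphql", body, hdr, time.Now()))
	fmt.Println("other path:", srv.Verify("POST", "/admin", body, hdr, time.Now()))
}
```

The transport-level variant the answer mentions first (let the web server demand the certificate) is `ssl_verify_client on;` together with `ssl_client_certificate` pointing at the issuing CA in nginx; the signing scheme above is what you add on top when the server must also prove that a specific request body came from that client and was not captured and replayed, which is why the timestamp is part of the signed string and is checked against a window.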