Secure APIs which are called from native apps via browser

Hi,

We have a requirement where a web application will invoke one of our API proxies in a native manner via a browser. We are trying to find out what will be the best possible way to secure the API proxy, as any key/client credential stored for authentication at client side will be visible in the browser logs/console.

Has anyone encountered a similar scenario ?

Solved Solved
1 2 670
1 ACCEPTED SOLUTION

hi @snehal chakraborty -

Your question is not uncommon.

By now you've thought about the issue and are aware of the challenge of storing and managing secrets in a web browser.

There are various approaches to address your concern. One way is for the web server that serves the browser page to

  • authenticate the user
  • then, embed a nonce into the page (except it isn't really a nonce, it's just a short-term secret)

Subsequently, all API calls originating from that browser page will carry that nonce to the API Endpoint, and the API Endpoint (maybe Apigee Edge) will need to validate the nonce. The details of generating and validating the nonce at various points (or even extending the lifetime of the nonce) are up to you to arrange; you could rely on the Apigee Edge cache to store a nonce and manage its lifetime. The web service could request a nonce from Apigee Edge before serving the page; then the page itself could directly invoke APIs exposed in Apigee in order to have the nonce be validated.

The reason I call it a nonce is, Wordpress does this, and they use that term. The discussion at that link should persuade you that this is a general problem, not related just to Apigee of course.

By the way, Here's a similar question that was asked and answered here on the Apigee community site last year. Have you seen it? What do you think?

Let me know if this helps, please!

View solution in original post

2 REPLIES 2

hi @snehal chakraborty -

Your question is not uncommon.

By now you've thought about the issue and are aware of the challenge of storing and managing secrets in a web browser.

There are various approaches to address your concern. One way is for the web server that serves the browser page to

  • authenticate the user
  • then, embed a nonce into the page (except it isn't really a nonce, it's just a short-term secret)

Subsequently, all API calls originating from that browser page will carry that nonce to the API Endpoint, and the API Endpoint (maybe Apigee Edge) will need to validate the nonce. The details of generating and validating the nonce at various points (or even extending the lifetime of the nonce) are up to you to arrange; you could rely on the Apigee Edge cache to store a nonce and manage its lifetime. The web service could request a nonce from Apigee Edge before serving the page; then the page itself could directly invoke APIs exposed in Apigee in order to have the nonce be validated.

The reason I call it a nonce is, Wordpress does this, and they use that term. The discussion at that link should persuade you that this is a general problem, not related just to Apigee of course.

By the way, Here's a similar question that was asked and answered here on the Apigee community site last year. Have you seen it? What do you think?

Let me know if this helps, please!

Thanks for the suggestions