0

Context

I'm trying to build an hybrid multi-tenant API using OAuth2.0 using Laravel 8 Passport, so my system has 2 parts: one process the request from the tenant application, and the other part process the request from my front-end which allows to enable/disable features on the tenant application

Research

I'm confused with OAuth2 flows, I found multiple articles about OAuth2 flows but these 2 are the best from my point of view:

DigitalOcean Article

https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2

OAuth2 flows

OAuth 2 defines three primary grant types, each of which is useful in different cases:

Authorization Code: used with server-side Applications

Client Credentials: used with Applications that have API access

Device Code: used for devices that lack browsers or have input limitations

In my case I didn't find useful device code, so I am going to paste only Authorization Code and Client Credentials

Grant Type: Authorization Code

The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user’s web browser) and receiving API authorization codes that are routed through the user-agent.

Grant Type: Client Credentials

The client credentials grant type provides an application a way to access its own service account. Examples of when this might be useful include if an application wants to update its registered description or redirect URI, or access other data stored in its service account via the API.

Paradigma Digital Article

(Sorry this article is in Spanish because its my native language, I pasted in English the fragments that I consider relevant)

https://www.paradigmadigital.com/dev/oauth-2-0-equilibrio-y-usabilidad-en-la-securizacion-de-apis/

OAuth 2 Flows or grant types

OAuth flows also called grant types refer to the way an application obtains an access token that allows it to access the exposed data through an API.

The existence of these flows by the standard arises to respond to all the business scenarios that can occur in the consumption of APIs according to three variables:

The type of consuming application.

Your degree of confidence.

How is the interaction by the user in the process.

Grant Type: Client Credentials

This flow represents the case in which the application belongs to the user, so there is no need for the user to authenticate or help the authentication server in any way to decide if access for that application is guaranteed, that is, the access token sent by the server is obtained by authenticating only the application, not the user.

The main difference with the rest of the flows is that the user does not interact in the process, so the application cannot act on behalf of the user, only on its own behalf.

WHEN IT'S USED?

Consumer application type: Internal applications of the organization or the data that the API exposes is not sensitive.

User interaction: none.

Application confidence level: high, usually internal, or the data exposed by the API is not sensitive.

Communication type: server-server.

Grant Type: Authorization Code

This flow is characterized by user intervention to explicitly authorize access to their data by the application and by the use of a code provided by the authentication server so that the application can obtain an access token.

WHEN IT'S USED?

Type of consumer application: web applications, it can also be used in mobile applications, but without storing the client secret and making use of the PKCE extension, which protects against attacks that intercept the authorization code. Degree of trust of the application: an untrusted third party.

User interaction: explicit consent through a browser.

Communication type: commonly used in client-server communications.

Questions

From my point of view I have to use 2 flows: Authorization Code with PKCE for requests from the tenant application (considering that it is an untrusted third party) and Client Credentials for request from my front-end

Can you give me additional beginner-friendly resources to know best practices of OAuth flows (storage, requests, etc)?

What do I have to keep in mind?

Can you give me some tricks?

Can you explain me OAuth flows better or with the resources I have is enough?

How Google Cloud services such as Google Maps API Keys work?

What type and flow of authentication do they use?

Why do they generate client and secret API Keys?

Am I in the right path?

IF NOT

Which flows should I use for my multi-tenant API and why?

Can you give me some resource to help me understand OAuth2 better?

Useful links

You can read more about Laravel Passport here:

https://laravel.com/docs/8.x/passport#deploying-passport

You can read more about hybrid multi-tenancy here:

https://blog.sharetechlinks.com/hybrid-multi-tenant-saas-application-system-design/

Ger
  • 143
  • 6

1 Answers1

0

Only PKCE is considered best practice for authentication where your client cannot securely store a secret. Think of an SPA that does not share the same TLD. If you're on the same domain or a subdomain passport can set an http only cookie when your client uses the normal laravel login. The jwt is only needed if you're on different domains or need that portability.