Tags: web-services, security, single-sign-on, ws-security

Web services and authentication & authorization dilemma


Current set-up:

  • App2 is an existing web app created to enable users to do transactions. Has login. Accessed globally.
  • App1 is a purely informational app with no login. Accessed globally.

Proposed changes:

  • App1 will now have user login and some new functions
  • Part of its new functions is to have some of the transactional back end of App2

Plan

  • Create web service in App2 to expose functions that would be accessed by App1.

Dilemma

  • The web service exposed by App2 should only be used by logged in users from App1.

Settings

  • App1 and App2 are deployed on the same app server (and will likely have this setup for a long time)
  • App1 and App2 have different sets of users from different databases.

Question:

  1. What's the best way to solve the dilemma?
  2. Would it be practical just to copy App2's back end into App1 instead?
  3. Would having the two apps under Single Sign-On also be a practical choice? (e.g. just provide a direct page link from App1 to App2 while under SSO.)

That is all. Thanks. Any advice would be appreciated.


Solution

  • The solution to this problem is part of any token-based authentication solution.

    After your users authenticate against App1, you allow them to retrieve a token to access the API in App2. This token must be signed (to guard against tampering) and contain a relying party identifier or audience URI.

    The API you expose in App2 checks whether the token is valid and is intended to be used to call it (has the correct relying party identifier or audience URI).
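The issue-then-verify flow the answer describes, as an added example that is not part of the original post or the asker's applications. App1 mints a short-lived HS256 JWT for an already logged-in App1 user, and App2's service accepts it only if the signature, issuer, audience and expiry all check out. The secret, issuer string, audience URI and user id are assumptions chosen for illustration; the example uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for illustration only; none of them come from the question.
SHARED_SECRET = b"assumed-demo-secret-replace-and-rotate"  # shared out-of-band between App1 and App2
APP1_ISSUER = "urn:app1"            # identifies App1 as the token issuer
APP2_AUDIENCE = "urn:app2:txn-api"  # relying party identifier / audience URI of App2's web service


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app1_user_id, audience=APP2_AUDIENCE, now=None, ttl=300):
    """App1 side. Call this only for a user who has already logged in to App1.
    The token states: App1 vouches that this App1 user may call <audience> until exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": APP1_ISSUER,
        "sub": app1_user_id,   # an App1 user id: App2 must not look it up in its own user table
        "aud": audience,
        "iat": now,
        "exp": now + ttl,      # short-lived: a stolen token is as good as a password until then
    }
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token, expected_audience=APP2_AUDIENCE, now=None):
    """App2 side. Returns the claims if the token is genuine, current, issued by App1
    and addressed to this service; raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # 1. Signature first: nothing in the payload is trusted until the MAC matches.
    expected_sig = hmac.new(
        SHARED_SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier pins the algorithm; alg=none is never honoured
    claims = json.loads(b64url_decode(claims_b64))
    # 2. Issuer: App2 only trusts tokens minted by App1.
    if claims.get("iss") != APP1_ISSUER:
        raise ValueError("wrong issuer")
    # 3. Audience: a token App1 issued for some other relying party is not valid here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("token not intended for this service")
    # 4. Lifetime.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = issue_token("app1-user-42")
    print("App2 accepts token for user:", verify_token(token)["sub"])
    for_other_service = issue_token("app1-user-42", audience="urn:app1:self")
    try:
        verify_token(for_other_service)
    except ValueError as exc:
        print("App2 rejects token for another audience:", exc)
```

Because the two apps share an app server but not a user database, the `sub` claim carries an App1 identity, and App2's service should authorize against that claim (and whatever it maps to in App2's own data) rather than treating it as one of its own logins. With a symmetric secret, App2 could mint tokens as well as verify them; if that matters, switch to an asymmetric algorithm so App2 holds only the public key.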