I am planning to code a Vue web app that accesses the backend through an API. The web app itself has a front end and a backend that requires login. I intend to grant API access to the web app, an Android app and an iOS app. Question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta? Can JWT work in such cases?
Question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta?
Auth0 and Okta are authentication providers that use the OAuth2 and/or OpenID Connect standards to Authenticate users, and the resulting token is a JWT, more precisely a signed JWT, which is known as a JWS:
A JSON Web Signature (abbreviated JWS) is an IETF-proposed standard (RFC 7515) for signing arbitrary data.
This is used as the basis for a variety of web-based technologies including JSON Web Token.
Can JWT work in such cases?
Yes, you just need to find the correct packages to use in your API server and frontend.
Bear in mind that user Authentication only identifies Who is in the request, not What is doing the request, and in my experience I see that this is a common misconception among developers, whether juniors or seniors.
I have written a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? I go into more detail about the difference between Who and What is accessing your API server:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
I hope that after reading it you are now conscious that the Who is the user your API server will be able to Authenticate and Authorize access to the data, and that the What is the software making that request on behalf of the user.
I intend to grant API access to the web app, an Android app and an iOS app. Question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta?
Well you bought yourself a hard problem to solve, but we developers love challenges, don't we ;)
While user authentication may let the API server know Who is using the API, it cannot guarantee that the requests have originated from What you expect, the original version of your mobile app or web app, and to your surprise you may end up discovering that sometimes your own legit users may try to bypass your services and use repackaged versions of your mobile app or automated scripts to get access to features or benefits they wouldn't have otherwise.
To defend your API server you need to apply defense in depth with as many layers as you can afford (just like was done in castles in past centuries) and as may be required by law or specific market regulations.
In the context of a web app you may want to follow my advice in this answer to the question secure api data from calls out of the app, specifically the section entitled DEFENDING THE API SERVER.
For mobile apps, the API server can have more confidence in What is making the request when the concept of Mobile App Attestation is being used, and you can read this answer I gave to the question How to secure an API REST for mobile app? for more detail. You will be looking to read specifically the section Securing the API Server and the section A Possible Better Solution.
In any reply I give to a security question I always like to reference the excellent work from the OWASP foundation, which can help you strengthen the security of your application and servers.
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The Web Security Testing Guide:
The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.