29

I have an implementation for an internal API, the requirement is to implement some sort of basic authentication instead of oauth (generating a token).

Do you think there's any difference between using just an API key vs using a client id + secret?
For what I see it'd be just like saying "using a password" vs "using a user and a password".

you are viewing a single comment's thread
view the rest of the comments
[-] pe1uca@lemmy.pe1uca.dev 2 points 1 year ago

Oh, yeah, I had forgotten about this kind of attack.

Do you think this is a concern if the calls are only meant to be done in an internal network?

[-] TootSweet@lemmy.world 4 points 1 year ago

I'd consider it a concern if I was in your shoes, yes. Mostly for the reasons jflorez mentioned.

Major security breaches wherein an attacker gained has access to an internal, private network happen not infrequently. Target (the retail chain) leaked a ton of their customers' credit card to attackers over the course of (IIRC) months. The attackers couldn't have done it (at least not in the way they did) without first breaching Target's private corporate network.

[-] jflorez@sh.itjust.works 2 points 1 year ago

Never underestimate the risk of an attack coming from the inside.

Also once you have an implementation with a certain kind of authentication other devs are likely to copy what you have successfully deployed and then your security assumptions will make it into public facing code without much consideration

this post was submitted on 21 Aug 2023
29 points (100.0% liked)

Programming

17314 readers
139 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS