security - Securing an existing API with our own solution

Question

I have to design a mobile application that interacts with a provided API to exchange data and info, and I've read about API security, Oauth 2, tokens, .... etc, but something still not clear to me, the following are the important points:

• API provided by a 3rd party as a black box, no security implemented, so you can query for data belongs to any user.
  

• a user should use our application, sign in with a user/password and get access to his data only. (must be very secure, because we should pay a lot if security was broken)

• the solution needs to be implemented and self-hosted, not from a third party or cloud provider.

example of an API call:

....base url...../{subscriber-ID}/offers

the above call get the suitable offers for a subscriber whose ID is {subscriber-ID}, so obviously, without security, I can query offers for any subscriber, but my goal is to link between user/password and querying only data related to the desired user.

I read a lot, but I'm confused since I'm new to API security. so where should I start? how can I benefit from Oauth 2 in my case? just need a roadmap, not how to implement.

Answer 1

oAuth2 using spring security is a solution for this requirement.

There are 4 grant types in oAuth2 which is meant for different scenarios.

1. client credential : the consumer (app) make calls to back-end using the bearer token created using apikey(or clientId) and secret only. Mostly used for anonymous calls where generic information is retrieved.

2. Resource owner password credential (ROPC) : the consumer (app) make calls using the bearer token created using apikey, secret, username and password. Mostly used when you(your authorization server) already know the users(user database is handled in your own system).

3. Authorization code : the consumer (app) make calls using the bearer token created using an authorization code. The authorization code is provided by a 3rd party (which actually has/manages the logged in user data) and the created authorization code linked to the logged in user. Google and Facebook log in for various sites is a typical example. Facebook/Google gives an authorization code for those websites and they exchange that code for a token.

4. Implicit grant : Mix of password credential and authorization code. Instead of authorization code, you get a bearer token from the 3rd party authorization server.

I have been searching a lot for a simple sample code for an authorization server, but never found one. So, I tried to create it myself which you can find here : https://github.com/abbinv/oauth2Server. Only ROPC and Client Credential is implemented.

It is not a 'beautiful' code. But i think you will get the basics.