• Resolved C Green

    (@cgreen177)


    I love the plugin, and it works really well. But I have a concern that the user's API key is exposed in the request URL and so could be subject to abuse by bad actors. Do you have any plans to incorporate OAuth2 into the plugin? It seems this would solve that issue.

    https://osdatahub.os.uk/docs/oauth2/overview

    "Using the OAuth 2 API, you can:

    Create time limited access tokens.
    *Hide your API access credentials from end-users.*
    Restrict the available APIs within the project."

    Would be interested in your thoughts on this and whether it is achievable.
    Many thanks

  • Plugin Author skirridsystems

    (@skirridsystems)

    I did raise that concern with OS when the new APIs came out. They thought it was unlikely to be a problem in practice but that there is always OAuth.

    In order to get the OAuth token, the mapping javascript would have to send a request to the WordPress server which would in turn use its stored credentials to request the token and return it to the client. Normally you would require the WordPress server to check who is making the request before going to the OS API to get the token, typically by checking that the user is logged in. But in most applications the website viewer is not logged in, so the server would have to accept anonymous requests. That puts you back to square one because anyone can use your endpoint to request an OAuth token and use it in their own map requests.

    If you have any good ideas on how to make this work better then I may be able to look at implementing something.
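The token-broker flow described in the reply above, written out as an added example (it is not code from the plugin or from either poster): a WordPress REST endpoint that holds the OS project key and secret server-side, exchanges them for a short-lived OAuth2 token, caches it, and hands only the token to the mapping JavaScript. The `permission_callback` is the gate the reply talks about; it is set to require a logged-in user, and swapping it for `__return_true` is exactly the "back to square one" case where anyone can mint tokens through your endpoint. The route name, the option names `os_maps_api_key`/`os_maps_api_secret`, and the transient key are hypothetical; the OS token URL and the client_credentials/Basic-auth exchange are taken from the OS Data Hub OAuth2 documentation linked above and should be checked against it before use.

```php
<?php
/**
 * Added example, not part of the plugin or the forum thread.
 *
 * Assumptions (not from the original post):
 *  - Credentials live in the options 'os_maps_api_key' and
 *    'os_maps_api_secret' (hypothetical names).
 *  - The OS token endpoint is https://api.os.uk/oauth2/token/v1 and takes a
 *    client_credentials grant with HTTP Basic auth (verify against OS docs).
 *  - Only logged-in users may fetch a token; the comment on the
 *    permission_callback shows where an anonymous site would have to weaken this.
 */

const OS_TOKEN_URL       = 'https://api.os.uk/oauth2/token/v1'; // assumed, see OS docs
const OS_TOKEN_TRANSIENT = 'os_maps_oauth_token';               // hypothetical cache key

add_action( 'rest_api_init', function () {
    register_rest_route( 'os-maps/v1', '/token', array(
        'methods'             => 'GET',
        'callback'            => 'os_maps_token_endpoint',
        // The gate. Anonymous callers are refused before the callback runs.
        // Replace this with '__return_true' for a public site and anyone can
        // mint a token from your endpoint, which is the reply's square-one case.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

/**
 * Exchange the server-side credentials for an OS access token, caching it so
 * a page full of tile requests does not hit the token endpoint every time.
 * Returns array('access_token' => ..., 'expires_at' => unix time) or WP_Error.
 */
function os_maps_get_access_token() {
    $cached = get_transient( OS_TOKEN_TRANSIENT );
    if ( is_array( $cached ) && $cached['expires_at'] > time() + 30 ) {
        return $cached;
    }

    $key    = get_option( 'os_maps_api_key' );
    $secret = get_option( 'os_maps_api_secret' );
    if ( empty( $key ) || empty( $secret ) ) {
        return new WP_Error( 'os_maps_no_credentials', 'OS credentials not configured.' );
    }

    $response = wp_remote_post( OS_TOKEN_URL, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( $key . ':' . $secret ),
            'Content-Type'  => 'application/x-www-form-urlencoded',
        ),
        'body'    => array( 'grant_type' => 'client_credentials' ),
    ) );

    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'os_maps_token_failed', 'Token request refused by OS.' );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['access_token'] ) || empty( $data['expires_in'] ) ) {
        return new WP_Error( 'os_maps_token_malformed', 'Unexpected token response.' );
    }

    $token = array(
        'access_token' => $data['access_token'],
        'expires_at'   => time() + (int) $data['expires_in'],
    );
    // Cache for a little less than the token lifetime so a nearly expired
    // token is never handed to the browser.
    set_transient( OS_TOKEN_TRANSIENT, $token, max( 1, (int) $data['expires_in'] - 30 ) );
    return $token;
}

function os_maps_token_endpoint( WP_REST_Request $request ) {
    $token = os_maps_get_access_token();
    if ( is_wp_error( $token ) ) {
        return new WP_REST_Response( array( 'error' => $token->get_error_message() ), 502 );
    }
    // Only the short-lived token leaves the server; the key and secret never do.
    $response = new WP_REST_Response( array(
        'access_token' => $token['access_token'],
        'expires_in'   => $token['expires_at'] - time(),
    ) );
    $response->header( 'Cache-Control', 'no-store' );
    return $response;
}
```

The mapping JavaScript would call `/wp-json/os-maps/v1/token` with the `X-WP-Nonce` header (WordPress only honours cookie authentication on REST requests that carry the nonce) and then send `Authorization: Bearer <token>` to the OS APIs instead of putting `key=` in the tile URL. For a site whose viewers are not logged in, the only gates left for the permission callback are weak ones such as per-IP rate limiting or an `Origin`/`Referer` check, and a non-browser client can set those headers to anything, so the token endpoint simply becomes the thing to abuse; that is the limitation the reply describes, and it is why OS-side restrictions rather than anything in the plugin would be needed to close it.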

    Thread Starter C Green

    (@cgreen177)

    Thanks so much for the reply – no ideas here I'm afraid. I had hoped OS would allow endpoint URL restriction on the API (like Google does) as that seems like a relatively straightforward way to secure it. But no!

  • The topic ‘Oath2 support to overcome exposed API Key?’ is closed to new replies.