Currently, I am working on an open source project. I have a server which uses NodeJS and Express. This server also has some REST interfaces.
Now, I want other people to be able to use the REST interfaces after logging in with OAuth. This already works in combination with PassportJS. The only problem I have is that the main application, which uses the same REST interfaces, also has to go through the "An application wants to use your data. Do you allow or deny?" process.
I think this is not a very good solution. When I look at GitHub, Microsoft and Google, which use OAuth, I don't have to allow access to my data when I log in. This is needed only when external applications want to use their interfaces.
Now the question is: how can I say that the main application can access the interfaces when the user logs in, but external persons can only access the interfaces when they log in with OAuth?
Greetz
By splitting the traffic into external and internal, in the future you can route your external parties through an API proxy with a different authentication/authorization mechanism and use it to meter the calls made, etc.
Yes, it is a good idea to differentiate between the external and internal users.
Joel Jensen
Loves all things tech
I find your question a little bit hard to understand. Here is my understanding:
If this is correct, I would suggest you proceed in the following way:
Have different REST APIs for different purposes. Don't mix up the APIs meant for your normal users with those used by external apps. If some logic should be reused, put it in a module and just require it from different route handlers.
Protect the APIs meant for external apps with an OAuth strategy.
Protect the APIs meant for regular users with a different authentication mechanism e.g. passport-local.
Let us know if this solves your problem or you meant something different.
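The split described in the answer above, as an added example that is not the answerer's code or the asker's project: two route groups, the internal one guarded by a session cookie (what passport-local plus express-session would give you) and the external one by an OAuth bearer token with a scope check. It is written dependency-free so it runs with plain Node; the session store, token store, route table and the Express-style middleware shape are all assumptions constructed here, not PassportJS itself.

```javascript
'use strict';

// Constructed sample state: one logged-in browser session (the main app) and two
// OAuth access tokens issued to an external client with different scopes.
const SESSIONS = new Map([['sess-1', { userId: 'alice' }]]);
const ACCESS_TOKENS = new Map([
  ['tok-ext-1', { userId: 'alice', clientId: 'ext-app', scope: ['read:items'] }],
  ['tok-ext-2', { userId: 'alice', clientId: 'ext-app', scope: ['write:items'] }],
]);

// Internal API guard: only a valid session cookie opens these routes.
// A bearer token is deliberately ignored here, so an OAuth client never
// reaches the first-party API.
function requireSession(req, res, next) {
  const sess = req.cookies && SESSIONS.get(req.cookies.sid);
  if (!sess) return res.status(401).json({ error: 'login required' });
  req.user = { id: sess.userId, via: 'session' };
  return next();
}

// External API guard: OAuth bearer token that carries the scope the route needs.
// Session cookies are ignored so a browser session cannot drive the external API.
function requireBearer(scope) {
  return (req, res, next) => {
    const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
    const tok = m && ACCESS_TOKENS.get(m[1]);
    if (!tok) return res.status(401).json({ error: 'invalid_token' });
    if (!tok.scope.includes(scope)) return res.status(403).json({ error: 'insufficient_scope' });
    req.user = { id: tok.userId, clientId: tok.clientId, via: 'oauth' };
    return next();
  };
}

// Shared business logic lives in one module and is reused by both route groups.
function listItems(user) { return { owner: user.id, items: ['a', 'b'] }; }

// Minimal route table standing in for two Express routers, each with its own guard.
const ROUTES = {
  '/api/internal/items': [requireSession, (req, res) => res.status(200).json(listItems(req.user))],
  '/api/external/items': [requireBearer('read:items'), (req, res) => res.status(200).json(listItems(req.user))],
};

// Run a constructed request through the middleware chain; returns { status, body }.
function handle(req) {
  const out = { status: 404, body: null };
  const res = { status(c) { out.status = c; return this; }, json(b) { out.body = b; return this; } };
  const chain = ROUTES[req.path];
  if (!chain) return out;
  let i = 0;
  const next = () => chain[i++](req, res, next);
  next();
  return out;
}
```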