Make PayPal REST API request on behalf of merchant via OAuth - rest

I want to add PayPal REST API capabilities to our shop software. Unfortunately it seems there is no way to automate to process of connecting the merchants account to our system. It looks like if you use the REST API you need to ask for client ID and secret. Then you trade that information for an OAuth token. However this is not the normal OAuth flow, which has a step that asks for users permission and does not require credentials to begin with.
These two topics basically cover the same issue, but are rather stale:
paypal rest api credential via oauth
Is it possible to use `Log In with PayPal` to make REST api requests on behalf of the user?
Does anybody know if this is possible in the meantime? I find it rather strange to design a RESTful API with OAuth capabilities and then not using it by allowing people to automatically ask for access rights on behalf of the merchant? This makes is somewhat useless for all shop software doesn't it? Well at least inconvenient.
Or is there maybe a way one could use the old API to obtain an access token that can also be used with the REST API?

Have you looked into the Permissions API?

Related

Securing an API called by the end users of a client

I am building an API meant to be sold to various clients. These clients will be given an API Key or something similar and they'll use the API in a widget on their website.
The end users of the clients' website must be able to use the widget anonymously (no login).
Workflow:
My current idea is to have the Client's server retrieve a temporary key and use that in the webpage. The End user's browser will use that temporary key to call our API.
Is there any reason why this is not a good practice and/or insecure?
Or is there a better good practice solution? Can I for exmaple use OAuth 2 for this?
You need to secure your API from the clients app. So, for that you can use OAuth 2 with Client Credentials grant type and setup each client as an app so they each get their own set of key/secret credentials.
Since you don't know anything about the end user, but still need to track them, require an endUserId custom header on every request to your API and you'll just have to trust the client to provide you with a valid id for the end user making the request.
To setup OAuth, use an existing library or OAuth service. I don't recommend writing your own. If you can spend some money, Okta and Auth0 are good choices. If your API is written in .net, you can use IdentityServer as a free option.

Using Cognito for REST API authentication

I'm looking to use API Gateway + Lambda + Cognito User Pools to build a simple REST API.
The API will be used in two ways. The first is to support a basic web app (hosted on CloudFront + S3). Authentication for the web application uses the hosted Cognito sign in / sign up flow and is working fine (with API Gateway setup to use the user pool authenticator).
The second method will be for customers to use the REST API to communicate with the system.
As an example, the client might use the web app to configure a workflow and then use an API to invoke that workflow.
What is the recommended method of authenticating the API for use with backend services?
Traditionally, I'd expect to use an API key + secret token for this purpose. I have no issue creating API keys in the API Gateway interface however I can't see anyway to link that to a specific user, nor can I see any method of specifying a secret token alongside the API key.
And assuming the above is possible, how would I set it up in such a way that I could use the JWT-based approach for the web application and the API key + secret token for customers to use.
EDIT: Additionally, I notice that app clients have an ID and a secret. Are they intended to be used for 3rd API-based-authentication (similar to how other systems make you create an app for API access)? I'm a bit skeptical because there's a limit of 25 per user pool, although it is a soft limit...
I have been searching for an answer to this myself and my searching led me to your question. I will give you my best answer from my research, assuming you want to utilize the well-known key/secret approach. Maybe others can provide a better approach.
Basically, the approach is:
Your REST API accounts are just Cognito users in a (possibly separate) user pool
The management of API accounts is done from the back end
The username and password will be the API key and secret, are administratively created (see the Admin* operations), and can be whatever format you want (within Cognito limits)
The REST API is authorized via Cognito JWT tokens
API account key and secret are only used to retrieve or refresh tokens
This requires the REST API to have a set of endpoints to support token retrieval and refresh using account keys and secrets
Based upon how long you set up the Cognito refresh interval, you can require API accounts to submit their key/secret credentials from very often to almost never
Structuring the authorization of your REST API to use Cognito tokens will allow you to integrate the REST API directly with API Gateway's support for Cognito.
I think the biggest headache of this whole thing is that you will have to create the supporting pieces for, e.g., registered users to request API accounts and for the administration of those accounts, as well as some extra helper REST endpoints for token exchange. Additionally, clients will have to keep track of keys/secrets AND token(s) as well as add client-side logic to know when to supply tokens or credentials.
When i was starting out using API gateway and Congito, i referenced https://github.com/awslabs/aws-serverless-auth-reference-app a lot and found it very helpful in demonstrating the integration between the different AWS components.
If I understand you correctly, you want to create a "long-lived API key + secret" for programmatic access to your API?
I have exactly this need, and am sadly finding that it appears to not be possible. The longest a key can be valid for is 1 hour. You can have a refresh token that's valid for 10 years. https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html
I'm currently looking for an elegant solution to this. I'd be interested to hear if you ever found a solution, or if you rolled your own.
Did anyone ever find a more elegant solution to this problem?
The first answer seems like pushing too much work into the hands of my customers. I don't know the skill level of the developers calling my API, and I wouldn't wish becoming a Cognito developer on anyone lol. More seriously, I don't want them to have to store multiple pieces of information and then have to deal with refreshing tokens.
I might be Ok with giving them a refresh token. Then I could do one of two things:
Give them a refresh method. I'd figure out all the weird Cognito kinks and keep their method to a simple payload of just the refresh token. I'd give them back the access token to use on subsequent calls.
Let them pass me the refresh token as if it was an access token. I would use it on each call to get an access token and then use that to call the interior APIs.

Using the REST API to perform bulk payouts on behalf of our client

I am a long paypal API user and am trying to use the new(er) REST API for my app. I have been pleased with the quality of the docs and API over our existing integration with paypal masspay, but I fear I have misunderstood the use of the REST API.
I have done at least a dozen other OAuth2 integrations with a lot of different services, and every one of them sets up a connection and gives us (the 3rd party app owner) a token, which lets us act on their behalf.
When I discovered the "My Apps" and REST API of paypal, saw it generated a client_id/secret, naturally I assumed I could create an app, and integrate it into my software, so that my clients can 'add' the app (initiating an oauth connection), and then I have a token that I can use to create payouts on their behalf. What led to the confusion, in retrospect, is that I was able to obtain a token, and then make SOME REST API calls (specifically, the identity calls, which give me info about my clients paypal account), but even if I added the following oauth scopes:
https://api.paypal.com/v1/payments/.* https://uri.paypal.com/payments/payouts
I am getting permission denied whenever I try to initiate a payout, or use any API other than the identity calls.
So after further digging, I am coming to the conclusion that the REST API, and the whole 'apps' thing is simply for writing apps for your OWN account (except for identity), NOT for allowing my app to act on behalf of a 3rd party, as has been the case for every other oauth integration I have ever done.
Does this sound correct? Am I missing something that lets me identify what merchant I am acting on behalf of?
I'd really like to move off the masspay API as its very clunky. Please help!

Forcing external apps to use the API

I have a website allowing authenticated users to submit and edit data. I also want to offer a REST API as part of a chargeable service.
Now the problem is that a non-paying user could theoretically use the same calls my website uses as API for authentication and sending data from his external application since it is very easy in the browser to see the endpoint what and how exactly the data is being sent to a website.
How can I protect my website from such usage and force the user to use API for external access?
Actually you cannot prevent people making requests to a public API. You can just validate the user when a request arrives. So there are more than one approach to solve this problem.
I would provide a token per session for each user and validate the rest API request at back-end.
Use OAuth2. So you will give paid user secret id and key then they will ask for the access token to access the API's using secret id and key.
Read about public/private key encryption https://en.wikipedia.org/wiki/Public-key_cryptography
Read about oAuth
https://oauth.net/2/
I have used passport to implement oAuth2 in laravel. passport is oAuth2 implementation and available in other languages also.

Securing API for a Frontend Website

Our APIs (delivered by a third party) are using Tokens in order to ensure authorized access only. Our new website should not be server-to-server but mostly front end, i.e. the token would be visible in the script. We're now checking how to secure the API for a frontend website and I have to propose ways to my boss. However, I've never had to do something with API securing, could you please help me by telling me where to read / state of the art solutions?
I've already begun to look into OAuth1a, OAuth2, OpenID but can't (yet) really get a direction to further investigate.
You should still use a token, but you have to make sure that the token doesn't grant you full access to the API.
Tokens need to be specific to the user who's using the application, and the token can only grant API access to the specific functions that the user is allowed to do.
For now I would ignore OAuth1 and OpenID and only look at OAuth2. There's enough features there to do what you want, and it's simpler than the rest.