-2

I already Googled that, but I didn't found any answer that satisfy me, maybe because it's impossible.

I want to know if I can authenticate a website directly from JavaScript to a Symfony API rest. My goal is to create a script in JavaScript, which make ajax requests to the API (the API accepts cross origin requests) and get some data in the response, but the website(s) needs to authenticate with the API to get this data.

I can certainly use JSON web tokens or OAuth to make the website authenticate as a user, but in this case I need to have some script on the server side of the website and call it from ajax to get the website authenticate and return the token in the response. I don't want to store anything on the website, only put my script tag in the html, to facilitate the installation of the service(it's a widget) for webmasters.

I also know that I can do that with referrer authentication, but I will avoid that, everyone can change referrer in the request headers. I can also put an apikey in the link of the script <script src="mydomain.com/myjs.js?apikey=MY_API_KEY"> but everyone can access the apikey and use it from everywhere.

Is there a way to do that safely?

Improve this question
6
  • Why do you need code? It's jast a question on how I can authenticate a website against a symfony api rest without using server side script on website side Commented Aug 28, 2017 at 14:37
  • Can you please upvote my question? I really don't know why you need code, I don't will start to code if I don't know how to proceed Commented Aug 28, 2017 at 14:41
  • Why have authentication when it is just in a js script then anyone can just take whatever credential you have in the script using browser dev tools? Defeats the purpose. Commented Aug 28, 2017 at 14:58
  • Because I want that only aythorized websites have to get datas from the api, not everyone Commented Aug 28, 2017 at 15:06
  • for now I use referer authentication directly in the symfony listener, but it's cheap Commented Aug 28, 2017 at 15:08

1 Answer 1

Reset to default
0

After some research I think the only solution is what I already done, apikey-referrer authentication:

How to keep API keys secret when using client side Javascript?

How does Google Maps secure their API Key? How to make something similar?

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.