UTD Theses and Dissertations
Permanent URI for this collectionhttps://hdl.handle.net/10735.1/5608
Browsing UTD Theses and Dissertations by Subject "Access control"
Item: Enhancing REST API Access Control Using Multiple Factor Authentication With Refresh Token (December 2023)
Melesse, Ahadu; Chung, Lawrence; Karami, Gity; Prakash, Ravi

Abstract: Representational State Transfer Application Programming Interfaces (RESTful APIs) have become a crucial component of modern web applications, providing efficient data exchange and request processing between clients and servers. Securing these APIs, and in particular their endpoints, is paramount. Although complete system security is unattainable, addressing vulnerabilities in public clients and in the exchange of access tokens and refresh tokens is significant. This thesis explores the use of identity provider protocols such as OAuth 2.0 and OpenID Connect to strengthen access control through standardized authentication and authorization methods and guidelines. In API-driven applications, protecting resources and data is not optional, and the need for robust security measures has intensified. A notable challenge in RESTful API security lies in authentication and authorization: refresh tokens are the common means by which a client obtains a new access token without presenting user credentials again. However, the long lifetime of a refresh token poses a security risk if the token is compromised. This research proposes requiring multi-factor authentication when a refresh token is used, strengthening account security and mitigating the risk of unauthorized access. The approach adds a layer of security without requiring access tokens or refresh tokens to be revoked. Given the dynamic nature of access management, staying abreast of the latest developments and best practices is crucial for maintaining application security.
This thesis provides a concise overview of key considerations and strategies, leveraging OAuth 2.0 and OpenID Connect, together with a refresh-token-based approach that uses Duende IdentityServer as the central identity provider. By adopting this approach, developers and organizations can strengthen the security of their API-driven applications against an evolving threat landscape. Duende IdentityServer, a product acknowledged by Microsoft, implements these security measures on top of proven protocols that address the concern.
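The mechanism the abstract describes, step-up multi-factor authentication on the OAuth 2.0 refresh_token grant, sketched as an added example; this is not code from the thesis and not Duende IdentityServer's API. It assumes a toy authorization server with opaque random tokens, an RFC 6238 TOTP secret enrolled per user as the second factor, a hypothetical `mfa_required` error code that tells the client to collect a TOTP code, and two extra hardening choices beyond the abstract: the refresh token is bound to the client_id it was issued to and rotated on every successful use, and it is locked after five wrong codes so the six-digit factor cannot be brute-forced. A wrong or missing code leaves the refresh token intact, matching the abstract's point that the scheme does not require revocation.

```python
"""Step-up MFA on the OAuth 2.0 refresh_token grant (toy authorization server, added example)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the second factor demanded on refresh."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class RefreshRecord:
    sub: str
    client_id: str      # refresh token is bound to the client it was issued to (assumption)
    expires_at: int
    used: bool = False  # set on rotation or lockout; a used token is never honoured again
    failures: int = 0


@dataclass
class AuthServer:
    users: dict                      # sub -> TOTP secret bytes, enrolled at registration (assumed)
    access_ttl: int = 300            # short-lived access token
    refresh_ttl: int = 30 * 24 * 3600  # long-lived refresh token: the asset worth protecting
    max_failures: int = 5
    access_tokens: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)

    def _issue(self, sub: str, client_id: str, now: int) -> dict:
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[at] = (sub, now + self.access_ttl)
        self.refresh_tokens[rt] = RefreshRecord(sub, client_id, now + self.refresh_ttl)
        return {"access_token": at, "refresh_token": rt, "expires_in": self.access_ttl}

    def login(self, sub: str, primary_ok: bool, client_id: str, now: int) -> dict:
        """Primary authentication (password, etc.) is modelled as a boolean here."""
        if not primary_ok or sub not in self.users:
            return {"error": "invalid_grant"}
        return self._issue(sub, client_id, now)

    def refresh(self, refresh_token: str, client_id: str, totp_code, now: int) -> dict:
        """refresh_token grant that requires a fresh second factor before issuing tokens."""
        rec = self.refresh_tokens.get(refresh_token)
        if rec is None or rec.used or now >= rec.expires_at or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if totp_code is None:
            # Hypothetical error code: tells the client to prompt the user for the factor.
            return {"error": "mfa_required"}
        secret = self.users[rec.sub]
        # Accept the current and the previous 30 s step to tolerate small clock drift;
        # compare in constant time.
        valid = any(hmac.compare_digest(totp(secret, now - d), totp_code) for d in (0, 30))
        if not valid:
            rec.failures += 1
            if rec.failures >= self.max_failures:
                rec.used = True  # lock the token rather than let the 6-digit code be guessed
            return {"error": "invalid_grant", "error_description": "second factor rejected"}
        rec.used = True  # rotation: the presented refresh token cannot be replayed
        return self._issue(rec.sub, client_id, now)

    def introspect(self, access_token: str, now: int) -> bool:
        """What a resource server asks: is this access token known and unexpired?"""
        entry = self.access_tokens.get(access_token)
        return entry is not None and now < entry[1]


if __name__ == "__main__":
    srv = AuthServer(users={"alice": b"12345678901234567890"})  # constructed demo secret
    t0 = 1_700_000_000
    tokens = srv.login("alice", True, "mobile-app", t0)
    later = t0 + 600  # access token has expired, client falls back to the refresh token
    print(srv.refresh(tokens["refresh_token"], "mobile-app", None, later))
    code = totp(b"12345678901234567890", later)
    print(srv.refresh(tokens["refresh_token"], "mobile-app", code, later))
```

The first call to `refresh` without a code is the step-up prompt; the second, carrying the current TOTP value, succeeds and rotates the refresh token. A stolen refresh token alone therefore yields nothing without the second factor, which is the property the thesis argues for.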