In designing a REST API for an application, some services are supposed to be public, while other services are preferred to be kept private (i.e. not publicly accessible). OAuth is used by the service application.
What are the measures to be taken into account?
Some ideas in mind:
- Publish private resources under obfuscated URIs.
- Require special access keys (to be known only by authorized clients).
The most scalable way is designing the URLs such that it is trivial for an intermediary to know which resources are available for everyone and which for specific users only.
Then a proxy or servlet filter or whatever suits your current needs can do the authorization, blocking all unauthorized requests.
The actual service can now blindly trust and service all requests that do reach it.
Separation of concerns and all that.
Example:
Unauthenticated requests can reach:
/myapi/public
Request authenticated with username "joe" can also reach:
/myapi/personal/joe
401 Unauthorised:
/myapi/personal/anything_but_joe
Make sure /myapi/personal/otheruser and /myapi/personal/nonexistentuser return indistinguishable responses.
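A path-prefix gate of the kind this answer describes, written as an added Python example (not the answer's own code): the two prefixes and the `authorize` function are assumptions, and the path is normalised before the prefix check so `..` or trailing-slash variants cannot reach a different user's resource. Every denied request gets the same response object, so existing and non-existent users are indistinguishable.

```python
from dataclasses import dataclass
from posixpath import normpath
from typing import List, Optional

# Constructed sample policy mirroring the URL layout in the answer:
# one prefix open to everyone, one prefix scoped per user.
PUBLIC_PREFIX = "/myapi/public"
PERSONAL_PREFIX = "/myapi/personal"


@dataclass(frozen=True)
class Decision:
    status: int  # HTTP status the gate would send (200 = pass through to the service)
    body: str    # response body; identical for every denied request


# Single shared denial so "other user" and "no such user" look the same.
DENIED = Decision(401, "Unauthorized")


def _segments(path: str) -> List[str]:
    """Collapse '.', '..', repeated and trailing slashes, then split into segments."""
    return [s for s in normpath(path).split("/") if s]


def authorize(path: str, user: Optional[str]) -> Decision:
    """Decide, in front of the service, whether a request may proceed.

    Public URLs pass for everyone. /myapi/personal/<name> passes only when the
    authenticated user is <name>. Everything else is denied with DENIED.
    """
    segs = _segments(path)
    public = _segments(PUBLIC_PREFIX)
    personal = _segments(PERSONAL_PREFIX)

    # Segment-wise prefix comparison, so "/myapi/publicx" does not match.
    if segs[: len(public)] == public:
        return Decision(200, "pass")
    if segs[: len(personal)] == personal and len(segs) > len(personal):
        owner = segs[len(personal)]
        if user is not None and user == owner:
            return Decision(200, "pass")
    # Default deny: unknown paths, other users' data, unauthenticated callers.
    return DENIED
```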
Any resources which need to be protected and constrained to a particular segment of your audience need to have the appropriate access controls in place (basically what you're talking about in point 2). As a guide, refer to APIs from successful services such as Twitter and you'll always find a token involved.
Obfuscation is never acceptable - this is simply security through obscurity and is fundamentally flawed. Have a good read through part of the OWASP Top 10, failure to restrict URL access. The same rules apply to any resources whether they be RESTful or otherwise.