Anonymous/API Keys + OIDC

This is just a curiosity/architecture question, not running into a bug or anything!

My setup: BA as IDP/OIDC OP, downstream apps as OIDC RPs.

My use case: API protected by authentication against the BA OIDC OP (all requests throw an error unless a valid bearer/access token from an authenticated user is present). The web app is currently locked down to authenticated users, but I want to open up some routes so users can fetch data only from the web app (i.e. not from cURL, Postman, Insomnia).

My question: Does the Anonymous plugin make sense when using OIDC auth flows? Or does it make more sense to use e.g. the API keys plugin? Or something else for the use case above?
2 Replies
Ping (3d ago)
You can probably look into a captcha if you really want to make sure the endpoint is hit by the front-end. Otherwise the best bet is to check the response headers for session cookies, user agents, referer enforcement, etc.
bc 🐧🪺 (OP, 3d ago)
Header check is decent, but spoofable. CAPTCHA is a good idea; I think we are going to roll with just some simple security implementations (e.g. rate limiting), not worry about blocking other clients (e.g. cURL) after all, and see how it goes.
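As an added example (not code from the thread or from any project it mentions), here is a small Node.js gate that combines the two mitigations the replies settle on: an Origin/Referer allowlist for browser-issued requests, and a per-client fixed-window rate limit that still applies when the header check is bypassed. The allowed origin, window and limit values are placeholders, and the request keys (authenticated subject or remote IP) are whatever the caller supplies.

```javascript
// Added example, not from the thread. Framework-agnostic: pass the request's
// (lowercased) headers plus a client key, get back an HTTP status to act on.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // placeholder

// Browsers set Origin on fetch()/cross-site requests; Referer is a weaker
// fallback. Any non-browser client can set both, so this only filters casual
// callers, which is the "spoofable" caveat raised in the thread.
function originAllowed(headers) {
  const origin = headers["origin"];
  if (origin) return ALLOWED_ORIGINS.has(origin);
  const referer = headers["referer"];
  if (!referer) return false;
  try {
    return ALLOWED_ORIGINS.has(new URL(referer).origin);
  } catch {
    return false; // malformed Referer: treat as not from the web app
  }
}

// Fixed-window counter per client key; in-memory state for the example.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  // true while the client is within budget for the current window.
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// One request: 403 for a disallowed origin, 429 when over the limit, else 200.
// Bearer-token validation for the OIDC-protected routes stays in the existing
// auth middleware and is deliberately not duplicated here.
function gate(headers, clientKey, limiter, now) {
  if (!originAllowed(headers)) return 403;
  if (!limiter.allow(clientKey, now)) return 429;
  return 200;
}

// Constructed sample request from the allowed origin
const limiter = new RateLimiter(3, 60_000);
console.log(gate({ origin: "https://app.example.com" }, "10.0.0.1", limiter));
```

The rate limiter is keyed on whatever identity you can trust most for the route (an authenticated subject where one exists, otherwise the client address), so that a client which forges the headers is still throttled.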
