Secure API Authentication Using OAuth
Why OAuth?
API keys are used to authenticate users. They are a sound mechanism on their own, but adding OAuth on top of them, so that each request carries a short-lived access token rather than the long-lived key, makes user requests even more secure.
How OAuth Works
Let's start with some terminology:
- Client Credentials Grant - the OAuth 2.0 flow used here: the Client APP authenticates with its own Application Id and Application Secret and receives an access token
- MD Cloud API - the MetaDefender Cloud REST API
- Client APP - any application that requires access to our MD Cloud API resources
- OAuth Tenant - the dedicated Authorization Server for the MD Cloud API
Here are the steps (plus a diagram below) that detail how the OAuth authentication mechanism works:
- The Client APP requests an access token from our OAuth Tenant
- The OAuth Tenant validates the Application Id and Application Secret and generates an Access token
- The OAuth Tenant sends the token information back to the Client APP
- The Client APP makes requests to our MD Cloud API, sending the access token in the Authorization header
- The MD Cloud API verifies the JWT access token
- If the token is valid the MD Cloud API can process the request

Example Code
Below are some code snippets to help you get started using OAuth.
Authentication Request
POST https://api.metadefender.com/v4/oauth2/token
Headers:
- Authorization: Basic BASE64(<CLIENT_ID>:<CLIENT_SECRET>)
Where:
- CLIENT_ID: the application client id
- CLIENT_SECRET: the application client secret
Authentication Response
{
"access_token": string, // a valid access token
"expires_in": number, // token lifetime in seconds
"token_type": string // always "Bearer"
}
API Request
https://api.metadefender.com/v4/<endpoint>
Headers:
- Authorization: Bearer <ACCESS_TOKEN>
API Error Response
Expired token
If you receive an expired-token response, submit a new authentication request to obtain a fresh token.
{
"error": {
"code": 401009,
"messages": [
"OAuth token has expired"
]
}
}
Invalid token
{
"error": {
"code": 401010,
"messages": [
"OAuth token is invalid"
]
}
}
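The token lifecycle described above, as an added example that is not part of this page or OPSWAT's own SDK: a Python client that requests a token with the Basic header, caches it until expires_in elapses, and on a 401009 response re-authenticates once and retries, while a 401010 response is surfaced as an error. The send transport, the credentials and fake_server are constructed stand-ins so the example runs offline; a real deployment would replace send with an HTTP call.

```python
import base64
import time

TOKEN_URL = "https://api.metadefender.com/v4/oauth2/token"
API_BASE = "https://api.metadefender.com/v4/"
EXPIRED, INVALID = 401009, 401010  # error codes documented above

class MDCloudClient:
    """Client credentials grant: fetch a token, cache it, re-authenticate when it expires."""
    def __init__(self, client_id, client_secret, send):
        # send(method, url, headers) -> (status, json_body); plug in real HTTP for production.
        self._basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._send, self._token, self._expires_at = send, None, 0.0
    def authenticate(self):
        status, body = self._send("POST", TOKEN_URL, {"Authorization": self._basic})
        if status != 200 or body.get("token_type") != "Bearer":
            raise RuntimeError(f"token request failed: {status} {body}")
        self._token = body["access_token"]
        self._expires_at = time.time() + body["expires_in"] - 30  # renew 30 s early (our margin)
    def request(self, method, endpoint, _retry=True):
        if self._token is None or time.time() >= self._expires_at:
            self.authenticate()
        status, body = self._send(method, API_BASE + endpoint, {"Authorization": f"Bearer {self._token}"})
        code = (body.get("error") or {}).get("code")
        if status == 401 and code == EXPIRED and _retry:  # server-side expiry: re-auth once, retry
            self._token = None
            return self.request(method, endpoint, _retry=False)
        if status == 401 and code == INVALID:
            raise PermissionError("OAuth token is invalid; re-check the client id and secret")
        return status, body

def fake_server():
    """Constructed stand-in for the API (not a real server): the first token it issues is rejected as expired."""
    issued = []
    def send(method, url, headers):
        auth = headers.get("Authorization", "")
        if url == TOKEN_URL and auth.startswith("Basic "):
            issued.append(f"tok{len(issued) + 1}")
            return 200, {"access_token": issued[-1], "expires_in": 3600, "token_type": "Bearer"}
        if auth == "Bearer tok1":
            return 401, {"error": {"code": EXPIRED, "messages": ["OAuth token has expired"]}}
        if issued and auth == f"Bearer {issued[-1]}":
            return 200, {"endpoint": url[len(API_BASE):]}
        return 401, {"error": {"code": INVALID, "messages": ["OAuth token is invalid"]}}
    return send, issued

def demo():
    send, issued = fake_server()
    client = MDCloudClient("my-client-id", "my-client-secret", send)  # placeholder credentials
    return client.request("GET", "file/abc123")[0], len(issued)  # (200, 2): exactly one re-auth
```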
How to Set Up OAuth in the MetaDefender Cloud UI
First, log into your account at metadefender.opswat.com and navigate to the security page.

On this page you can configure your OAuth clients. Start by clicking "Add API Client" as shown in the screenshot below:

From there, you can name your first OAuth client. Once you have named it, click the "add" button to the right of the text box.

Once you have added your OAuth client name, you will be given a client ID as shown below:

You can also click on the text to the right of your client ID to reveal your client secret, which you will also need in order to use OAuth:

You can also remove OAuth clients if necessary by clicking the checkbox to the right of your client information and then clicking the red "Remove" button as shown below:
