
Erwin (Level 3)

API authentication in Iframe

Hi @ all!

We are building a link/iframe that users can use on their website to post information to our CRM via our API. I want them to authenticate with their own API credentials. I'm not sure how to fix this because they can't pass their credentials to the iframe. Every user has his own URL like iframe.domain.com/{user_id}. Based on the user ID I want to authenticate that user, but I want to avoid that someone else can use that link too and abuse our API. We have API IP whitelisting, but I can't use this because the remote IP will be the IP of whoever is submitting the form and not the server that is hosting the form.

Hope someone can help me out.

lostdreamer_nl

So, in your iframe you have the user_id and the referer domain (which you should be able to link to the authorized API).

So you could do something like the following:

  • have the external website do a request to your API first, passing the user ID and their API secret
  • your API will respond with a unique hash and saves this hash with the api_id and user_id into a table (allowed_iframes?)
  • the external website now shows an iframe to iframe.domain.com/user_id/{unique_hash}

Your website can now check if user_id and unique_hash belong to each other; if not, throw an exception.

You wouldn't even need the user_id in the iframe's URL this way, just the unique hash (and make sure to remove the hash from the table after 1 day or so, or perhaps also the next time you get an API call to create an allowed iframe).
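The three-step flow described in the reply, written out as a small in-memory model. This is an added example and not code from either poster; the class, method and table names (IframeAuth, allowed_iframes as a dict, the credential store as a dict of api_id to user_id/secret) are all assumptions, as is the 24-hour lifetime, which follows the "1 day or so" suggestion. The customer's server calls issue_iframe_token with its API secret (the secret never reaches the browser), embeds the returned token in the iframe URL, and every request the iframe makes back, render and form submission alike, is resolved through that token to the API user it was issued for.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not from the original thread). All names are hypothetical.

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed: "remove the hash after 1 day or so"


@dataclass
class IframeGrant:
    """One row of the hypothetical allowed_iframes table."""
    user_id: str
    api_id: str
    expires_at: float


class IframeAuth:
    def __init__(self, api_credentials):
        # api_id -> (user_id, api_secret); stands in for the real credential store.
        self._creds = api_credentials
        self._grants = {}       # token -> IframeGrant (the allowed_iframes table)
        self.crm_records = []   # stands in for the CRM the form posts into

    def issue_iframe_token(self, api_id, api_secret, user_id, now=None):
        """Steps 1 and 2: the customer's server (not the browser) calls this
        with its API secret and gets back the unique token for the iframe."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        expected_user, expected_secret = self._creds.get(api_id, ("", ""))
        # Constant-time comparison of the secret; an unknown api_id compares
        # against an empty secret and fails the same way.
        secret_ok = hmac.compare_digest(expected_secret.encode(), api_secret.encode())
        if not secret_ok or expected_user != user_id:
            raise PermissionError("invalid API credentials")
        # Drop any earlier grant for this api_id: "the next time you get an
        # API call to create an allowed iframe" the old hash is removed.
        for old in [t for t, g in self._grants.items() if g.api_id == api_id]:
            del self._grants[old]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._grants[token] = IframeGrant(user_id, api_id, now + TOKEN_TTL_SECONDS)
        return token

    @staticmethod
    def iframe_url(token):
        """Step 3: the src the customer embeds. No user_id needed in the URL."""
        return f"https://iframe.domain.com/{token}"

    def resolve_token(self, token, now=None):
        """Run on every request to the iframe endpoint (render and submit).
        Unknown or expired tokens are rejected; a valid grant identifies the
        API user on whose behalf the iframe acts."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None or grant.expires_at <= now:
            self._grants.pop(token, None)
            raise PermissionError("unknown or expired iframe token")
        return grant

    def submit_form(self, token, payload, now=None):
        """The browser posts the form to iframe.domain.com/{token}. The CRM
        write is attributed to the grant's user, never to anything the
        browser supplied."""
        grant = self.resolve_token(token, now)
        record = {"user_id": grant.user_id, "api_id": grant.api_id, **payload}
        self.crm_records.append(record)
        return record

    def _purge_expired(self, now):
        for t in [t for t, g in self._grants.items() if g.expires_at <= now]:
            del self._grants[t]


if __name__ == "__main__":
    # Constructed sample credential: api_id "api-1" belongs to user "42".
    auth = IframeAuth({"api-1": ("42", "s3cret")})
    tok = auth.issue_iframe_token("api-1", "s3cret", "42")
    print(auth.iframe_url(tok))
    print(auth.submit_form(tok, {"name": "Jane", "email": "jane@example.com"}))
```

Two things worth keeping in mind with this design: the token is visible in the customer's page source, so anyone who loads that page can post through the iframe until the token expires or is rotated, which is why the lifetime is short and a fresh token is issued per API call; and the API secret is only ever checked on the server-to-server call, so the browser never sees it.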
