Skip to Main Content
Status Next
Categories Batch API
Created by Guest
Created on Apr 25, 2023

Add Oauth security to the batch API

It's now possible to authenticate to the Batch API with OAuth. This is great and a big improvement in sending the key as a query string of the URL which is very easy for a bad actor to sniff out and copy.

However, there is no way to enforce that a certain key or institution uses this OAuth and it is simply there to future proof progressive consumers who are OAuth ready.

I've been contacting all of my Batch API consumers asking them to please start to use OAuth and put it in their road maps.

Can iSAMS add a checkbox to enable/disable the use of query string provided API keys so that we can effectively phase out their use as quickly as possible? I will insist on IP filtering for all consumers that do not use OAuth to help cover some of the risk.

  • Guest
    Reply
    |
    May 1, 2024

    SchoolPost have now consolidated to a single IP. Also thank you for marking this as a Next item. All the newer modules and developments are coming out secure by default. Unfortunately, the older bits the opposite and can require a lot of thought and work to secure after the fact. I don't imagine all schools understand all of the risks and mitigations so thank you for sweeping through the old bits to help secure them too.

  • Guest
    Reply
    |
    Apr 29, 2024

    This has become more pressing. SchoolPost have moved to a cloud with shared IP addresses. I can no longer secure the SchoolPost API key by IP effectively and so I can longer securely use SchoolPost Sync. If either iSAMS or SchoolPost took security seriously this could be resolved quite easily.

  • +1