I am looking into re-architecture some of the APIs my organization is using. I am currently trying to work out the best way for application communication. Some background:
I have 1 Prod server (Symfony 4 ) ) which provides APIs along with 900 customer servers which have these APIs. Likewise, I also have 900 customer servers that provide APIs. I want to work out an authorization and authentication scheme to secure these APIs. OAuth of course comes to mind. Some questions in my head are:
- Do I want to conduct an oauth host? If I host an server on the PROD server that eases this two way communication or would be suffice?
Many of the 900 client sites (unfortunately) do not have ssl. Oauth2 https is needed for utilizing. Is there any way round this? By perhaps encrypting the post body separately? With no ssl on customer server api calls from my own host to client are secure.
In future we’d want to provide the”Login with XYZ” choice, so that our clients can login using the very same credentials across products.Would it require another oauth server? Or can it be accomplished using this oauth flow itself?
Does someone have some thoughts/advice?