How to protect the token for a reverse proxy server

I know what a reverse proxy is and how it works. I just want to know what happens if a hacker gets the access token from our client application and accesses our reverse proxy server directly. What's the benefit of using a reverse proxy in this case?

I tried searching the internet for the answer, but all the results only explain what a reverse proxy is and what its benefits are.
I want to know about the above question.

> Solution:

In short: your third-party API keys won't be compromised.

Note:

If I read the article correctly, it is about not embedding third-party API keys directly into your mobile applications. Instead you can use a reverse proxy to protect those keys (only the proxy knows them; the app has its own secret, which is used to authorize on the proxy). But in my interpretation a reverse proxy is not for that (though it can be used for this too).

Instead I would create my own API where the user has to log in with his unique credentials (that way he gets a custom access token, and nothing is embedded in the app code).

Think of this "reverse proxy" as your custom API (an API gateway acts as a reverse proxy to accept all application programming interface (API) calls, aggregate the various services required to fulfill them, and return the appropriate result), hiding everything (and because you have control over your own API, you can implement, for example, user login etc.).

The access token has a short lifetime (it can be only a few minutes), and in that way the attacker has only a limited window to access the API (if malicious activity is detected, the user can re-login and get a new access token, for example).
