
Best authentication method to grant API access to Rails app

I would like to offer authenticated API access to my web app. The consumers of such a service are typically other web sites/services.

What would be the best method of authenticating these users? OAuth, OpenID, HTTP authentication?

cbrulak asked Jan 12 '11 18:01


1 Answer

As with so much in our line of work, the answer to "which is best?" is "it depends." :)

  • HTTP Authentication - If you're already letting clients log in to your service via an ID and password, you'll probably only have to do minimal work to get this to play nicely with your API. If your API is basically mono-purpose and doesn't require detailed permissions, you can get something working fairly quickly here.

  • API Token - If you want clients to be able to authenticate easily without providing a password (think companies that build a service that interacts with your API; maybe the IT dept. doesn't want the dev. team knowing the passwords; etc.), then attaching a random API token à la GitHub to the user account is probably the quickest way to go. As a bonus, you can supply a method for regenerating the API token without having to change the account password.

  • OAuth - If you have multiple permissions or want finer-grained control over how and when a client can access your API, OAuth is a pretty good bet (OAuth2 is much easier to work with, IMO, and supports multiple methods of obtaining an access token). Furthermore, many languages have libraries, gems, etc. that will allow them to simplify the OAuth workflow.

Michelle Tilley answered Oct 23 '22 07:10
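The API token option from the answer above, as an added example (not code from the answer or from any Rails gem): a random per-account token that can be regenerated without touching the account password. `ApiTokenStore`, its method names and the in-memory hash standing in for a users table are hypothetical; storing only a SHA-256 digest of the token and comparing in constant time are choices made for this example.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for a users table; in a Rails app the
# token digest would be a column on the user model.
class ApiTokenStore
  Account = Struct.new(:login, :password_hash, :token_digest)

  def initialize
    @accounts = {}
  end

  def add_account(login, password_hash)
    @accounts[login] = Account.new(login, password_hash, nil)
  end

  # Issue or regenerate the token. The plaintext is returned exactly once;
  # only its digest is kept, so a leaked table holds no usable tokens.
  # Overwriting the digest revokes the previous token immediately.
  def issue_token(login)
    account = @accounts.fetch(login)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    account.token_digest = Digest::SHA256.hexdigest(token)
    token
  end

  # Resolve a presented token to its account, or nil if it matches nothing.
  def authenticate(presented)
    return nil unless presented.is_a?(String) && !presented.empty?
    digest = Digest::SHA256.hexdigest(presented)
    @accounts.each_value.find do |a|
      a.token_digest && secure_equal?(a.token_digest, digest)
    end
  end

  def password_hash(login)
    @accounts.fetch(login).password_hash
  end

  private

  # Constant-time comparison: always walks every byte of equal-length input.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The client would send the token over HTTPS on each request, and the server would look the account up with `authenticate` before running the API action.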