Designing a web api: How to authenticate?

I am designing a web api. I need to let the user authenticate themselves. I am a little hesitant to let the user pass in their username/password in cleartext... something like: api.mysite.com/auth.php?user=x&pass=y

Another option I read about was Base64 encoding the username/password and then sending an HTTP request. So does that mean that on the server side, I would _GET['user'] and _GET['password'] and then somehow decode them?

Is that what twitter does: http://apiwiki.twitter.com/REST+API+Documentation#Authentication ?

shergill asked Mar 10 '09 14:03



4 Answers

Base64 is no protection at all. Use SSL for real security.

mthurlin answered Sep 18 '22 03:09



As mentioned by truppo, first use SSL.

What many web services do is have an "authenticate" service that returns a token that is then used later, and can be used in plaintext, since it's only valid for a limited amount of time. When it expires, the client simply does another authenticate.

The key benefit of this is that it reduces the number of SSL requests, which lightens the load on the server.

Tim Sullivan answered Sep 21 '22 03:09

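The token scheme this answer describes, as an added example (not code from the answer or from any project it mentions): the "authenticate" call is the only one that must run over SSL, it hands back a time-limited token, and every later request only needs the token checked for authenticity and expiry. The server key, salt, user store, TTL and token layout `user|expiry|nonce|mac` are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret and user store, for this example only.
SERVER_KEY = b"example-server-key-replace-and-rotate"
TOKEN_TTL = 15 * 60  # seconds a token stays valid before the client must re-authenticate
_SALT = b"example-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def authenticate(username, password, now=None):
    """The 'authenticate' service. Only reachable over SSL, because the
    password travels in this request. Returns a token, or None on failure."""
    stored = USERS.get(username)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    return issue_token(username, now)


def issue_token(username, now=None, ttl=TOKEN_TTL):
    """Build 'user|expiry|nonce|mac'. The MAC covers the expiry, so a client
    cannot extend a token's lifetime; the nonce makes every token distinct."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl}|{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, now=None):
    """Run on every later API request. Returns the username the token was
    issued to, or None if it is malformed, forged, tampered with or expired."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, expiry, nonce, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{expiry}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # MAC mismatch: forged or edited token
    if not expiry.isdigit() or int(expiry) <= now:
        return None  # expired: the client simply calls authenticate again
    return username
```

Because the token is only valid for TOKEN_TTL seconds, sending it in plaintext on later requests limits what an eavesdropper gains, which is the trade-off the answer describes.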


Just this week the IETF published a new draft discussing security properties of the various authentication mechanisms in HTTP. You should find helpful information there.

Personally I'd recommend at least reading about digest authentication and analyzing whether that's suitable for you.

Using SSL might also be an option. However, it also addresses additional issues at the expense of performance, cacheability and others. It keeps the payload data confidential. If this is a requirement, then it's your way to go.

mkoeller answered Sep 21 '22 03:09



If this is a webservice, you'd better use a more secure form of authentication. Look, for example, at the LiveJournal protocol: Challenge-Response.

Eugene Morozov answered Sep 20 '22 03:09
