Practical examples of authorizing a RESTful service?

There are many excellent questions (and answers) on S.O. around the subject of REST and security. Many say "purists won't like this, but blah blah"... and then others say "you should never do that, because blah blah".

But I have not seen the solution that the "purists" are suggesting for the following scenario. So my question is - what are the "pure RESTful solutions" to the following scenario?

The simple scenario...

Imagine building a database/website that lets a user manage their favorite recipes. The website exposes a RESTful API so that users can query and manipulate their list from a custom program that they want to write (that utilizes this API).

So, user "A" has 3 favorite recipes with the IDs "1", "2" and "3".

User "B" has 2 favorite recipes with the IDs "4" and "5".

We need to make sure that if user A sends a DELETE command to /Recipes/4, he gets a Forbidden (403) response.

What I would normally do...

What I would normally do is make them first call an authentication method, and send them some sort of auth-token that is valid for 30 minutes or so. Typically this token would be passed via a cookie.

What is the pure solution?

Is the pure REST solution to have them pass it as a variable in the query string? Are cookies the devil? Should the token be used as a segment of the URL (as opposed to a query string parameter)? Is there something else that answers this question clearly?

Timothy Khouri asked Jun 02 '12 02:06

2 Answers

Pass the token in the Authorization header. That's what it is designed for. See http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-12.html

Darrel Miller answered Nov 15 '22 10:11

Treat the auth token as a resource.

You authenticate by GETting an auth token, with the parameters being your credentials (basic auth over HTTPS, for example).

Log out by DELETEing the auth token resource you got when logging in.

matb33 answered Nov 15 '22 10:11
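The two answers fit together: the token is a resource you create with your credentials and delete to log out (matb33), and on every other request it travels in the `Authorization` header (Darrel Miller). The following is an added example written for this page, not code from either answer; it models the question's scenario (user A owns recipes 1-3, B owns 4-5, a 30-minute token) with constructed in-memory data and demo passwords. It assumes a `/Tokens` collection created with `POST` rather than `GET` (creating a resource is not a safe method, and keeping credentials out of URLs keeps them out of access logs; the flow is otherwise exactly the answer's), uses the `Basic` scheme of RFC 7617 to create the token and the `Bearer` scheme of RFC 6750 to present it, and stores only a SHA-256 of each token so a leaked store does not hand out live sessions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample data standing in for the recipe database (assumption):
# user "A" owns recipes 1-3 and user "B" owns 4-5, as in the question.
USERS = {"A": "correct horse", "B": "battery staple"}  # demo passwords, plaintext only here
RECIPES = {1: "A", 2: "A", 3: "A", 4: "B", 5: "B"}     # recipe id -> owning user
TOKENS = {}             # sha256(token) -> (user, expiry); this is the /Tokens collection
TOKEN_TTL = 30 * 60     # 30 minutes, the lifetime the question mentions


def basic_header(user, password):
    """Build 'Authorization: Basic base64(user:password)' as a client would (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def bearer_header(token):
    """Build 'Authorization: Bearer <token>' (RFC 6750)."""
    return "Bearer " + token


def _user_from_basic(auth):
    """Validate Basic credentials; return the username or None."""
    if not auth or not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):   # bad base64 / bad UTF-8
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def _user_from_bearer(auth, now):
    """Validate a bearer token against the token store; return the username or None."""
    if not auth or not auth.startswith("Bearer "):
        return None
    entry = TOKENS.get(hashlib.sha256(auth[7:].encode()).hexdigest())
    if entry is None or now >= entry[1]:       # unknown, deleted, or expired
        return None
    return entry[0]


def handle(method, path, headers, now=None):
    """Route one request; return (status, body). 'headers' is a plain dict."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    parts = [p for p in path.split("/") if p]

    # The token resource: create it with Basic credentials, delete it to log out.
    if parts[:1] == ["Tokens"]:
        if method == "POST" and len(parts) == 1:
            user = _user_from_basic(auth)
            if user is None:
                return 401, {"WWW-Authenticate": 'Basic realm="recipes"'}
            token = secrets.token_urlsafe(32)
            TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL)
            return 201, {"token": token, "expires_in": TOKEN_TTL}
        if method == "DELETE" and len(parts) == 2:
            user = _user_from_bearer(auth, now)
            if user is None:
                return 401, {"WWW-Authenticate": "Bearer"}
            key = hashlib.sha256(parts[1].encode()).hexdigest()
            entry = TOKENS.get(key)
            if entry is None:
                return 404, {}
            if entry[0] != user:
                return 403, {}                 # you may only end your own session
            del TOKENS[key]
            return 204, {}
        return 405, {}

    # Everything else: the token must arrive in the Authorization header.
    user = _user_from_bearer(auth, now)
    if user is None:
        return 401, {"WWW-Authenticate": "Bearer"}  # not authenticated at all

    if parts[:1] == ["Recipes"]:
        if method == "GET" and len(parts) == 1:
            return 200, {"recipes": sorted(r for r, owner in RECIPES.items() if owner == user)}
        if len(parts) == 2:
            try:
                rid = int(parts[1])
            except ValueError:
                return 404, {}
            owner = RECIPES.get(rid)
            if owner is None:
                return 404, {}
            if owner != user:
                return 403, {}                 # authenticated, but not this user's recipe
            if method == "DELETE":
                del RECIPES[rid]
                return 204, {}
            if method == "GET":
                return 200, {"id": rid, "owner": owner}
        return 405, {}
    return 404, {}


if __name__ == "__main__":
    _, body = handle("POST", "/Tokens", {"Authorization": basic_header("A", "correct horse")})
    hdr = {"Authorization": bearer_header(body["token"])}
    print("A deletes /Recipes/4 ->", handle("DELETE", "/Recipes/4", hdr)[0])
    print("A deletes /Recipes/1 ->", handle("DELETE", "/Recipes/1", hdr)[0])
```

Two things worth noticing in the status codes: a missing or expired token is a 401 with a `WWW-Authenticate` challenge (the client has not proven who it is), while user A's `DELETE /Recipes/4` is a 403 (the client is known and simply not allowed), which is exactly the split the question asks for; some APIs deliberately answer 404 there instead so that a caller cannot enumerate other users' recipe IDs. Both schemes send the secret in cleartext inside the header, so this only works over TLS, which is why the answer says "over https".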