Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

RESTful API Authentication

I have found quite a few questions on this topic on SO, but couldn't find any answering this question:

Should I validate users with their username and password, or with an API key? And what are the pros and cons of each method.

I ask this because in my API, there are a couple of methods I'd like to lock down and verify that the user has access to some document or action. I'm a bit reluctant to authenticate by having the user send an HTTP AUTH header with their username and password because it feels unsecured and a bit more of a hassle for the user. On the other hand, though, if I use an API key, what's the point of the user ever creating a password? As they will no longer be using it to access features of the API.

UPDATE

If other readers of this are curious what I ended up using, I decided to copy how Amazon does their validation (good explanation here: https://www.ida.liu.se/~TDP024/labs/hmacarticle.pdf)

like image 420
Obto Avatar asked Sep 30 '11 06:09

Obto


People also ask

What is REST API authentication?

REST APIs support the following methods for authenticating user requests: Token-based authentication. This method lets you obtain the authentication token for a session, and pass the token for subsequent API requests.

How do I authenticate a restful web service?

Use of basic authentication is specified as follows: The string "Basic " is added to the Authorization header of the request. The username and password are combined into a string with the format "username:password", which is then base64 encoded and added to the Authorization header of the request.


1 Answers

you can use HTTP Authentication over SSL and that's secure enough. However it makes consumption of API a bit difficult as it requires the client library to support SSL. SSL can affect the performance too if you're expecting too many calls simultaneously.

API key option is just as insecure as HTTP Authentication without SSL. If you're not concerned with security then API Key is the easiest for consumers of the API.

like image 90
Muhammad Hasan Khan Avatar answered Oct 17 '22 23:10

Muhammad Hasan Khan