We have a .NET web service API. Currently, people use the SOAP definition to consume the API, because we require authentication through a custom Authentication element in the SOAP header. Works perfectly fine.
SOAP requires the request to be a POST. We want to allow the users to use the GET verb (so it can be cacheable).
So, what's the best way to offer a simple GET API (doesn't have to be a webservice!) that also offers authentication?
Example API route:
http://www.blah.com/api/Search?query=Foo
Is this an acceptable and common practice?
http://www.blah.com/api/Search?query=Foo&Key=<some guid>
NOTE: I also don't want to implement SSL nor install extra software or plugins in IIS, etc. etc.
OAuth (specifically, OAuth 2.0) is considered a gold standard when it comes to REST API authentication, especially in enterprise scenarios involving sophisticated web and mobile applications.
Implement the Web Service Access Key
Then use the account's credentials, which include the user name and access key, in a web service application. For example, if you develop your own web service application, then you can design your application to programmatically pass the credentials to the web service.
Biometric Authentication Methods
Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today.
Digest authentication is an authentication mechanism in which a Web application authenticates itself to a web service by sending the server a digest, which is a cryptographic hash of the password, nonce, and timestamp.
If the web service needs to be secured, and I'm assuming that it does since you currently have an Authentication header, then you should reconsider using GET and not using SSL, at least for the authentication piece. At a minimum I would POST the authorization request via SSL to the web service/application. If you don't want to provide authentication on every request, then you will need to accept back (and generate in the service) an authorization cookie that the consumer can use for subsequent requests.
I would avoid using authentication in the URL for exactly the reason that you want to support GET -- if the URL can be cached, then the credentials will be cached as well. This breaks the security of the web service since anyone can reuse the cached credentials.
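As an added illustration of what the two answers above describe (a per-request digest over a nonce and timestamp, with the credential carried in a header so the cacheable URL never contains it), here is a signed-header scheme written in Python; it is not code from the question's .NET service, and the key id, shared secret, header layout and in-memory nonce cache are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample consumer and shared secret (placeholder values).
SECRETS = {"client-1": b"constructed-shared-secret"}
MAX_SKEW = 300             # seconds a request timestamp may differ from server time
_seen_nonces: set = set()  # hypothetical replay cache; production needs a store with expiry


def canonical(method: str, url: str) -> str:
    """The part of the request that is signed: verb, path and query string."""
    parts = urlsplit(url)
    return f"{method.upper()} {parts.path}?{parts.query}"


def sign_request(key_id: str, method: str, url: str, now=None, nonce=None) -> str:
    """Client side: build the header value. The URL itself is left untouched."""
    ts = str(int(now if now is not None else time.time()))
    nonce = nonce or secrets.token_hex(8)
    msg = f"{canonical(method, url)}\n{ts}\n{nonce}".encode()
    mac = hmac.new(SECRETS[key_id], msg, hashlib.sha256).hexdigest()
    return f"{key_id}:{ts}:{nonce}:{mac}"


def verify_request(method: str, url: str, header: str, now=None):
    """Server side: returns (accepted, reason) for one incoming request."""
    try:
        key_id, ts, nonce, mac = header.split(":")
        ts_int = int(ts)
    except ValueError:
        return False, "malformed header"
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key"
    now = now if now is not None else time.time()
    if abs(now - ts_int) > MAX_SKEW:          # reject old requests outright
        return False, "stale timestamp"
    msg = f"{canonical(method, url)}\n{ts}\n{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False, "bad signature"
    if nonce in _seen_nonces:                  # same signed request seen before
        return False, "replayed nonce"
    _seen_nonces.add(nonce)
    return True, "ok"
```

Without TLS this only proves who sent the request and bounds replay; the query string and response are still visible on the wire, which is the trade-off the answer above points at.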
If your clients are on the same domain, you can turn on Integrated Windows authentication in your IIS application. Your application will now accept Windows-authenticated users only. Add your own RoleProvider for finer, role-based granularity.