REST API - advice

Two-legged oauth is one option. You won't actually find that term in the oauth specification; however, if you are just wanting API authentication then all you need is the message signing parts of oauth. Using it this way has become colloquially referred to as two-legged oauth.

There is some sample code from the oauth group here (it is a subversion repository that has anonymous read on):

http://oauth.googlecode.com/svn/code/java/

Specifically for the message validation take a look at the validateMessage() method in the SimpleOAuthValidator class.

http://oauth.googlecode.com/svn/code/java/jmeter/core/commons/src/main/java/net/oauth/SimpleOAuthValidator.java

Basically how it works is you give a private key (consumer secret in oauth speak) to the person (different for each user) using your api. They hash the calls to your API with their secret key, then when you get the request you do the same hashing algorithm (since you have the private key too) and if they match you now that person is authenticates. A username is also passed in the request (consumer key in oauth speak), if they authenticate then you can authorize with that username (and of course you need that username to look up their private key). The only time the private key is sent over the wire is during the initial key exchange (use SSL website to generate and transfer).

OAuth has a very strict way of generating the hash that is the message signature (Section 3 of the RFC http://tools.ietf.org/html/rfc5849#section-3). The sample code I link to above has an implementation of it. As far as user's making requests to your API there are plenty of libraries out there that can generate good oauth requests (i.e. with the strict hash generation in section 3) in a variety of languages (see http://oauth.net/code/). Signpost can generate oauth requests if your API users will be using Java: http://code.google.com/p/oauth-signpost/

The only thing that would then be up to you is generation of the private keys. You can hit google for some ideas. One way if you run on a unix platform you can get read random bytes from /dev/random then hash them. (how many bytes you read will determine how secure your keys are).

I read that article. Still I don't know how to provide the secret key to an application downloaded from appstore or any other mobile store.

On Thu, Aug 2, 2012 at 8:35 PM, Parmeley, Michael <[hidden email]> wrote:

Here is another good writeup. He ends up describing two-legged oauth:

http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

On Aug 2, 2012, at 11:46 AM, Mihai Cazacu <[hidden email]> wrote:

> Hi,
>
> I'm trying to decouple my applications using this schema:
>
> [db1] \                 / [android]
> [db2]  - [rest api] -  [iphone]
> [dbN] /                \ [web]
>
> and I don't know how to implement authentication/authorization for REST requests. What do you recommend:
> basic auth + SSL, oauth1, oauth2, SSL only for login and the rest of the requests using an accessToken?
>
> Eventually, do you know some useful links?
>
> Thanks,
> Mihai
>

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

--
Mihai Cazacu
Software Engineer
E-mail: [hidden email]
Mobile: <a href="tel:%2B40%20745%20254%20657" value="+40745254657" target="_blank">+40 745 254 657
Skype: cazacugmihai

Twitter: cazacugmihai

On 2 Aug 2012, at 17:46, Mihai Cazacu <[hidden email]> wrote:

> Hi,
>
> I'm trying to decouple my applications using this schema:
>
> [db1] \                 / [android]
> [db2]  - [rest api] -  [iphone]
> [dbN] /                \ [web]
>
> and I don't know how to implement authentication/authorization for REST requests. What do you recommend:
> basic auth + SSL, oauth1, oauth2, SSL only for login and the rest of the requests using an accessToken?
>
> Eventually, do you know some useful links?

I'm currently still a fan of conventional HTTP Basic auth using disposable API Keys. Preferably over SSL where that is important.

Remember however that SSL is not for encryption, it is for trust.

Marc

~ ~ ~
Marc Palmer
Freelancer (Grails/Groovy/Java/UX)

I offer commercial support for Grails plugins from as low as $50/mo.
For details see: http://grailsrocks.com

Blog: http://www.anyware.co.uk | Resumé: http://www.anyware.co.uk/marc
Contributor @ http://grails.org |  Founder @ http://noticelocal.com
Developer @ http://weceem.org | Member @ http://spottymushroom.com
Twitter: http://twitter.com/wangjammer5


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email

On 3 Aug 2012, at 10:25, Mihai Cazacu <[hidden email]> wrote:

> 1. What do you mean with "Basic auth with tokens instead of passwords" (let's say for a mobile app downloaded from appstore)?
>

You have REST API calls for:

1) registration
2) login

Depending on your auth policy (is email confirmation required etc) you take encoded passwords as payload on those two calls and store them in the server, and the responses typically would include an API key that is used as HTTP Basic auth on all future REST requests.

The API key can be stored in the client until such a time that the credentials are rejected by the server (i.e. after a password reset or key regen due to compromise), so future login calls are not needed unless the user re-installs the app or provisions a new device.

> 2. You say that the password will be hashed and salted on the client? I though that this action happens on the server side.

There's no reason to send the actual password over the wire. Even under SSL is it an unnecessary security risk. The server does not need to know anything about real passwords, just a hash value to compare to.

Marc

~ ~ ~
Marc Palmer
Freelancer (Grails/Groovy/Java/UX)

I offer commercial support for Grails plugins from as low as $50/mo.
For details see: http://grailsrocks.com

Blog: http://www.anyware.co.uk | Resumé: http://www.anyware.co.uk/marc
Contributor @ http://grails.org |  Founder @ http://noticelocal.com
Developer @ http://weceem.org | Member @ http://spottymushroom.com
Twitter: http://twitter.com/wangjammer5


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email