I'm writing a simple iPhone application that brings a particular website experience onto the rich world of the iPhone.

The website currently doesn't talk to any clients other than browsers, so it doesn't have an API.

I'm trying to design an API for consumption by my iPhone app as well as other rich clients.

With REST and XML/JSON formats I have the wire formats and protocol, but I'm unsure about how to handle authentication.

The vast majority of resources are publicly accessible, perfect for HTTP. But for protected resources, my first thought was to include the username/password inside each HTTPS request, which the server should verify each time.

My question is, are there any established patterns for web server to rich client authentication?

I can imagine OAuth being a good solution, but it seems a bit heavy-handed.

Are there any other solutions and patterns?

Any response is greatly appreciated.