views: 214

answers: 3

Hey folks,

I am working on a REST API for a web application that up until now we have developed internally for a couple of companion applications. Now that we are looking at opening up to outside developers, we want to add tokens to the API in order to help identify who is making requests and in general to help manage its use. At this point we are using https and basic authentication for user authentication on the API.

The token scheme we've been discussing would be very simple where each developer would be assigned 1 or more tokens and these tokens would be passed as a parameter with each request.

My question is if you've done something similar before how did you do it (did you do more or less, how did you handle security, etc) and do you have any recommendations?

Thanks!

+3  A: 

First, you might want look at http://OAuth.net. Depending on your usecases, it might provide the security you need.

As to the token, it's a BLOB to most protocols, including OAuth. You can put any information you need in it in any format.

Here is what we do,

  1. First we assign each developer a key with associated secret.
  2. The token itself is an encrypted set of name-value pairs. We put things like username, expiry, session id, roles etc. in there. It's encrypted with our own secret so no one else can make it.
  3. For ease of use with web API, we use the URL-safe version of Base64 so the token is always URL-safe.

Hope that helps!

ZZ Coder
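The scheme in this answer (secret-keyed encrypted name-value token, URL-safe Base64) as a worked example. This is added code, not ZZ Coder's or the poster's implementation: the claim field names, the AES-GCM choice, the 32-byte sample secret and the `Mint`/`Verify` names are all assumptions made for the example. AES-GCM is used rather than plain encryption because its authentication tag is what actually stops a third party from minting or editing tokens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is the name-value payload carried inside the token; the field set
// follows the answer (username, expiry, session id, roles). Short JSON keys
// keep the token compact. The field names are assumptions for this example.
type Claims struct {
	Username  string   `json:"u"`
	Expiry    int64    `json:"exp"` // Unix seconds
	SessionID string   `json:"sid"`
	Roles     []string `json:"roles"`
}

func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret) // secret must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Mint encrypts and authenticates the claims under the server-side secret
// (AES-GCM) and returns nonce||ciphertext||tag as unpadded URL-safe Base64,
// so the token can travel as a query parameter without further escaping.
func Mint(secret []byte, c Claims) (string, error) {
	gcm, err := newGCM(secret)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per token
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plain, nil) // nonce is prefixed to the ciphertext
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Verify decodes, authenticates and decrypts a token. Anything not produced
// with our secret fails the GCM tag check, which is what makes the token
// unforgeable; the expiry claim is then enforced here, server-side.
func Verify(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return c, errors.New("token is not URL-safe Base64")
	}
	gcm, err := newGCM(secret)
	if err != nil {
		return c, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return c, errors.New("token too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return c, errors.New("token forged or corrupted")
	}
	if err := json.Unmarshal(plain, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	// Constructed sample: a 32-byte secret and a token valid for five minutes.
	secret := []byte("0123456789abcdef0123456789abcdef")
	now := time.Now()
	tok, err := Mint(secret, Claims{Username: "dev1", Expiry: now.Add(5 * time.Minute).Unix(), SessionID: "s-1", Roles: []string{"read"}})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	c, err := Verify(secret, tok, now)
	fmt.Printf("claims: %+v err: %v\n", c, err)
}
```

Because the whole token is authenticated, a tampered byte, a token minted under a different secret, or a padded/standard-Base64 variant all fail closed in `Verify`; only the expiry needs a server-side clock check.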
+1  A: 

You might also want to think about maybe adding a time based token that would allow you to limit the amount of time a request is valid. This will help with someone trying to do a replay attack.

You would have a handshake call to get/assign a time valid token based off the above developerKey. This token would be stored locally and passed back to the caller.

The developer would then use this key in a request to validate the request and the developer.

For example that key can then be used for 5 mins or for 10 requests or whatever you define. After that point the generated time based token is removed from the valid list and can no longer be used. The developer will then have to ask for a new token.

YetAnotherDeveloper
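The handshake-and-valid-list design from this answer as a worked example: a server-side store that issues a random token for a developer key and retires it after a time limit or a request budget. This is added code, not YetAnotherDeveloper's or the poster's implementation; the type and method names, the 5-minute/10-request defaults and the "dev-key-42" sample key are assumptions, and checking that the developer key itself is known is assumed to happen before `Handshake` is called.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// grant is one entry in the server's list of currently valid tokens.
type grant struct {
	developerKey string    // the long-lived key the token was handed out for
	expires      time.Time // time limit from the answer (e.g. 5 minutes)
	remaining    int       // request limit from the answer (e.g. 10 requests)
}

// TokenStore is the server-side "valid list": tokens live here from the
// handshake until they time out or use up their request budget.
type TokenStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	budget int
	grants map[string]*grant
}

func NewTokenStore(ttl time.Duration, budget int) *TokenStore {
	return &TokenStore{ttl: ttl, budget: budget, grants: make(map[string]*grant)}
}

// Handshake is the call the developer makes with their developer key; it
// returns a fresh, unguessable token (128 random bits) and records its lease.
func (s *TokenStore) Handshake(developerKey string, now time.Time) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.grants[tok] = &grant{developerKey: developerKey, expires: now.Add(s.ttl), remaining: s.budget}
	return tok, nil
}

// Validate is called on every API request. It returns the developer key the
// token belongs to, or an error; an exhausted or expired token is removed so
// a replayed request carrying the same token fails.
func (s *TokenStore) Validate(token string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	if !now.Before(g.expires) {
		delete(s.grants, token)
		return "", errors.New("token expired")
	}
	g.remaining--
	if g.remaining <= 0 {
		delete(s.grants, token) // this was the last permitted request; retire the token
	}
	return g.developerKey, nil
}

// Sweep drops expired tokens that were never presented again, so the valid
// list does not grow without bound. It returns how many were removed.
func (s *TokenStore) Sweep(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for tok, g := range s.grants {
		if !now.Before(g.expires) {
			delete(s.grants, tok)
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample: a 5-minute, 10-request lease for a hypothetical developer key.
	store := NewTokenStore(5*time.Minute, 10)
	now := time.Now()
	tok, _ := store.Handshake("dev-key-42", now)
	for i := 1; i <= 11; i++ {
		who, err := store.Validate(tok, now)
		fmt.Printf("request %2d: developer=%q err=%v\n", i, who, err)
	}
}
```

With the defaults above the eleventh request is refused even though the token is only seconds old; a captured token is therefore only useful until its budget or clock runs out, which is the replay window this answer is trying to shrink. Unlike the encrypted-token approach, this one needs shared state (the store) on every API node.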
A: 

UUID is very good for any temporary random key you fancy dishing out. Unpredictable and fast to generate, with collisions so unlikely they are effectively unique. They make nice session keys also.