views:

142

answers:

2

I'm looking at building a simple web app that will expose an API that lets third-party (well, written by me, but that's not the point) apps query for and modify user-specific data stored on the site.

Obviously I don't want to allow apps to be able to get user-specific information without that user's consent. I would want some kind of application authentication where users allow an application they run to use the web API to access their information.

Is there a standard way to achieve this or does every app (i.e. rememberthemilk) just hack up a bespoke solution specifically for them?

+7  A: 

Will OAuth work for you? That's the problem it was designed to solve.

Hank Gay
Looks interesting. Seems to have a fairly active community, at least in Google Groups. Do you know if anyone uses it though? RTM seems to use their own thing, as does Twitter..? Google supports it (but also has their own thing).. just don't want to build to a 'standard' that no one uses, you know :P
SCdF
According to ars, "it has had the developmental backing of individuals and employees of companies like Google, AOL, Yahoo, Twitter, Pownce, Six Apart, Blaine Cook (formerly of Twitter, now at Yahoo), and Mark Atwood." Good enough for me :)
SCdF
OAuth only covers one component of your API. So unless the rest of your API follows a standard other people implement, it hardly matters if others use OAuth or not. If OAuth works for you, use it. It's got a workable model, it's been well-reviewed, and there are implementations available.
keturn
+2  A: 

Also be careful to access your web service via HTTPS if the data is traversing the Internet. People take great pains to authenticate their web services, but then leave them vulnerable to network sniffing.

Steve Moyer
And to a large extent, if you use HTTPS a lot of the machinery in OAuth is unnecessary. But OAuth has been designed to give certain protections to traffic on unencrypted channels.
keturn
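The "machinery" keturn refers to, as an added example that is not code from anyone in this thread: OAuth 1.0a HMAC-SHA1 request signing per RFC 5849, with the server-side checks (signature, timestamp window, nonce reuse) that let a signed request be trusted even on an unencrypted channel. The consumer key, token, secrets and URLs are constructed placeholders.

```python
"""OAuth 1.0a request signing (HMAC-SHA1, RFC 5849). Constructed example for this thread,
not code from any of the posters; keys, secrets, URL and hostnames are made-up placeholders."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

def enc(s):
    # RFC 5849 3.6: only ALPHA / DIGIT / - . _ ~ stay bare; everything else becomes %XX.
    return quote(s, safe="")

def base_string(method, base_url, params):
    # params: decoded (name, value) pairs from query, body and oauth_* (never oauth_signature).
    # Encode each pair first, then sort by name and value so client and server build one string.
    pairs = sorted((enc(n), enc(v)) for n, v in params)
    normalized = "&".join(f"{n}={v}" for n, v in pairs)
    return "&".join([method.upper(), enc(base_url), enc(normalized)])

def sign(method, base_url, params, consumer_secret, token_secret):
    # The key binds the signature to both the app (consumer) and the user's access token.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def client_params(consumer_key, token, extra, nonce, now):
    # What the app attaches to every call; the fresh nonce/timestamp pair is what defeats replay.
    return list(extra) + [("oauth_consumer_key", consumer_key), ("oauth_token", token),
                          ("oauth_signature_method", "HMAC-SHA1"),
                          ("oauth_timestamp", str(int(now))), ("oauth_nonce", nonce)]

def verify(method, base_url, params, consumer_secret, token_secret, seen_nonces, now=None, skew=300):
    # Server side: recompute over everything except oauth_signature, and reject stale timestamps
    # and reused nonces, so a request sniffed off the wire cannot simply be sent again.
    p = dict(params)
    now = time.time() if now is None else now
    try:
        if abs(now - int(p.get("oauth_timestamp", ""))) > skew:
            return False
    except ValueError:
        return False
    nonce = p.get("oauth_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False
    unsigned = [(n, v) for n, v in params if n != "oauth_signature"]
    expected = sign(method, base_url, unsigned, consumer_secret, token_secret)
    ok = hmac.compare_digest(expected, p.get("oauth_signature", ""))
    if ok:
        seen_nonces.add(nonce)
    return ok
```

Over HTTPS the transport already gives you confidentiality and integrity, which is why much of this is redundant there; the nonce/timestamp bookkeeping is what stops a captured plaintext request from being replayed.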