views: 413
answers: 2

Hi,

I'm creating an iPhone project, and will be communicating with a server via REST. I will be sending push notifications, initiated from another service. I would like to authenticate all communication from the iPhone to my server (e.g., synchronising notifications with the server as the push request is not guaranteed to go through)

2-legged OAuth seems to be the ideal solution, however there is not a lot of information regarding it, especially as most of the libraries seem to be oriented towards consumers and not providers. What library should I use?

Is OAuth overkill? If so, what do you recommend? I'm looking for the simplest possible solution at the moment; if it is going to take me more than a week to implement OAuth, it's simply not worth it.

Thanks

A: 

2-legged OAuth would do the job there.

2-legged is relatively basic, and much easier to implement than 3-legged (no need to track tokens, for instance). All 2-legged OAuth is doing is generating a signature of the request you are sending based on a shared secret between the client and the server. The server then verifies that the signature is correct. That's pretty much it.

There are probably libraries out there for iPhone that do most of the work for you in signing requests, and there are definitely libraries for most web server languages for verifying the signature.

At a high level, here's what you'd want to do (from the OAuth spec):

  • Somehow get a shared secret (password, randomly generated string etc.) onto both the server and the iPhone client - this must be done out of bounds, and not as part of the request (i.e., hard code it into each component, or put it in a config file). That's assuming you're using HMAC-SHA1 for signing, and not RSA-SHA1 - if RSA, share the public key instead.
  • Assemble all the request params, URLs, post body etc into a string respecting sorting etc.
  • Generate a signature of the request, by calculating the HMAC-SHA1 hash string with the secret.
  • Attach the signature to the request
  • Send it to the server
  • Server receives the request.
  • Server calculates the signature using the same algorithm as the client (and the secret)
  • If the generated signature on the server matches the one sent from the client, the request is trusted; if not, deny access.

Usually you don't have to implement all that yourself. Most libraries will let you generate the signature and verify it as required for 2-legged OAuth.

madlep
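The signing and verification steps listed in the answer above, worked through as an added Python example (not code from the original answer or from any library it mentions): the client builds the OAuth 1.0 signature base string, signs it with HMAC-SHA1 under the shared secret, and the server recomputes the signature, compares it in constant time, and rejects stale timestamps and replayed nonces. The consumer key, secret, URL and request parameters are constructed sample values.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 3986 percent-encoding with the unreserved set OAuth 1.0 requires
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Normalize: encode each pair, sort, join with '&', then encode the three parts
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(norm)])

def sign(method, url, params, consumer_secret):
    # 2-legged: there is no token secret, so the HMAC key is "<consumer_secret>&"
    key = (pct(consumer_secret) + "&").encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, url, params, consumer_key, consumer_secret, now=None, nonce=None):
    # Client side: add the oauth_* protocol parameters, then attach the signature
    p = dict(params, oauth_consumer_key=consumer_key, oauth_signature_method="HMAC-SHA1",
             oauth_timestamp=str(int(time.time() if now is None else now)),
             oauth_nonce=nonce or secrets.token_hex(8), oauth_version="1.0")
    p["oauth_signature"] = sign(method, url, p, consumer_secret)
    return p

def server_verify(method, url, params, secrets_db, seen_nonces, now=None, window=300):
    # Server side: recompute with the stored secret, compare in constant time,
    # and reject stale timestamps or replayed nonces before trusting the request
    now = time.time() if now is None else now
    key, ts, nonce = (params.get(k) for k in ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
    if key not in secrets_db or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if not (ts or "").isdigit() or abs(now - int(ts)) > window:
        return False
    if not nonce or (key, nonce) in seen_nonces:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, secrets_db[key])
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add((key, nonce))  # record the nonce only once the request is accepted
    return True

if __name__ == "__main__":
    db = {"iphone-app": "constructed-shared-secret"}  # shared out of band, never in the request
    url = "https://api.example.com/notifications/sync"
    req = client_sign("POST", url, {"since": "1257840000"}, "iphone-app", db["iphone-app"])
    print(server_verify("POST", url, req, db, set()))  # True
```

In a real deployment the seen-nonce set needs to be shared across server processes (the second answer's memcache suggestion fits) and expired on the same window the timestamp check uses.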
A: 

I wrote a quick writeup on a slightly modified OAuth REST authentication. Hopefully some of the techniques used will help you out.

http://www.flowmessenger.com/blog/2009/11/10/iphone-and-secure-restful-authentication.html

There are HMAC-SHA1/HMAC-MD5 libraries available for iPhone; I believe the Amazon SDK has that. For PHP, there are built-in HMAC-SHA1/HMAC-MD5 functions. So you just need to create a string with all the request params/URLs/body/etc. you want to hash, use HMAC-SHA1/HMAC-MD5 on it, add the signature as a request parameter, and compare that on the server by recreating the signature.

I talk about some things that you want to consider to prevent abuse of your webservice, like adding timestamp as part of the hash.

I use the CakePHP framework on my server, but I had to hack together a custom component for the RESTful authentication; it's not very difficult to do. You will also want to use memcache on the shared secret passphrase lookup, as this will destroy your database under load if you're doing lookups in the database for every request (same thing if you store sessions in your database).

Vincent Young