I'm looking to restrict access to controllers/actions that represent my website's api. Only registered users who meet a certain criteria (pay accounts, not free trials) will be able to use the api. The website currently supports forms authentication with users logging in with a username/password combination or via open id.
How would have the users authenticate with the api? The api will initially be used by mobile applications (iphone, droid). My main concern is open id support with mobile apps.
My thoughts on available options are:
- Support both Username/password & open id - Not sure how well iphone/droid apps can support openid authentication.
- Only support Username/password - force OpenId users to create un/pwd for api - Bad UX for OpenId users
- Use an api token - This worries me for two reasons:
- Users would have to manually type in their api key which sucks from a UX point of view
- They could easily distribute/share their api key with other users and that would ruin reports/metrics.
- Something else that I missed?