views:

15

answers:

1

Creating an API here and I want people to be able to make simple mobile apps that could get the username/password of my users and use them if they go to interact with my server. So I need to have Basic Auth (OAuth and other stuff are also going to be supported, mostly for a different use case). Right now I have an example from a book saying I could just receive the (unencrypted) password as part of the POST, and looking at successful APIs I see that Twitter gets unencrypted passwords in the headers of their HTTP requests.

Another option would be to get MD5 or SHA1 hashes, but without a secret salt this seems like an exercise in futility. I asked a couple of people and everyone had a different (strong and heuristic) point of view, so....

What is the best way to get passwords for basic auth in an API, and why?

+1  A: 

Uh, do not give out the passwords of your users to other apps. Or via your API. Or ever. They should be stored 1-way anyway (i.e. hashed).

But I'm not so sure if that is what you are saying. You talk about OAuth (which you can use to generate tokens that let APIs access various components of your system, because the user says that it is possible).

For example, say you wish to allow API users to query a certain user's properties (say, their location); then you create a token for this access via OAuth, and the API caller passes that. At least, this is my understanding of the model. Obviously, you should review OAuth's website and find an appropriate implementation for your given language.

Noon Silk
I don't want to give passwords, I want to get credentials so people can, for example, post new information linked to their accounts. OAuth is useless for a mobile app, because I want third-party app creators to be able to ask for a username/password and that's it. With OAuth you need user interaction (to allow the creation of the token) or to somehow receive the password anyway.
DFectuoso
@DFectuoso Have you read this: http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-ii-protocol-workflow/ It handles the flow you want, and I don't see that the application being mobile-based should make a difference.
Noon Silk
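The question asks how a server should receive Basic Auth credentials, and the answer insists that passwords be stored one-way. The following is an added example (not code from the question, the answer, or any linked project) showing the server side of that arrangement: the `Authorization: Basic` header is parsed, and the password it carries is verified against a salted PBKDF2 hash rather than a stored password. The user table, the credentials, and the `DUMMY` entry are constructed for illustration; this only makes sense when the request arrives over TLS, since the cleartext password travels in the header.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) for storage. A fresh random salt per user
    means identical passwords do not produce identical stored hashes."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


# Constructed credential store: username -> (salt, hash). No password is kept.
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy entry hashed against when the username is unknown, so the response
# time does not reveal which usernames exist.
DUMMY = hash_password("placeholder-not-a-real-user")


def make_header(user: str, password: str) -> str:
    """Build the header value a client sends (RFC 7617: base64 of user:pass)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' into (user, password); None if malformed.
    The username may not contain ':', so split on the first one only."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header_value: str) -> Optional[str]:
    """Return the username when the header's credentials verify, else None."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    salt, stored = USERS.get(user, DUMMY)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the derived keys; the membership check
    # comes after the hash so unknown users cost the same as known ones.
    return user if hmac.compare_digest(candidate, stored) and user in USERS else None
```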