I'm providing a RESTful API. This API is used by a third party desktop application. The API is currently secured using Basic Authentication. That isn't very secure because the credentials have to be stored in the client application. The communication between the desktop app and the API can also easily be intercepted.

The desktop application also communicates with a third party server (run by the publisher of the desktop application).

I am unable to figure out how to secure the API in a good way. Ideas?

+1  A: 

You seem to have two separate issues here: (1) credential storage on the client, and (2) communication with the service.

You can address service communication (and prevent the stream interception) by operating your service under SSL. The entire communication stream is encrypted.

Credential storage on the client is outside the bounds of your API -- you can't control what someone does with credentials. If you're also responsible for deploying and maintaining the desktop client that calls your API, there are strategies for retaining credentials on the client (OS dependent). Otherwise, your safest bet is simple -- don't store the credentials, require the user to supply uid/pwd parameters with each session. Again, it's all dependent on the host OS and client application.

jro
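The two points in the answer above (TLS for the transport, credentials supplied per session rather than stored) as an added example in Python; this is not code from the question or the answer. Names such as `ApiSession`, `authenticate` and the `USERS` store are hypothetical, the sample user is constructed, and the URL `https://api.example.com` is a placeholder. The server side shows what "Basic Authentication" should look like behind the API: the password is never stored in plaintext, the hash comparison is constant-time, and unknown users cost the same time as known ones. The client side refuses to send the header anywhere but an HTTPS URL, verifies the server certificate and hostname, and keeps the credentials only in memory for the life of the session.

```python
import base64
import hashlib
import hmac
import os
import ssl
from urllib.parse import urlsplit

# --- server side: verifying Basic credentials without storing plaintext ---

PBKDF2_ITERATIONS = 100_000  # assumption: tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked user table does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store; a real service would keep this in a database.
USERS = {"alice": make_user_record("correct horse battery staple")}
_DUMMY_SALT = os.urandom(16)  # so unknown users cost the same time as known ones


def parse_basic_auth(header_value):
    """Parse an 'Authorization: Basic <base64(user:password)>' header (RFC 7617).

    Returns (user, password), or None for anything malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def authenticate(header_value):
    """Return the authenticated user name, or None; constant-time hash comparison."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid user names.
    candidate = hash_password(password, record["salt"] if record else _DUMMY_SALT)
    if record is not None and hmac.compare_digest(candidate, record["hash"]):
        return user
    return None


# --- client side: send credentials only over TLS, keep them only in memory ---

def build_basic_auth_header(user: str, password: str) -> str:
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def require_https(url: str) -> str:
    """Refuse to send Basic credentials over plaintext HTTP."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send credentials to non-HTTPS URL: {url}")
    return url


def tls_context() -> ssl.SSLContext:
    """Default context: verifies the server chain and hostname; TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ApiSession:
    """Holds the Authorization header for one session only; nothing is written to disk."""

    def __init__(self, base_url: str, user: str, password: str):
        self.base_url = require_https(base_url)
        self._auth = build_basic_auth_header(user, password)
        self.tls = tls_context()  # pass to your HTTPS client (e.g. urllib, http.client)

    def request_headers(self) -> dict:
        return {"Authorization": self._auth}


if __name__ == "__main__":
    import getpass  # prompt per session instead of storing credentials on disk
    s = ApiSession("https://api.example.com", input("user: "), getpass.getpass("password: "))
    print("server would authenticate as:", authenticate(s.request_headers()["Authorization"]))
```

Note that Basic credentials are still sent in clear on every request inside the TLS stream, so the client must never fall back to HTTP and must not disable certificate verification; `require_https` and `tls_context` are the two checks that enforce that here.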