What protocol should I use to secure a web service? I'm considering CHAP, but I can't find much about it in relation to web services. SubAuth and OAuth are more about giving web services access to something else, so that's not what I'm looking for. I need to authenticate a user without sending its credentials over the line.

I've read the answers to some of the security-related questions and found out something about Challenge Response Authentication and Three-pass protocol, but nothing was directly related to web services.

Does anyone have experience with that?

Help highly appreciated.

+1  A: 

Web service? Then, maybe, HTTPS (with either SSL client certificates or HTTP auth) or HTTP Digest authentication?

It depends on the security model: whom you want to provide the service to (public? corporate network? some site-local stuff?), what you want to secure, how much performance and usability you want to sacrifice for security (under heavy load SSL will almost surely eat a lot of CPU time), and so on.

drdaeman
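
The HTTP Digest option mentioned in the answer above is a challenge-response scheme, so the password itself never crosses the wire. The sketch below is an added example, not code from the answer: it computes the `qop=auth` response as defined in RFC 2617 (MD5) and RFC 7616 (SHA-256), and the `DigestServer` class, user names and URIs are hypothetical.

```python
import hashlib
import hmac
import secrets

ALGS = {"MD5": "md5", "SHA-256": "sha256"}  # RFC 2617 / RFC 7616 algorithm names

def _h(alg, text):
    return hashlib.new(ALGS[alg], text.encode("utf-8")).hexdigest()

def ha1(user, realm, password, alg="SHA-256"):
    # Password-equivalent for this realm: the server stores this, not the password.
    return _h(alg, f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, alg="SHA-256"):
    # qop=auth: binds the response to the server nonce, request counter and URI.
    ha2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:  # hypothetical verifier, in-memory state only
    def __init__(self, realm, ha1_by_user, alg="SHA-256"):
        self.realm, self.ha1_by_user, self.alg = realm, ha1_by_user, alg
        self.last_nc = {}  # issued nonce -> highest nonce count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)  # fresh, unpredictable per challenge
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        stored = self.ha1_by_user.get(user)
        if stored is None or nonce not in self.last_nc:
            return False  # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.last_nc[nonce]:
            return False  # replayed or reordered request
        expected = digest_response(stored, method, uri, nonce, nc, cnonce, self.alg)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = int(nc, 16)
        return True

if __name__ == "__main__":
    realm = "example-realm"  # constructed sample values
    server = DigestServer(realm, {"alice": ha1("alice", realm, "s3cret")})
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    resp = digest_response(ha1("alice", realm, "s3cret"), "GET", "/api/orders",
                           nonce, "00000001", cnonce)
    print(server.verify("alice", "GET", "/api/orders", nonce, "00000001", cnonce, resp))
    print(server.verify("alice", "GET", "/api/orders", nonce, "00000001", cnonce, resp))
```

Digest authenticates the caller and the request line only; the request and response bodies still travel in the clear unless the service also runs over HTTPS.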
+1  A: 

If you can't find anything relating CHAP to web services, then chances are there's no relationship.

Typically, one either uses SSL (HTTPS), or else WS-Security. However, if security actually matters, one typically learns about security in web services first.

John Saunders
A: 

OAuth can do an equally good job at addressing the direct access scenario, also known as the 2-legged scenario. So that's the protocol we went for.

gijswijs