views: 145
answers: 1

We're looking to create an API for our website. One of the major usages for the API (I suspect) will be to allow people to create mobile apps (for the iPhone and hopefully other devices).

What's the best way to handle API authentication for users? As a general rule, I don't like encouraging our users to hand their username/email/password details over to a 3rd party. However, is using OAuth acceptable/mature enough to work with for mobile devices? The only people using OAuth for mobile apps appear to have been Pownce, which seems to have had user issues and in any case is no longer around for me to see how they have dealt with the problem.

(Our user base is very non-technical, so I would expect <1% to have ever dealt with OAuth before.)

The choice seems to be:

  1. Ignore the issue with 3rd parties and passwords
  2. Force developers to implement OAuth integration
  3. Try something user unfriendly (such as using a secret key rather than their password)

Am I missing something?

A: 

I don't think I completely understand your question. What do you mean by "handle API authentication for users"? Do you want to make users authenticate themselves before using your API? Or something else?

One thought, though, and I think this is true for any mobile platform: if you have an API that will work through a browser, then any mobile app, on first launch after download, should be able to launch a browser (all mobile platforms allow this) and do any type of one-time authentication.

Hope this helps, further clarifications on your question will help me give a better answer.

omermuhammed
Sorry, what I mean is: what's the best way to get users to authenticate themselves to our web application when using an API? For example, a third party writes an iPhone app that uses our API. When a user uses the iPhone app, they need someone to connect the app with their account on our website via the API. I don't want our users to just hand their passwords and account details over to the third party (who may store them insecurely, harvest them, etc.). So what are the options? Do mobile developers mind using OAuth instead? Are there alternatives, etc.?
Apemantus
One option would be to create a library that the third party packages into the app. This library connects to the website and authenticates the user. That way the third party doesn't need to be involved at all. This library can be in executable format (static lib maybe?). The third party never knows the details of it; they just use it. This mechanism is quite common in the mobile field; music DRM companies like Groove provide it for DRM encryption to third parties.
omermuhammed
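As an added example (not code from the question or the answer above), here is a minimal Python sketch of the "authenticate once, then give the app its own credential" approach the answer describes: the user proves identity to the site directly, the site mints a token bound to that one app, and the app signs API calls with the token instead of ever holding the password. All class and function names are hypothetical.

```python
import hashlib, hmac, secrets, time

# Constructed illustration (hypothetical names; not the site's own code).
# The user signs in to the website once (e.g. in a browser), the site mints a
# token tied to that app, and the app signs API calls with the token. The
# third-party app never sees the password, and one app can be revoked alone.

class ApiServer:
    def __init__(self):
        self.users = {}   # username -> (salt, pbkdf2 hash)
        self.tokens = {}  # token_id -> {"user", "app", "secret", "revoked"}

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authorize_app(self, username, password, app_name):
        """Browser step: the user proves identity to the site, not to the app."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(self._hash(password, rec[0]), rec[1]):
            return None
        token_id, token_secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.tokens[token_id] = {"user": username, "app": app_name,
                                 "secret": token_secret, "revoked": False}
        return token_id, token_secret

    def revoke(self, token_id):
        if token_id in self.tokens:
            self.tokens[token_id]["revoked"] = True

    def api_call(self, token_id, ts, body, signature, now=None):
        """Returns the acting username on success, None on any failure."""
        rec = self.tokens.get(token_id)
        now = time.time() if now is None else now
        if rec is None or rec["revoked"] or abs(now - ts) > 300:  # 5-minute replay window
            return None
        expected = sign_request(rec["secret"], ts, body)
        if not hmac.compare_digest(expected, signature):
            return None
        return rec["user"]

def sign_request(token_secret, ts, body):
    """App side: HMAC over timestamp and body using the app token, never the password."""
    msg = f"{ts}.{body}".encode()
    return hmac.new(token_secret.encode(), msg, hashlib.sha256).hexdigest()
```

Because the server keeps the per-app secret, a compromised third-party app exposes only its own token, which the user can revoke without touching the password.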