tags:

views:

51

answers:

3
+2  Q: 

Browser-based REST api authentication

I'm working on a REST webservice, and in particular authentication methods for browser-based requests. (using JsonP or Cross-domain XHR requests/XDomainRequest).

I've done some research in OAuth, and also Amazon's AWS. The big drawbacks of both is that I need to do either of the following:

  • Store secret tokens in the browser
  • Let a server-side script handle the signing. Basically I'd first to a request to a server of mine to get a specific pre-signed javascript request, which I'll use to connect to the real REST server.

What are some other options or suggestions?

A: 

Yes, jsonp call-authentication is tough, because the browser-client needs to know the shared secret.

An option would be to make the end-point anonymous (no authentication necessary). This comes with other security wholes (server is open for attacks, anyone can call it). But you could handle this by either only exposing very limited resource and/or using rate-limiting. With rate-limiting only a certain number of calls are allowed by one client in a certain range of time. It works by identifying the client (e.g. by source-ips or other client footprints).

I once experimented with one-time tokens, but they all somewhat failed because you have the problem of getting the token itself and protecting multiple retrievals of the token by bots (which comes again to the need of rate-limiting).

manuel aldana  2010-10-21 16:49:45
What are security wholes?
BigJoe714  2010-10-21 16:58:42
sorry... late evening typing/spelling, this morning would have used the term vulnerability ;)
manuel aldana  2010-10-21 17:24:01
I'm considering going with a limited-time multi request token.. :S
Evert  2010-10-21 19:00:50
when you're finished, would be cool to know your implementation
manuel aldana  2010-10-24 17:12:01
A: 

Well, the only true answer here is proxying through a server, using sessions/cookies to authenticate and of course use SSL. Sorry for answering my own question.

Evert  2010-10-27 21:30:34
A: 

I havent tried this myself but you can try the following..(I am pretty sure i will get some feedback)

On the server side, generate a timestamp. Using HMAC-SHA256 an generate a key for that time stamp using a password and send the generated key and time stamp in the html.

When you make the AJAX call to the web service(assuming it is a different server) send the key and the time stamp along with the request. Check if timestamp is within a 5-15 minutes.. if it is do do the HMAC-SHA256 with the same password and key if the key generated is same. Also on the client side you will have to check if your timestamp is still valid before making the call..

You can generate the key using the following url.. http://buchananweb.co.uk/security01.aspx

ps  2010-10-27 21:44:17

related questions

Mocking WebResponse's from a WebRequest
What's the best way to learn server RESTful code?
JAX-RS Frameworks
SOAP or REST
Are REST request headers encrypted by SSL?
REST in Java
REST type API for non web based applications, Is It a good idea?
Getting started with REST
Plain text passwords in Ruby on Rails using Restful_Authentication
Where WCF and ADO.Net Data services stand?
REST how to handle query parameters when put to resource?
Any way to handle Put and Delete verbs in ASP.Net MVC?
How do you implement resource "edit" forms in a RESTful way?
Friendly URLs for ASP.NET
Possible to create REST web service with ASP.NET 2.0
Strange Rails Authentication Issue
How to respond to an alternate URI in a RESTful web service
Guide to choosing between REST vs SOAP services?
guid REST URL for ado.net dataservice call?
RESTful web services and HTTP verbs
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Best Practices for securing a REST API / web service
Document or RPC based web services
Modify Address Bar URL in AJAX App to Match Current State