How to do authentication within a HTTP service?

views:

335

answers:

+1 Q:

How to do authentication within a HTTP service?

We currently have a website that has user account functionality, but we are looking to provide an API to allow users to manage their accounts/perform actions via other devices/websites, by providing an API for common tasks.

Currently the website login is done via HTTPS for security, and then managed using PHP sessions with suitable security measures to guard against session hijacking etc.

How would we provide this functionality in an API?

How is it possible to submit a login without doing a POST? (As presumably GET is the only way to do this via an API call). Is isuing a URL like: https://www.example.com/login/user-foo@password=bar secure? Does the https setup happen before the URL is sent over the wire?

If I can sort that out then I would have the login return an access token. The first request should include this token, and the response should return a new token, for use on the second request and so on....

Would this work?

The URL is sent like any other header to the web-server. So it's no problem to send it like that. The only problem I can see with it is that it might appear in web-server logs or other logs. So POST might be better to use. The only reason I can see to not use POST is that it might be a little bit harder to use the API.

Allrameest 2009-04-21 10:57:40

Have you thought about using SOAP over SSL? In theory, you should be able to authenticate an user over SOAP.

StackKrish 2009-04-21 12:33:46

+2 A:

Use a standard, such as OAuth? If you allow for that, then your user can keep the authenticated token as long as they wish.

Alternatively, you may not need any authentication at all, if you could redirect to a login when some GET request comes in. For example: any site can link to an URL to add a tweet to Twitter. When not signed in, Twitter will first redirect to the login page. The referring site does not even need to know the Twitter username.

(And yes: HTTPS is established, based on the IP address of the server, before the URL is sent.)

Arjan 2009-04-21 12:36:34

OAuth is for authorisation - not authentication. It might apply to this case aswell, but I don't think that's what Visage is asking.

troelskn 2009-04-21 16:12:55

Well, to get the tokens, one first needs to authenticate. And to allow other websites to access the API (like Visage is asking) without revealing the authentication credentials, I feel OAuth is the way to go.

Arjan 2009-04-21 16:30:14

Reading the question again, I think you may be right about that.

troelskn 2009-04-21 18:58:12

+2 A:

You can use basic www-authentication. It's basically a header, which contains username+password. The good thing about this, is that it's stateless (you don't need a separate login process), and it's very well supported. It's also quite simple to implement. As long as you serve it over https, the security is fine.

Is isuing a URL like: https://www.example.com/login/user-foo@password=bar secure?

It's not good to put the credentials in the URL, since it might end up in a log.

Does the https setup happen before the URL is sent over the wire?

Yes, https is established before the http protocol. The only thing a malicious person would be able to see, is the IP addresses of the endpoints.

troelskn 2009-04-21 16:15:55

...but that would imply that Vinsage's "other websites" in "perform actions via other devices/websites" would need to know the credentials.

Arjan 2009-04-21 16:28:51

@Arjan: If you're asking if the endpoints will both need to know the password, then yes. If that's a problem, you could instead use a certificate for the ssl-connection. Then you don't need any explicit authentication, since https would provide both encryption and authentication. It's a bit more heavy weight to set up - both for the server and the client.

troelskn 2009-04-21 18:56:17

Given your comment at my answer I guess you understand, but just to be sure: with OAuth the user authorizes a (otherwise untrusted) 3rd party to use some service on his/her behalf. The 3rd party will not get to know the user credentials, and the user can choose to grant authorization once, or to revoke authorization at any time. Indeed, it all comes down to whether or not Visage truly wants to grant 3rd parties access to the API.

Arjan 2009-04-21 20:30:35

You can perform authentication in a REST API by requiring a header to be set by the caller. i.e. They set an "X-YourApp-API-Key" header that you then read and use to authenticate. This allows you to authenticate not just POST and GET methods, but PUT, HEAD, and DELETE so you have the full complement of REST methods.

This by itself is fine if all of your calls are via HTTPS. If you want to authenticate over HTTPS and then have subsequent calls via regular HTTP you need to implement something that works like OAuth and issues a token for the in-the-clear requests.

Pax 2009-04-21 21:27:59

I disagree. OAuth or something similar is simply a requirement when allowing 3rd parties to use an API on the user's behalf, for otherwise the 3rd party needs to know the full user's credentials (regardless of using HTTPS or not).

Arjan 2009-04-21 22:17:20

The "X-YourApp-API-Key" is standardised as "Authorization" (Also known as www-authentication). Use it to ensure interoperability.

troelskn 2009-04-21 22:23:06

Right, if the 3rd party is using the API an another end user's behalf, you need OAuth to protect the user credentials. If the 3rd party is just using the API themselves directly then it might not be. It all depends on what your API is for.

Pax 2009-04-21 22:40:11

ansaurus

tags:

views:

answers:

How to do authentication within a HTTP service?

related questions