When an API requires that a client authenticates to it, I've seen two different scenarios used and I am wondering which case I should use for my situation.
Example 1. An API is offered by a company to allow third parties to authenticate with a token and secret using HTTP Basic.
Example 2. An API accepts a username and password via HTTP Basic to authenticate an end user. Generally they get a token back for future requests.
My Setup: I will have a JSON API that I use as my backend for a mobile and web app. It seems like good practice for both the mobile and web app to send along a token and secret so only these two apps can access the API, blocking any other third party.
But the mobile and web app allow users to login and submit posts, view their data, etc. So I would want them to login via HTTP Basic as well on each request.
Do I somehow use a combination of both these methods or only send the end user credentials (username and token) on each request? If I only send the end user credentials, do I store them in a cookie on the client?
HTTP Basic authentication requires the username and password to be sent with every resource request. The username:password is passed in the "Authorization" request header as a base64-encoded string prefixed with "Basic ". If all of your HTTP communication is encrypted (via SSL), the Authorization header's information shouldn't be easily usable by attackers, since it's unlikely that they'll be able to get hold of it.
SSL-encrypted HTTP with Basic authentication should be enough.
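The header format the answer above describes, as an added example that is not part of the original answer: the client side builds `Authorization: Basic <base64(username:password)>`, and the server side parses it, rejects malformed headers, and compares a salted password hash in constant time. The function names (`build_basic_header`, `parse_basic_header`, `verify_basic_auth`), the salt and the one-entry user table are constructed for the example. Decoding the header back to the plaintext password is also shown, because base64 is an encoding and not encryption, which is why the answer's condition that the transport be encrypted is the whole of the security argument.

```python
"""Added example: building, parsing and verifying an HTTP Basic Authorization header.
Not from the original answer; USERS, _SALT and the function names are hypothetical."""
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(username:password).
    RFC 7617 forbids a colon in the user-id, since the colon is the separator."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: return (username, password), or None if the header is missing or malformed.
    Anyone who captures this header recovers the password with one base64 decode."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no colon: not a Basic credential
    return username, password


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user table (salt is a fixed example value, not real data).
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def verify_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None.
    Hashes even for unknown users so timing does not reveal which usernames exist."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    username, password = parsed
    salt, expected = USERS.get(username, (_SALT, b"\x00" * 32))
    candidate = _hash_password(password, salt)
    if hmac.compare_digest(candidate, expected) and username in USERS:
        return username
    return None


if __name__ == "__main__":
    hdr = build_basic_header("alice", "correct horse battery staple")
    print(hdr)
    print(verify_basic_auth(hdr))                                   # alice
    print(verify_basic_auth(build_basic_header("alice", "wrong")))  # None
    print(parse_basic_header(hdr))  # the plaintext password, recovered from the header
```

Because every request carries the password, a single captured request is as damaging as a captured login; over plain HTTP the "verify" step on the server buys nothing, which is the point the answer makes with its SSL condition.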
Can OAuth / OpenID work, along with token / secret?
I recently contemplated the following scenario:
- Web Application Front End
- Underlying REST API
- Mobile Device Applications, accessing REST API
As a simple test, I was able to:
- Authenticate users via the Web Application using OAuth
- The REST API authorized via OAuth, resulting in a secret being generated and passed back to the client
- The Mobile Device would then authenticate via OAuth, and then be authorized by the REST API via the secret
This would allow the Mobile Device Application to authenticate with the same credentials as via the Web Front End (the same account) and also be able to authorize access to the API.
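The second half of the flow described in the answer above, the REST API issuing a secret after the user has been authenticated and then authorizing later calls from the web or mobile client with that secret, as an added example that is not the answer's own code. The OAuth exchange itself is not shown; `TokenStore`, `issue`, `authenticate_request`, the `ALLOWED_CLIENTS` set and the `Bearer` header form are all assumptions made for the example. The API keeps only a SHA-256 digest of each secret, so a copy of its token table does not yield usable secrets, and every token carries an expiry.

```python
"""Added example: issuing an API secret once OAuth has identified the user, and checking it
on later REST calls. Not the original answer's code; all names here are hypothetical."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED_CLIENTS = {"web-frontend", "mobile-app"}   # constructed first-party client ids


@dataclass
class TokenRecord:
    user_id: str
    client_id: str      # which first-party app the secret was issued to
    expires_at: float


class TokenStore:
    """Maps sha256(secret) -> record. The plaintext secret is returned to the client once
    and never stored; a leaked table cannot be replayed against the API."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock              # injectable so expiry can be tested
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("ascii")).hexdigest()

    def issue(self, user_id: str, client_id: str) -> str:
        """Called after OAuth has confirmed the user. Only known first-party clients get a secret."""
        if client_id not in ALLOWED_CLIENTS:
            raise ValueError(f"unknown client {client_id!r}")
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._digest(secret)] = TokenRecord(
            user_id, client_id, self._clock() + self._ttl)
        return secret

    def lookup(self, secret: str) -> Optional[TokenRecord]:
        key = self._digest(secret)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self._clock() >= rec.expires_at:
            del self._records[key]            # expired: forget it so it cannot be replayed
            return None
        return rec

    def revoke(self, secret: str) -> None:
        self._records.pop(self._digest(secret), None)


def authenticate_request(store: TokenStore, headers: Dict[str, str]) -> Optional[TokenRecord]:
    """Server side of a later REST call: accept 'Authorization: Bearer <secret>' and return
    who the caller is (user and client), or None."""
    scheme, _, secret = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not secret.strip():
        return None
    return store.lookup(secret.strip())


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    # Web front end: OAuth has just said this is user-42, so the API hands back a secret.
    web_secret = store.issue("user-42", "web-frontend")
    # Mobile app: same account, its own OAuth login, its own secret.
    mobile_secret = store.issue("user-42", "mobile-app")
    for s in (web_secret, mobile_secret):
        print(authenticate_request(store, {"Authorization": "Bearer " + s}))
    store.revoke(web_secret)
    print(authenticate_request(store, {"Authorization": "Bearer " + web_secret}))  # None
```

Issuing one secret per client rather than sharing a single one between the web and mobile apps means a leaked mobile secret can be revoked without logging the user out of the web front end, and the record tells the API which app is calling.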