
We develop social-based applications for mobile. Every application consumes RESTful API web services. When I implement login I usually store the username and password somewhere on the device. Then I send them and, as a response, I get access to my profile. But I also know there's another way to do this.

One somehow generates a token with a particular algorithm, and then sends it instead of the username and password to gain access.

How should I implement that? Should I send this token along with every request other than login?

asked Jan 15, 2013 at 12:30
  • 11
    That's authentication, not authorization. Authentication = prove that you are who you say you are. Authorization = prove that you are allowed to do what you requested. Commented Jan 15, 2013 at 12:47
  • I was just going to add the same comment to the answers! +1 to you @tdammers. I have edited all the contents so googling "authorization" doesn't bring you here. Commented Sep 18, 2017 at 13:00

2 Answers

15

There are several ways to implement authentication in a RESTful context, and it is safer to send only tokens instead of login/password: you can easily make tokens invalid by timeout or by some other criteria, and ask the user to re-authenticate.

For example, authenticating REST requests using HMAC. In this approach, the client will have a public and a secret key. To all requests that require authentication, you should add the public key, and use the secret key to calculate a hash of your request:

const crypto = require('crypto');
const secretKey = process.env.SECRET_KEY; // secret key shared with the server, never sent
var myRequest = "https://myserver/resource?publicId=12345&param=value";
// HMAC over the whole request string, keyed with the client's secret key
var requestHash = crypto.createHmac('sha256', secretKey).update(myRequest).digest('hex');
myRequest = myRequest + '&hmac=' + requestHash;

Now the server can identify the request by the public key and calculate requestHash itself. If both hashes are equal, then the user is authorized.

Btw, you also have to use https to secure communication over the network — this will dramatically reduce the number of possible problems.

answered Jan 15, 2013 at 13:12
9

OAuth is the standard for this, but there are more solutions.

Don't try to implement security, tokens etc. all by yourself, since that's a difficult and risky topic. Take a look here, for example:

https://stackoverflow.com/questions/4574868/securing-my-rest-api-with-oauth-while-still-allowing-authentication-via-third-pa

answered Jan 15, 2013 at 12:49
