The best way to implement authentication for a REST API

Question 1

We develop social-based applications for mobile. Every application consumes RESTful API web-services. When I implement login I usually store the username and password somewhere on device. Then I send them and as a response I get access to my profile. But I also know there's another way to do this.

One somehow generates a token with a particular algorithm, and then send it instead of the username and password to gain access.

How should I implement that? Should I send this token along with every other request than login?

Question 2

That's authentication, not authorization. Authentication = prove that you are who you say you are. Authorization = prove that you are allowed to do what you requested.

Question 3

I was just going to add the same comment to the answers! +1 to you @tdammers I have edited all the contents so googling authorization doesn't bring you here

Question 4

There are several way how to implement authentication in RESTful context, and it is more safe to send only tokens instead of login/password: you could easy make tokens to be invalid by timeout or by some other criteria, and ask user to re-authenticate.

For example authentication REST requests using HMAC. In this approach, client will have public and secret keys. To all requests that require authentication, you should add publiс key, and use secret key to calculate hash of your request

var myRequest = "https://myserver/resource?publicId=12345&param=value";
var requestHash = hmac_implementation(myRequest);
myRequest = myRequest + '&hmac=' + requestHash;

Now server could identify request by public key and calculate requestHash itself. If both hashes are equal, then user is authorized.

Btw, you also have to use https to secure communication over a computer network — this will dramaticaly reduce number of possible problems.

Question 5

oAuth is the standard for this but there are more solutions.

Don't try to implement security, tokens etc. all by yourself since that's a difficult and risky topic. Take for example a look here:

https://stackoverflow.com/questions/4574868/securing-my-rest-api-with-oauth-while-still-allowing-authentication-via-third-pa

Akim Akim 1,0098 silver badges16 bronze badges · Accepted Answer · 2013-01-15 13:12:15Z

There are several way how to implement authentication in RESTful context, and it is more safe to send only tokens instead of login/password: you could easy make tokens to be invalid by timeout or by some other criteria, and ask user to re-authenticate.

For example authentication REST requests using HMAC. In this approach, client will have public and secret keys. To all requests that require authentication, you should add publiс key, and use secret key to calculate hash of your request

var myRequest = "https://myserver/resource?publicId=12345&param=value";
var requestHash = hmac_implementation(myRequest);
myRequest = myRequest + '&hmac=' + requestHash;

Now server could identify request by public key and calculate requestHash itself. If both hashes are equal, then user is authorized.

Btw, you also have to use https to secure communication over a computer network — this will dramaticaly reduce number of possible problems.

Stack Exchange Network

The best way to implement authentication for a REST API

2 Answers 2

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Linked

Hot Network Questions

The best way to implement authentication for a REST API

2 Answers 2

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Linked

Related

Hot Network Questions