We have an ASP.NET MVC web service framework for serving out XML/JSON for people's GET requests but are struggling to figure out the best way (fast, easy, trivial for users coding with JavaScript or OO languages) to authenticate users. It's not that our data is sensitive or anything; we just want users to register so we can have their email address to notify them of changes and track usage.
In our previous attempt we had the username in the URI and would just make sure that username existed and increment DB tables with usage. This was super basic, but we'd notice people using "demo" as a username, etc., so we need it to be a little more sophisticated.
What authentication techniques are available? What do the major players use/do?
- What do you consider a "major player"? Please list a few examples. While you're at it, please include a link to the "major player" API definitions so we can see what they do. (S.Lott, Jan 12, 2011 at 18:17)
- I would consider Twitter/Facebook/Google/Flickr the major players. developers.facebook.com apiwiki.twitter.com (Steve, Jan 12, 2011 at 19:52)
4 Answers
I asked that question on StackOverflow and you can read it here. Also see my answer to my own question, which is about authentication precisely without having to pass the password for each request, and without SSL or encryption. Just simple hashing.
- You might be interested in this.
- Be sure to check Flickr API.
- Don't forget to read How to Design a Good API and Why Does It Matter
- I also get very inspired by the StackOverflow API.
- I'm not sure I like your solution. (Steve, Jan 12, 2011 at 20:38)
- Steve: use the Flickr solution. (user2567, Jan 12, 2011 at 20:49)
- Is there an open source Flickr solution, or do I just need to read their API and figure it out? (Steve, Jan 13, 2011 at 6:02)
- Read their API, it's very simple. Not as secure as my method if you don't have SSL, but very good. (user2567, Jan 13, 2011 at 6:47)
- Your MD5 solution just doesn't seem to fit the bill with "trivial for JavaScript users". I'll have to check out the Flickr API some more. I glanced over it but need to study some of the terminology. Mainly what frobs are. (Steve, Jan 14, 2011 at 6:08)
This video is an interesting way of using an API key with your WCF/REST service. code.
- This is the same idea as putting the username in the service, except they are calling it an API key. Someone can look at the source of the page if JavaScript and copy the key and use it elsewhere. Would you want to have an API key be linked to a calling domain so that the API key needs to be valid and it needs to come from xyz.com? (Steve, Jan 13, 2011 at 5:56)
- Also, is this a duplicate of what @KinGBin suggested? (Steve, Jan 13, 2011 at 5:57)
I take it you're using Visual Studio. If you're using VS 2010 with the 4.0 framework, you could check out the "WCF REST Service With API Key Verification" template in VS 2010.
- I will have to look into that. I'd like to get away from WCF though, personally. (Steve, Jan 12, 2011 at 20:39)
- This was interesting, but it looks like it just passes the APIKey in the query string. Doesn't that mean that the API key is visible to anyone between the caller and the callee -- even if you use SSL? (JMarsch, May 15, 2013 at 19:56)
I always use HTTP authentication for web services. The authentication itself would be handled by your web server, likely IIS in your case. You would then configure IIS to authenticate against your database, an LDAP store, or similar.
You would then access the username via the property User.Identity.Name.
EDIT: jQuery authentication example:
    /* I found that providing the username and password both in the
       arguments and in the URL parameter seems to have better compatibility;
       if it works well for you, it is highly advisable to remove the
       user/pass from the URL */
    function doLogin() {
        $.ajax({
            username: $('#username').val(),
            password: $('#password').val(),
            url: 'https://' + $('#username').val() + ':' + $('#password').val() + '@api.example.com',
            dataType: 'jsonp',
            context: $('#result'),
            success: function (d) {
                $(this).html(d);
                $(location).attr('href', 'https://api.example.com/success');
            }
        });
        return false;
    }
- How would you do this with a JavaScript client? (Steve, Jan 13, 2011 at 5:40)
- client = new XMLHttpRequest(); client.open(method, url, async, user, password); (ewindisch, Jan 13, 2011 at 6:06)
- Added jQuery example to answer. (ewindisch, Jan 13, 2011 at 6:09)
- So the username/password combination would have to reside in plain text in the source. Doesn't seem like a good idea. (Steve, Jan 14, 2011 at 6:02)
- OK, so basically you would have to enter your username/password into a login screen to fire off an API request? That solution is terrible. Every user of a public website would have to be registered? (Steve, Jan 17, 2011 at 0:49)