Best IT Recipes

Authentication of a reliable web service

I have a Restful Web Services API that is used by various third parties. Part of this API is limited (you need a username / password for this). I was wondering what would be the best authentication method?

I use https, so the connection is encrypted. I have two ideas:

  • Before a user starts using the (limited) service, he will send a username / password using POST (since https is used, credentials are encrypted). After a successful login, the server sends back a random one-time value (nonce), which corresponds to this username. When the following request is executed, along with the username, the client sends the previously returned nonce. The servers map the username to nonce and return new nonce along the requested sides. Each new request uses a new nonce. Basically, this is a lightweight version of digest access authentication.
  • Since this API is used by a third-party user, a username / password can be used for each (limited) request. Since https is used, they will be encrypted. The downfall of this approach is that it will not be satisfactory (POST will always be used).

I choose the first approach much closer (it’s easy to respond to requirements, relatively easy to implement, XML, json or html can be used without changing anything), but I wanted to see what is your opinion? What do you recommend: first, second or third approach?

Btw, I am using Python on the server side.

+43
authentication rest web-services restful-authentication
Aug 28 '10 at 20:29
source share
4 answers

One of the ways I saw this in the API (and how I am implementing it now) is to create a RESTful resource called Session created using POST that provides a username and password.

Here is basically how I implemented it:

POST /sessions { Username: "User", Password: "Password" }

Create a time-limited session and return a session resource that contains the session key value and expires. You can also return this as a cookie value for the convenience of implementing API clients.

 DELETE /session/{id}

Terminates the session urgently, so it can no longer be used. This is used for explicit exits.

Then I add the session key through the request parameter, although you can also allow it to be sent via the cookie value, I would recommend allowing both.

I prefer it to be very simple.

Obviously, your script will dictate a little how your sessions should be managed, perhaps they are not time limited and do not work indefinitely, and perhaps they are hashed or encrypted for added security.

If you use HTTPS everywhere, you probably don't need to worry too much. However, if you want to use HTTP, you will need to use something like a hash along with the secret key and say a time stamp to create a secure key for each request. This way you can share the secret key over HTTPS and then switch to HTTP for further calls. Even if someone manages to get the key out of the request, it can expire almost immediately and be useless.

Disclaimer: I'm not a security expert ,-).

+23
Jun 19 '11 at 17:33
source share

There is no reason to not just use HTTP authentication here.

However, the concept of POSTing to get a nonce temporary block may work well. But these are motives as to why you would need to jump over this extra hoop in the first place.

This method was considered when using the bcrypt hash for the original password due to the actual expense of user verification (if you do not know, bcrypt can be configured for a considerable time to execute the hash function). The choice was made to provide the "log in" service once, using a password that will go through the expensive verification process through bcrypt and then receive a blocked token in exchange for future requests that will bypass the bcrypt process.

In the case of the bcrypt process, use HTTP authentication, the service will work with both a regular password and a token. Thus, the user can always use the password for his service, but it just becomes expensive. Therefore, they CAN DO it, they simply DO NOT. The service does not care which authentication method the client uses.

Nonce is offered as an alternative to increasing throughput.

In addition, it is standard HTTP authentication, but with a new scheme.

+8
Jun 19 '11 at 18:13
source share

Amazon web services is good, check the methodology for some ideas. In fact, they force clients to encrypt a special http header using their password.

Here is the link:

http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

+6
Aug 28 '10 at 20:33
source share

Assuming that the service is never consumed in the browser, and the connection is encrypted in any case, I see no harm in the variation of the second method: add X-headers to send username / password with each request, for example:

 GET /foo HTTP/1.1 Host: www.bar.com X-MyUsername: foo X-MyPassword: bar

Another idea is to use HTTP Basic Auth and just send Authorization: Basic base64(user:password) -Header. That is, if the connection is always encrypted.

+4
Jun 19 '11 at 17:57
source share


More articles:


All Articles