Creating a RESTful API: how to do authentication

I am creating a RESTful API and wondering what the best way to do auth is. Users need to authenticate. I know three ways:

1.) Pass the API key in each RESTful request:

http://api.mydomain.com/api-key-here/get-users

This is good because developers can immediately start using the API by simply copying the URL string into the browser. Are there any potential security risks?

2.) Each request passes the API key in the request header.

This seems more secure, but developers cannot make requests through their browser. cURL is required.

3.) OAuth

I have to admit that I know little about this, but it seems very popular. My concern is that it raises the barrier for developers using the API: first they have to become familiar with OAuth and configure it.

Thoughts? Thank you very much.

2 answers

If your concern is burdening developers with a high cost of entry, I suggest basic auth, but serve your API over HTTPS.

I do this with Diligent Street and it works very well. I use an API key and an associated secret as the username/password combination for basic auth.


I used the technique found here: Build a RESTful API. This solution uses an MD5 hash of your API identifier, the API secret and a UNIX timestamp, which is passed in the HTTP header. This authentication method is the same as Mashery's Authentication.

The linked article contains a complete starter block for creating an API that has auth, membership and *Measure API usage*, along with a supporting EF database.

Regarding service testing, you can use RESTClient to make HTTP calls with custom headers instead of using cURL.

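Added example, not code from either answer or the linked article: the key/secret/timestamp header scheme the second answer describes, with the MD5 hash swapped for HMAC-SHA256 and a server-side freshness window added so a captured header cannot be replayed indefinitely. The header names, the credential store and the 300-second window are assumptions.

```python
"""Signed-header API authentication: client builds headers, server verifies.
HMAC-SHA256 is used instead of the MD5 hash the answer mentions (assumption).
"""
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample credential store: api_key -> api_secret.
API_SECRETS = {"demo-key-123": "s3cret-value-abc"}
MAX_SKEW_SECONDS = 300  # reject timestamps more than 5 minutes off (replay window)


def sign_request(api_key: str, api_secret: str, timestamp: int) -> str:
    # The signed message binds the key id to the timestamp; the secret itself
    # never leaves the client.
    msg = f"{api_key}\n{timestamp}".encode()
    return hmac.new(api_secret.encode(), msg, hashlib.sha256).hexdigest()


def build_headers(api_key: str, api_secret: str, now: Optional[int] = None) -> dict:
    """Client side: headers to attach to every request."""
    ts = int(time.time()) if now is None else now
    return {
        "X-Api-Key": api_key,
        "X-Timestamp": str(ts),
        "X-Signature": sign_request(api_key, api_secret, ts),
    }


def verify_headers(headers: dict, now: Optional[int] = None) -> bool:
    """Server side: True only for a fresh, correctly signed request."""
    api_key = headers.get("X-Api-Key", "")
    secret = API_SECRETS.get(api_key)
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated timestamp: treat as a replay
    expected = sign_request(api_key, secret, ts)
    # Constant-time comparison so a wrong signature is not leaked via timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```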

Source: https://habr.com/ru/post/1336416/
