I want to restrict access to the controllers / actions that represent my api site. Only registered users who meet certain criteria (paid accounts, not free trial versions) will be able to use api. The website currently supports forms authentication when users register using a username / password combination or using a public identifier.
How could users authenticate using api? Initially, the api will be used by mobile applications (iphone, droid). My main concern is open support for identifiers using mobile applications.
My thoughts on the options available:
- Support for username and password and public identifier. Not sure how well iphone / droid apps can support openid authentication.
- Support only username / password - force OpenId users to create un / pwd for api - Bad UX for OpenId users
- Use api token - this bothers me for two reasons:
- Users will have to manually enter their api key, which sucks in terms of UX
- They can easily share / share their api key with other users, and this can destroy reports / metrics.
- Anything else I missed?
source
share