
REST API Authentication for Both User and Application

I'm developing a BaaS solution that provides developers with some REST APIs for their applications. In addition to SSL, I want to secure the REST API by authenticating both the application (token?) and the client (username and password).

I was thinking of Basic Authentication for clients and a token for application authentication; however, I can't think of how a simple UUID token, given to the application developer at registration, can secure the REST API and authenticate the application.

I also read about OAuth; however, I think it doesn't fit as a solution to the authentication mechanism.

How can I achieve this in the right way?

Thanks!

It does seem to be a good (and common) approach to use "basic authentication" for user authentication and then "token authentication" for accessing resources (all over SSL). Basically, to support this you do user authentication using "basic authentication" (username/password) over SSL, and on successful authentication the user is given a "bearer token" (or authentication token). The user credentials are normally stored (hashed and salted) in a DB, like the authentication token. Based on the retrieved token, the user can access the API resources (also over SSL, to give the channel maximum security). From time to time (or per device) you can change the token.

I'm not sure which technology you are using to develop your RESTful web service. In Java I have been using Apache Shiro (http://shiro.apache.org/), which supports all these activities (basic authentication, token-based authentication, encryption of data (hashing + salting) to store in the DB, etc.); take a look at another post I wrote about how to set up this approach in Shiro: https://stackoverflow.com/a/17950339/1029673.

HTH.

Finally, I came up with the OAuth 2.0 Resource Owner Password flow, which fits my security schema.

Thanks!
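The scheme both answers describe (application credential plus user Basic authentication exchanged over TLS for a bearer token, with secrets stored hashed and salted and tokens that can expire or be revoked per device) as a runnable example. This is added editorial code, not code from either answerer, from Apache Shiro, or from the OAuth 2.0 specification; it is framework-free so it can be read end to end. Everything specific is an assumption: the header names `X-App-Id` and `X-App-Key` for the application credential, the `login`/`authorize`/`revoke` function names, the one-hour token lifetime, and the in-memory dicts standing in for the DB. The OAuth 2.0 resource owner password flow the asker settled on has the same shape (password in, bearer token out), so the same server-side checks apply; note that RFC 9700 (OAuth 2.0 Security Best Current Practice) now says that grant must not be used, and that an application key shipped inside a client binary can be extracted, so it identifies the calling application rather than strongly authenticating it.

```python
"""Two-layer REST API authentication: application key + user Basic auth,
exchanged for a short-lived bearer token. Added example, not from the page."""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

TOKEN_TTL = 3600          # seconds a bearer token stays valid (assumption)
PBKDF2_ROUNDS = 100_000   # work factor for password/app-key hashing (assumption)

# Constructed in-memory stores standing in for the DB the answer mentions.
APPS = {}    # app_id -> (salt, hashed app key)
USERS = {}   # username -> (salt, hashed password)
TOKENS = {}  # sha256(token) -> {"user": str, "app": str, "expires": int}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, used for both user passwords and app keys."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _check_secret(store: dict, key: str, secret: str) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    if key not in store:
        # Burn a hash anyway so "unknown user" and "wrong password" take equal time.
        _hash_secret(secret, b"\x00" * 16)
        return False
    salt, expected = store[key]
    return hmac.compare_digest(_hash_secret(secret, salt), expected)


def register_app(app_id: str, app_key: str) -> None:
    """Store the key handed to a developer at registration, hashed and salted."""
    salt = os.urandom(16)
    APPS[app_id] = (salt, _hash_secret(app_key, salt))


def register_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_secret(password, salt))


def basic_header(username: str, password: str) -> str:
    """Client side: build the value of an HTTP Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def _parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None


def _token_id(token: str) -> str:
    # Tokens are 256-bit random strings, so an unsalted SHA-256 is enough to make
    # a leaked token table unusable; the slow salted hash is reserved for passwords.
    return hashlib.sha256(token.encode()).hexdigest()


def login(headers: dict, now: int) -> Optional[str]:
    """Check the app (X-App-Id/X-App-Key) and the user (Basic), then issue a token."""
    app_id = headers.get("X-App-Id", "")
    if not _check_secret(APPS, app_id, headers.get("X-App-Key", "")):
        return None
    creds = _parse_basic(headers.get("Authorization", ""))
    if creds is None or not _check_secret(USERS, creds[0], creds[1]):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[_token_id(token)] = {"user": creds[0], "app": app_id,
                                "expires": now + TOKEN_TTL}
    return token   # only the hash is stored; the client receives the raw token


def authorize(headers: dict, now: int) -> Optional[str]:
    """Resolve a 'Bearer <token>' header to a username, or None if invalid."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    record = TOKENS.get(_token_id(token))
    if record is None:
        return None
    if now >= record["expires"]:
        TOKENS.pop(_token_id(token), None)   # expired: drop it from the store
        return None
    return record["user"]


def revoke(token: str) -> None:
    """Invalidate a single token, e.g. on logout or per-device rotation."""
    TOKENS.pop(_token_id(token), None)
```

`now` is passed in explicitly so expiry is testable without a clock; a real service would use the current time and would return 401 with a `WWW-Authenticate` header where this returns `None`. Two design points worth keeping when porting this to Shiro or any other framework: the DB never holds a usable bearer token, only its hash, and every secret comparison goes through `hmac.compare_digest` rather than `==`.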
