Restful API authentication recommendation?

Question

I am developing several RESTful API for 3rd party to call, and these API need authentication (apikey & secret based), and authorization (HTTP method & URI based).

Are there any existing software we can reuse that prevent me from rolling out our own implementation for the security layer?

Answer 1

HTTP gives you granted support for that, so you don't need to reinvent the wheel

Either use:

• HTTP Auth Basic (with SSL to bypass plain-text password submit problem)
• HTTP Auth Digest

Auth Digest has advantage, that it does not transmit the passowrd in cleartext and handles replay attacks (with nonces).

We use HTTP Auth Digest (Tomcat servlet container has direct support for it) and we are content with it.

EDIT: Some clients have problems with Digest (not so trivial), so these days I would opt for Basic and SSL. Advantage for Basic is also that you can you preemptive authentication (sending user:pwd in first request).

Answer 2

如果您使用Ruby on Rails（3.2.0或更高版本）构建API，请查看restful_api_authentication gem - https://rubygems.org/gems/restful_api_authentication

Answer 3

Independently of your technology you can implement some system like AWS uses.

• Each registered used must have a userid and a secret access key.
• Each request must be signed with the SAK and must contain the userid. (Take into account time stamp too).
• The server, given the userid, retrieves from DB the SAK and signs again the request, if signature much continue, otherwise return an error.

Implementation is not too difficult but you need to take into account each request to server requires to query the store to retrieve the SAK. One option is to use a NoSQL DB or similar (like Redis or memcache) to store the userid/sak.