
PHP: creating and consuming REST and authentication

I'm planning to create a few simple REST web services to be used by some other applications (everything internal, not facing the Internet). For certain reasons the applications should work with SSO (Windows, NTLM or other). The issue I have is how to do the authentication in the web service.

The application calling the web service has no knowledge of the user's password, so I'm kind of lost on how to authenticate against REST without having the user log in, e.g. avoiding Basic Authentication.

I would like to avoid login due to simplicity for the user and not having to handle passwords in my applications. What are my options? Am I missing something obvious?

Would this be a solution: create a token, pass it to the service and store it in the database. The web service checks if the token exists in the database. (Expiration handling?)

The most common solution to this problem is, as you mentioned, a simple key- or token-based authentication. This is how a lot of Google services (e.g. Maps) work. You simply generate a key on your service provider for each consumer, store it in your database, and validate that all calls pass a valid key.

More sophisticated options would be HMAC or OAuth authentication. Given your situation, i.e. providing services only within your intranet, I'd say keep it simple and go with single-key authentication.

In the above scenario I don't see the need for handling expiration. Nonetheless, if you'd like to implement it, then you could

  • on each client request, generate a timestamp-based token on the server
  • in your reply to the request, also include this token
  • client should use both the static API key and the dynamic token in subsequent requests
  • server should check the token's lifetime and accept / refuse the request as necessary.
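As an added illustration (not part of the answer above), here is a PHP sketch of the static-key-plus-timestamped-token scheme described in the steps above. The key table, server secret, lifetime and all function names are assumptions; the token is an HMAC over the consumer name and issue time so the server can verify its age without a database round trip.

```php
<?php
// Added example, not code from the original answer. Assumptions: API keys are
// looked up in $apiKeys (stand-in for the database table), tokens are an HMAC
// over "consumer|issued_at" keyed with SERVER_SECRET, and a token is accepted
// for TOKEN_LIFETIME seconds after it was issued.

const TOKEN_LIFETIME = 300;                                    // seconds (assumption)
const SERVER_SECRET  = 'replace-with-a-long-random-secret';    // placeholder

// Constructed stand-in for the per-consumer keys stored in the database.
$apiKeys = [
    'inventory-app' => 'PLACEHOLDER-KEY-FOR-INVENTORY-APP',
];

// Steps 1 and 2: on each request, mint a timestamp-based token for the reply.
function issueToken(string $consumer): string {
    $payload = $consumer . '|' . time();
    $mac     = hash_hmac('sha256', $payload, SERVER_SECRET);
    return base64_encode($payload . '|' . $mac);
}

// Steps 3 and 4: check the static key, then the dynamic token and its lifetime.
function authenticate(array $apiKeys, ?string $consumer, ?string $key, ?string $token): bool {
    // Static API key check; hash_equals keeps the comparison constant-time.
    if ($consumer === null || $key === null || !isset($apiKeys[$consumer])
        || !hash_equals($apiKeys[$consumer], $key)) {
        return false;
    }
    $decoded = base64_decode((string) $token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 3 || $parts[0] !== $consumer) {
        return false;
    }
    [$tokenConsumer, $issuedAt, $mac] = $parts;
    // Integrity: recompute the MAC so a client cannot forge or extend a token.
    $expected = hash_hmac('sha256', $tokenConsumer . '|' . $issuedAt, SERVER_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    // Lifetime: reject tokens older than TOKEN_LIFETIME or dated in the future.
    $age = time() - (int) $issuedAt;
    return $age >= 0 && $age <= TOKEN_LIFETIME;
}

// Usage: the consumer resends its name, static key and the last token it received.
$token = issueToken('inventory-app');
var_dump(authenticate($apiKeys, 'inventory-app', 'PLACEHOLDER-KEY-FOR-INVENTORY-APP', $token));
```

In a real endpoint the three values would come from request headers rather than function arguments, and the key lookup would hit the database the answer mentions.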
