http://robwilkerson.org/2008/06/05/api-authentication-model/feed/ 2008-06-05T20:57:25-04:00 Chyrp tag:robwilkerson.org,2008-06-05:/id/71//comment_157 2008-06-05T20:57:25-04:00 2008-06-05T20:57:25-04:00 Rob Wilkerson http://robwilkerson.org <p>Thanks, Brad. I’ve actually considered oAuth, but as you suggested, I found that it was a little over the top. Or maybe I was looking at it the wrong way. oAuth felt more like an interface-to-application solution rather than a system-to-system solution.</p> <p>I’m not sure that explained it very well, but I can’t think of a better way to phrase it at the moment.</p> tag:robwilkerson.org,2008-06-05:/id/71//comment_155 2008-06-05T20:20:11-04:00 2008-06-05T20:20:11-04:00 Brad Greenlee http://blog.footle.org <p>This may be overkill for your needs, but check out OAuth: http://oauth.net/</p> tag:robwilkerson.org,2008-06-05:/id/71//comment_154 2008-06-05T19:18:09-04:00 2008-06-05T19:18:09-04:00 Rob Wilkerson http://robwilkerson.org <p>That sounds inline with how I would expect my first option to execute, though I’d probably just use a md5 hash of a <span class="caps">UUID</span> (for convenience). </p> <p>Both ways – at least the way I’m conceiving them – have some useful pros and some annoying cons which is why I was hoping that there was some governing body of <span class="caps">API</span> authentication models that could say, “Do it my way because my way is <em>good</em> and doing it any other way is punishable by public flogging.”</p> <p>That kind of authoritative response would relieve me of an awful lot of responsibility for the solution I choose. :-)</p> tag:robwilkerson.org,2008-06-05:/id/71//comment_153 2008-06-05T19:12:37-04:00 2008-06-05T19:12:37-04:00 Matt http://schinckel.net <p>Oh, and for why?</p> <p>Previously we had a system where the client application sent username/password, and then received a series of IDs, which correspond to userID, groupID and companyID. It would be trivial for a client to be hacked to bypass the login sequence, and attempt to access data with just an ID. Which could mean they could access administrator data if they chose the right ID.</p> tag:robwilkerson.org,2008-06-05:/id/71//comment_152 2008-06-05T19:09:52-04:00 2008-06-05T19:09:52-04:00 Matt http://schinckel.net <p>I use a model where the user authenticates with username/password, and is returned a valid sessionID, which they can reuse to access methods until it expires.</p> <p>It uses the login time, username, and IP address with a <span class="caps">SECRET</span> <span class="caps">VALUE</span> to generate an md5 hash which is the sessionID. This means they are non-sequential, and unlikely to be guessed.</p> <p>Session hashes are stored in a database table, which is looked at when a session has is received as part of a non-login request, and the user is selected from this if the has is valid.</p> <p>Oh, and all of this is done over an <span class="caps">SSL</span> connection. It is up to the client application to store the session hash/key/id, and attempt to re-login if an invalid session message is returned on any future request.</p>