Larry Ullman's Book Forums

Rest Authentication


Jonathon

As a total newbie to REST, with the intention of using it in a web service, I was a little unsure about how authentication takes place. Reading around, it should be stateless, so not involve cookies and sessions, and a lot of places talk about using a token. But I wanted to be clearer on exactly that. So I had a couple of questions:

 

1) Is it the case that when you create a user via the web app or an iPhone app you should automatically create an auth_token for this person and store it in your DB?

 

2) Would something like md5(uniqid(rand(), true)); be suitable for a token?

 

3) From there, how should you use the token with requests?

 

4) Is the token then stored in CoreData or a file on the app and pulled from there?

 

 


What are your needs here? If this is a read-only (only GET operations) API, you don't need strict authentication or might not need it at all. Tokens can be used to make sure only those with a valid key can fetch data, you can throttle their calls and build statistics. You could also consider leaving it out completely. If the API is read only, a simple token emailed to users is enough. You can add this token to a GET param or insert it into a header in your calls.

 

1. Seems like a good idea. That way you can also retract tokens.

2. Probably. How important is security? The tokens generated should take this into account.

3. You should require users to pass the token upon every request. As you said, there's no state here.

4. Sounds reasonable.


Yes, I'd use a token that you generate when the user registers and you store the token in the database. This also allows you to roll API keys for users.

 

I would use http://php.net/manual/en/function.openssl-random-pseudo-bytes.php to generate the token. At Stripe, this is expected to be passed as the "user" value in every request (-u token in cURL).

 
As for your app, I'm not positive what's the best, most secure storage route. 
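The pieces the two replies above describe (issue a random token at registration, store it in the database so it can be retracted or rolled, require it on every request via a header or, Stripe-style, as the HTTP Basic "user" value) put together in PHP. This is an added example, not code from the thread or from Larry's books; the in-memory $store array, the function names, and the $headers array standing in for $_SERVER['HTTP_AUTHORIZATION'] are all assumptions of the example. random_bytes() (PHP 7+) is used in place of openssl_random_pseudo_bytes(); either is a CSPRNG, which md5(uniqid(rand(), true)) is not, since uniqid() is derived from the clock and rand() is not a cryptographic generator.

```php
<?php
// Added example (not from the thread). $store stands in for a DB table with
// columns (user_id, token_hash, created_at, revoked); all names are assumptions.
declare(strict_types=1);

// 1) Generate the token from a CSPRNG: 32 random bytes (256 bits), hex-encoded.
//    random_bytes() replaces openssl_random_pseudo_bytes() on PHP 7 and later.
function generate_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// 2) Store only a hash of the token, so a dumped table yields no usable
//    credentials. The token is high-entropy, so a fast hash such as SHA-256
//    is appropriate here (bcrypt/Argon2 are for low-entropy passwords).
function token_hash(string $token): string
{
    return hash('sha256', $token);
}

function issue_token(array &$store, int $userId): string
{
    $token = generate_token();
    $store[] = [
        'user_id'    => $userId,
        'token_hash' => token_hash($token),
        'created_at' => time(),
        'revoked'    => false,
    ];
    return $token; // shown to the user once; the plaintext is never persisted
}

// 3) Pull the token out of the request. Accepts both conventions mentioned
//    in the thread: "Authorization: Bearer <token>", and HTTP Basic auth with
//    the token as the user name and an empty password (curl -u token:).
function extract_token(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? '';
    if (preg_match('/^Bearer\s+([A-Za-z0-9._\-]+)$/', $auth, $m)) {
        return $m[1];
    }
    if (preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $auth, $m)) {
        $decoded = base64_decode($m[1], true); // strict: reject junk input
        if ($decoded === false) {
            return null;
        }
        return explode(':', $decoded, 2)[0] ?: null; // "user" part carries the token
    }
    return null;
}

// 4) Authenticate a request: hash what was presented and compare with
//    hash_equals() so timing does not reveal how many bytes matched.
//    Returns the owning user id, or null if no live token matches.
function authenticate(array $store, array $headers): ?int
{
    $token = extract_token($headers);
    if ($token === null) {
        return null;
    }
    $presented = token_hash($token);
    foreach ($store as $row) {
        if (!$row['revoked'] && hash_equals($row['token_hash'], $presented)) {
            return $row['user_id'];
        }
    }
    return null;
}

// 5) Rolling a key: revoke every live token for the user, then issue a new one.
function rotate_token(array &$store, int $userId): string
{
    foreach ($store as &$row) {
        if ($row['user_id'] === $userId) {
            $row['revoked'] = true;
        }
    }
    unset($row);
    return issue_token($store, $userId);
}

// Usage: register a user, call with the token both ways, then roll the key.
$store = [];
$token = issue_token($store, 42);
var_dump(authenticate($store, ['Authorization' => 'Bearer ' . $token]));
var_dump(authenticate($store, ['Authorization' => 'Basic ' . base64_encode($token . ':')]));
$new = rotate_token($store, 42);
var_dump(authenticate($store, ['Authorization' => 'Bearer ' . $token]));
var_dump(authenticate($store, ['Authorization' => 'Bearer ' . $new]));
```

Two design notes. The example reads the token from the Authorization header rather than a GET parameter: query strings end up in web-server logs, browser history and Referer headers, whereas headers normally do not. With a real database you would not loop over every row; you would select by token_hash on an indexed column. That lookup is not constant-time, but because the stored value is the SHA-256 of a 256-bit random token, any timing leak is about the hash, not the token, and cannot be turned into a valid credential.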
