
Secure authentication in RESTful web services

Posted: Tue Apr 29, 2008 9:00 am
by inghamn
I'm currently tasked with creating a web service for mailman so our new content manager can maintain users and lists. I'm a big fan of RESTful style services, but I don't see how I can implement secure authentication and still have it be RESTful.

Even with SSL, I'm not a fan of passing some token in the URL. HTTP Basic Auth means Apache would have to handle authentication, instead of me being able to use my fancy PHP authentication code.

Which leads me to putting the tokens (username/password for instance) in the payload, which leads to SOAP or XML-RPC. Now, don't get me wrong, I can implement a SOAP service just fine. It's just that, so far, all my services (which have been read-only) have been nice and RESTful. I'd really like to continue along those lines.

Have any of you guys implemented custom, secure authentication in a REST service? Or does all the security stuff, by its nature, require a more RPC approach?

Re: Secure authentication in web services

Posted: Tue Apr 29, 2008 11:36 am
by Maugrim_The_Reaper
REST plus Authentication = OAuth. It's an open standard, easy to implement, and is being adopted by Yahoo. I think the adapted PEAR_Request class first implementing it was a few dozen lines longer than normal. By now there should be PHP libraries for it.

Posted: Mon May 12, 2008 5:57 pm
by LSJason
If you're looking to really lock down your service, and there is an assumption that the user is on a dedicated host, you can filter by IP address as the authentication token.

Re: Secure authentication in web services

Posted: Tue May 13, 2008 7:55 am
by inghamn
My concern is more about the style of the service. I'm trying to keep it as simple as possible. So far all my services have been RESTful, but they've also only been read-only and open to the public.

Now, I'm looking at implementing a read-write private service. Which means authentication, even on the GET. I have a personal hang-up, though, with sending any form of authentication tokens in the GET. It just seems bad form, they should be POST. And as soon as I require all requests to the service to be POST, and to require auth tokens in the request, it doesn't feel RESTful anymore.

Maybe I should just embrace it and accept that it has to be an RPC style service and be done with it. Am I missing something?

Re:

Posted: Tue May 13, 2008 10:01 pm
by Chris Corbyn
LSJason wrote: If you're looking to really lock down your service, and there is an assumption that the user is on a dedicated host, you can filter by IP address as the authentication token.
8O

Re: Secure authentication in RESTful web services

Posted: Thu May 22, 2008 8:56 am
by choppsta
I would just use some custom http headers that you can check for. That way it won't pollute your URLs.

Re: Secure authentication in RESTful web services

Posted: Fri May 23, 2008 2:41 am
by Maugrim_The_Reaper
Headers can be forged.

Just to reiterate, a RESTful service with authentication is not only possible, but overwhelmingly common. The industry has been spending a great deal of time making the move to the OAuth open standard since it reflects good practice. Even Yahoo have started to adopt it. There is no reason for an open standard, with open source libraries, using a commonly understood authentication mechanism for REST, to somehow look so complicated you need to go back in time to XML-RPC...

Re: Secure authentication in RESTful web services

Posted: Fri May 23, 2008 4:49 am
by choppsta
Perhaps I was unclear in what I meant by using http headers.

A good example is the Amazon S3 API:
http://docs.amazonwebservices.com/AmazonS3/2006-03-01/

in particular:
http://docs.amazonwebservices.com/Amazo ... ation.html

As you can see, all authentication happens using a specially crafted Authorization header, thus keeping the URLs clean. This, I believe, is what you are trying to achieve.
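The signed-header approach behind the S3 link above, as an added Python example (not the forum's or Amazon's code): the client sends its key id plus an HMAC over the method, body digest, content type, date and resource path in the Authorization header, and the server recomputes the MAC, bounds the replay window with the Date header and checks the body against its declared digest. The scheme name DEMO, the credentials and the request are constructed for the demo, and SHA-256 stands in for the SHA-1 the 2006 S3 scheme used.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed demo credentials (not real keys); a real service reads them from its user store.
CREDENTIALS = {"AKIDEXAMPLE": b"demo-secret-that-never-goes-on-the-wire"}
CLOCK_SKEW = timedelta(minutes=15)  # how old a signed request may be before it is refused

def content_md5(body):
    return base64.b64encode(hashlib.md5(body).digest()).decode()

def string_to_sign(method, headers, resource):
    # Canonical request: every field the server acts on is covered by the MAC, so a
    # changed verb, body digest, content type, date or path invalidates the signature.
    return "\n".join([method, headers.get("Content-MD5", ""),
                      headers.get("Content-Type", ""), headers.get("Date", ""), resource])

def sign(secret, method, headers, resource):
    mac = hmac.new(secret, string_to_sign(method, headers, resource).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def build_request(key_id, secret, method, resource, body, now):
    # Client side: only the key id and the MAC travel; the secret itself is never sent.
    headers = {"Date": format_datetime(now, usegmt=True),
               "Content-Type": "application/x-www-form-urlencoded",
               "Content-MD5": content_md5(body)}
    headers["Authorization"] = "DEMO %s:%s" % (key_id, sign(secret, method, headers, resource))
    return headers

def verify(method, headers, resource, body, now):
    # Server side: returns (accepted, reason). Checks run cheapest-first and fail closed.
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        key_id, presented = rest.split(":", 1)
        age = abs(now - parsedate_to_datetime(headers["Date"]))
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    if scheme != "DEMO" or key_id not in CREDENTIALS:
        return False, "unknown key"
    if age > CLOCK_SKEW:  # the signed Date bounds how long a captured request stays valid
        return False, "stale date"
    if headers.get("Content-MD5", "") != content_md5(body):
        return False, "body digest mismatch"  # the digest is signed, so tie the body to it
    expected = sign(CREDENTIALS[key_id], method, headers, resource)
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return False, "bad signature"
    return True, "ok"
```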

Re: Secure authentication in RESTful web services

Posted: Fri May 23, 2008 8:23 am
by Jenk
Out of curiosity, why not SSL?

Re: Secure authentication in RESTful web services

Posted: Mon May 26, 2008 3:08 am
by Maugrim_The_Reaper
It keeps the URLs clean, I agree - but it's just as visible. Seems odd to shift request data around just so something looks pretty ;).

My apologies though, your one-liner sounded like you were suggesting to use a plain header without a secure scheme. I see that was not the intent now.