Thoughts on authentication #25
Comments
|
+1 — On Wed, Jun 18, 2014 at 3:41 AM, Rudolph Froger [email protected]
|
|
Oops, obviously this is too tightly coupled to the Heroku case. I'll try to expand on it in the near future for you. Thanks for pointing this out as something that needs attention. |
|
👍 as well. I really like the |
|
In our case we have a couple ways it can be done. One is out-of-band (either from the website or via tools) and the other is via the API itself. In the API case we have a special login endpoint that you can call using your username and password (and you get a token back in return). Hopefully that clarifies at least a bit. The dashboard specific part here is certainly overly specific, but I'm not sure how best to generalize. Maybe if we just changed it from |
|
Sounds good — those are the cases I've encountered as well. As for passing tokens, I've seen a few ways people tend to do it so far, and I'm not sure what's the best approach. It'd be nice to have guidelines on them.
|
|
I lean somewhat towards basic auth for ease of use, as pretty much everything supports it. Plus you can technically pass it either with the host as above or in the headers if you really prefer. It also seems likely to do a good job of supporting both programatic and browser-based access (where other things may not do so as well). What do you think? |
|
I'm all for basic auth — it's just what feels right. I don't know how to properly implement it though. Is it simply passing the token in the Authorization header, eg, |
|
@rstacruz sure. It depends. There are a couple ways you can use it (at least with most libraries/frameworks). The first is simply embedding it in the url, so stuff like |
|
Basic authentication is certainly the easiest but has the disadvantage of transferring the API key with every request. One might also consider other approaches like authenticate with the API key once per 'session' and then use a returned session id for subsequent requests (similar to how authentication for 'normal' users with web browsers works). Another approach might be to use TOTP/HOTP/OCRA based authentication (the three OATH standards) so the API key is never included in the API requests. TLS client certificate authentication could also be an option. This has the advantage that many HTTP client libraries already have support for client certificates. When implementing something like session IDs or one of the OATH standards, one might want to supply a small 'curl' wrapper script to make it easier for developers to play with the API. Providing small implementation examples in various programming languages also helps the inexperienced developer. |
|
@rudolphfroger those are definitely interesting options. I guess I haven't seen a lot of reason to prefer those somewhat more complicated options over basic auth. The exception is for cases like OTP where you want to provide a time-limited token. I think you can still pass that token around via basic though, for simplicity. Are there cases I'm not thinking about where more session based usage would be important? Beyond the insecurity of passing the token around each time, are there other concerns? |
|
Security is my main concern with regards to authentication of API's. API's are made to easily retrieve large amounts of data and/or execute many powerful actions, most of the time much easier than via the web interface. |
I'm missing a paragraph on how authentication should be done. The paragraph on "Provide executable examples" mentions using a token with the comment "acquire from dashboard".
Thanks!
The text was updated successfully, but these errors were encountered: