On Sunday, May 6, 2012 1:17:09 PM UTC-5, nawaz wrote:
My question is that why is the ApiKey used instead of the Django user
password in digest authentication? As I understand with digest
authentication the password is not sent as clear text, so there should
be no harm in using the Django user password unless I am missing
something.
Django passwords will not work because the "secret code" in digest auth needs to be a shared secret between the client and server. As Django salts and hashes passwords by default, it has no practical knowledge of a user's password for the purpose of digest auth. For password based digest auth to work you would have to share your password salt value and hash method with each user so that they can generate the hashed+salted version of their password on the client... Which is much worse than just using API keys.
The real question is... Do you need digest auth?
My rule of thumb is: If the secret needs to be stored in a shared settings file: Digest (that way the account's admin tools can be protected with a separate user/pass combo), if it needs to be entered by a user: Basic Auth+SSL+Client Side Password Vault.
Or, you could use a combination of the two: Use basic auth+SSL to call a login method that returns the user's api key and use digest auth from there.
~Mike