DigestAuthentication with ApiKey

681 views
Skip to first unread message

nawaz

unread,
May 6, 2012, 2:17:09 PM5/6/12
to Tastypie
Hello everyone,

I am new to both Tastypie and Django, so please bear with me.

Following the documentation, I have been able to get a basic API
working with Tastypie. I then wanted to add authentication and chose
DigestAuthentication. However, it was not working and I was constantly
getting the popup box asking for username and password until I
realised that the password is in fact the ApiKey.

My question is that why is the ApiKey used instead of the Django user
password in digest authentication? As I understand with digest
authentication the password is not sent as clear text, so there should
be no harm in using the Django user password unless I am missing
something.

I guess I can change the code or write my own digest authentication
that uses the password. But if I stick to the original
DigestAuthentication, I was wondering that how can I return the
generated ApiKeys to the newly created users?

Thanks for reading.

Mike Urbanski

unread,
May 12, 2012, 3:51:02 AM5/12/12
to django-...@googlegroups.com
On Sunday, May 6, 2012 1:17:09 PM UTC-5, nawaz wrote:

My question is that why is the ApiKey used instead of the Django user
password in digest authentication? As I understand with digest
authentication the password is not sent as clear text, so there should
be no harm in using the Django user password unless I am missing
something.

Django passwords will not work because the "secret code" in digest auth needs to be a shared secret between the client and server.  As Django salts and hashes passwords by default, it has no practical knowledge of a user's password for the purpose of digest auth.  For password based digest auth to work you would have to share your password salt value and hash method with each user so that they can generate the hashed+salted version of their password on the client...  Which is much worse than just using API keys.

The real question is...  Do you need digest auth?

My rule of thumb is:  If the secret needs to be stored in a shared settings file:  Digest (that way the account's admin tools can be protected with a separate user/pass combo), if it needs to be entered by a user:  Basic Auth+SSL+Client Side Password Vault.

Or, you could use a combination of the two:  Use basic auth+SSL to call a login method that returns the user's api key and use digest auth from there.


~Mike
Reply all
Reply to author
Forward
0 new messages