Authentication model choosing


Vasiliy Sivovolov

Apr 8, 2014, 1:55:36 PM4/8/14
to api-...@googlegroups.com
Hello,

I need help choosing an authentication model.

I have a resource, let's say "/items", which has some attributes, like this:

[{
 "id": "1234",
 "secretInfo1": "value1",
 "secretInfo2": "value2",
 "price": "1000"
}]

Case 1: API user is an anonymous user. The API user can do some operations on this resource if he knows the attributes id, secretInfo1 and secretInfo2.

Case 2: API user has an account with login and password. The API user can do some operations on this resource if he was authenticated and authorized to access this resource.

Because of specific requirements I can't send the login/password or the secret attributes in each request. For now, I see only a session-based authentication model for it, but it's not stateless and not recommended for a REST API.
OAuth1/2 looks like overkill for it.

Could you please recommend me an authentication model.

Thanks in advance.

Jørn Wildt

Apr 9, 2014, 3:20:52 AM4/9/14
to api-...@googlegroups.com
I don't get your example cases - they seem somewhat odd, but I will assume you have a resource that generally needs some kind of authentication mechanism to protect parts of it.

For this I don't think OAuth2 is overkill - it's apparently a common misconception that OAuth has to be complex, but it *can* be as simple as classic web page session authentication - as long as you don't need to access third party resources on behalf of someone.

Take a look at this blog post where I have tried to argue in favor of OAuth2 and against all sorts of proprietary authentication schemes: http://soabits.blogspot.dk/2014/02/api-authentication-considerations-and.html

/Jørn
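As an added illustration of the point above (this is not code from the original post, the linked blog article, or any project): a minimal password-for-token exchange in Python. The credentials are presented once to a token endpoint, and every later request carries only an HMAC-signed, expiring bearer token in the Authorization header, so the resource server can check it statelessly without a session store. The user table, item data, salt, key and function names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side settings; in a real deployment the signing key comes
# from a secrets store and the account table from a database.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    # Store a slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed account table: password hash plus the item ids the account may read.
USERS = {"alice": {"pw": _hash_password("correct-horse"), "items": {"1234"}}}
# Constructed resource data, mirroring the /items shape from the question.
ITEMS = {"1234": {"id": "1234", "secretInfo1": "value1",
                  "secretInfo2": "value2", "price": "1000"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, password, now=None):
    """Token endpoint: credentials are sent once, a bearer token comes back (or None)."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(password)):
        return None
    claims = {"sub": username, "exp": int(now) + TOKEN_TTL_SECONDS,
              "items": sorted(user["items"])}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token, now=None):
    """Resource server: check the MAC and the expiry; no server-side session needed."""
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison before trusting anything inside the body.
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64, wrong number of parts, bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def get_item(item_id, authorization_header, now=None):
    """GET /items/{id}: returns (status, body) like a minimal resource endpoint."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(authorization_header[len("Bearer "):], now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    if item_id not in claims["items"]:
        return 403, {"error": "not authorized for this item"}
    return 200, ITEMS[item_id]


if __name__ == "__main__":
    token = issue_token("alice", "correct-horse")
    print(get_item("1234", f"Bearer {token}"))
```

The authorization decision (which items a subject may read) lives in the token claims and is checked by the resource endpoint, while the token endpoint only deals with credentials; that separation is what keeps the scheme small, and it is the same split a full OAuth2 deployment formalises.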



Dmitry Pavlov

Apr 9, 2014, 3:45:13 AM4/9/14
to api-...@googlegroups.com
> Case 1 API user is an anonymous user. The API user can do some operations on this resource if he knows the attributes id, secretInfo1, secretInfo2.
seems like security by obscurity

Agree with Jørn: if you need to perform access control you had better use some standard, without reinventing the wheel.
--
Best regards,
Dmitry Pavlov

sune jakobsson

Apr 9, 2014, 4:55:47 AM4/9/14
to api-...@googlegroups.com
Stick to a standard, "security by obscurity" is crap :)

Sune

Irakli Nadareishvili

Apr 17, 2014, 2:04:16 AM4/17/14
to api-...@googlegroups.com
+1

You shouldn't conflate authentication with API functionality. Keep the two separate. Seems like you are also shoe-horning resource-oriented authorization in that mix. That thing will turn into a monster in no time.

OAuth2 is not an "overkill". OAuth2 is a standard framework for implementing authentication that works for you. You can do basic things pretty quickly and easily. Usually a better idea than inventing a proprietary solution.

René van den Berg

Apr 18, 2014, 4:56:00 AM4/18/14
to api-...@googlegroups.com
While I do not particularly disagree with what's being said in the other comments, "security by obscurity" is a somewhat overused term - there is a "secret" involved in most every security scheme, and if you know that secret, the security scheme is bust.

Security by Obscurity, in my opinion, applies to schemes like "other people cannot find this resource because its URI is so long" or "other people do not know how my authentication scheme works so I'm safe" - it is not equivalent to an extremely generic "I have a secret that no one knows about" because that would apply to, oh I don't know, SSL, any password-based scheme, any token-based scheme....

Just my $0.02.

Regards,
Rene