
Saturday, January 23, 2010

Principles for Standardized REST Authentication

"Working with the programming APIs for cloud providers and SaaS vendors has taught me two things: (i) There are very few truly RESTful programming APIs. (ii) Everyone feels the need to write a custom authentication protocol. I've programmed against more web services interfaces than I can remember. In the last month alone, I've written to web services APIs for Aria, AWS, enStratus, GoGrid, the Rackspace Cloud, VMOps, Xero, and Zendesk. Each one requires a different authentication mechanism. Two of them (Aria and AWS) defy all logic and require different authentication mechanisms for different parts of their respective APIs. Let's end this here and now...
Here's a set of standards that I think should be in place for any REST authentication scheme. Here's the summary: (1) All REST API calls must take place over HTTPS with a certificate signed by a trusted CA. All clients must validate the certificate before interacting with the server. (2) All REST API calls should occur through dedicated API keys consisting of an identifying component and a shared, private secret. Systems must allow a given customer to have multiple active API keys and de-activate individual keys easily. (3) All REST queries must be authenticated by signing the query parameters sorted in lower-case, alphabetical order using the private credential as the signing token. Signing should occur before URL encoding the query string...
This is a battle I know I am going to lose. After all, people still can't settle on being truly RESTful (just look at the AWS EC2 monstrosity of an API). Authentication is almost certainly a secondary consideration. If you are reading this post and just don't want to listen to my suggestions, I plead with you to follow someone else's example and not roll your own authentication scheme..."
Dilip Krishnan (Blog 'RESTful API Authentication Schemes') provides a summary and encourages readers to weigh in on the recommendations.

http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.html
See also Dilip Krishnan: http://www.infoq.com/news/2010/01/rest-api-authentication-schemes
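Rules (2) and (3) from the quoted post, worked through as an added example: a per-customer key store with several keys (one revoked), a client that signs the parameters sorted by lower-cased name before URL-encoding, and a server that recomputes and checks the signature. This is my illustration, not code from the O'Reilly post or from any vendor named there; key ids, secrets and parameter names are constructed, and HMAC-SHA256 is assumed because the post names no digest.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed key store for one customer: several keys, each with an identifying
# component (the key id, sent in the clear) and a private secret (never sent).
# Individual keys can be de-activated without touching the others (rule 2).
API_KEYS = {
    "AKID-alpha": {"secret": b"constructed-secret-alpha", "active": True},
    "AKID-beta": {"secret": b"constructed-secret-beta", "active": False},  # revoked
}


def canonical_query(params):
    """name=value pairs sorted by lower-cased name and joined with '&',
    built from the raw (not yet URL-encoded) values, as rule 3 prescribes."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{name}={value}" for name, value in ordered)


def sign(params, secret):
    """HMAC over the canonical query. SHA-256 is an assumption; the post names no digest."""
    mac = hmac.new(secret, canonical_query(params).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def build_request(params, key_id):
    """Client side: attach the key id, sign everything, then URL-encode."""
    signed = dict(params, api_key=key_id)
    signed["signature"] = sign(signed, API_KEYS[key_id]["secret"])  # api_key is covered too
    return urlencode(signed)  # encoding happens only after signing


def verify_request(query_string):
    """Server side: look up the key, reject inactive keys, recompute the MAC,
    and compare in constant time so the check leaks nothing through timing."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    presented = params.pop("signature", None)
    key = API_KEYS.get(params.get("api_key"))
    if presented is None or key is None or not key["active"]:
        return False
    return hmac.compare_digest(sign(params, key["secret"]), presented)


if __name__ == "__main__":
    qs = build_request({"Zone": "us-east", "action": "ListServers"}, "AKID-alpha")
    print(qs)
    print("valid:", verify_request(qs))
    print("tampered:", verify_request(qs.replace("us-east", "us-west")))
    print("revoked key:", verify_request(build_request({"action": "ListServers"}, "AKID-beta")))
```

The three rules say nothing about replay; a deployment would also sign a timestamp or nonce so a captured query cannot simply be resubmitted.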

1 comment:

Anonymous said...

Sorry for my bad English. Thank you so much for your good post. Your post helped me in my college assignment. If you can provide me more details, please email me.