How do I pass an authentication key to a RESTful web service?

Some existing web services I use have methods that look something like this:

List<Employee> employees =
    employeeService.GetEmployees(accessKey, allDepartments);

AccessKey serves two purposes: it acts as both authentication and identification. Only valid access keys get a response (authentication), and the key also serves as a reference to the specific customer's data.

If the services were to be implemented in a RESTful manner, I do not know how this would be achieved. I definitely wouldn't want to do something like this:

http://www.business.com/<GuidHere>/Employees/


Since this would expose an accessKey that is somewhat secret (i.e. usually kept in an encrypted file on the client that uses it), we cannot put the GUID in the URI. How is this achieved with a RESTful architecture?

+1




4 answers


You can send an authentication token using HTTP headers.



+7




If it is a RESTful web service, I am assuming it is being consumed by the machine, so why not pass the access token in the URL?

At the end of the day, you need to put it somewhere, and hiding it in hidden form fields in the browser (if the service is to be viewable) is not all that important for security.



If the key is so sensitive, why not symmetrically encrypt on the server per session and pass this value?

Just thoughts.
Kev

+1




If timing is not an issue, implementing OAuth security can be helpful. OAuth uses a public key as well as a secret. The message is hashed (in most cases), and the server uses the public key to look up its copy of the secret, does the same hashing, and makes sure its result matches the request's.

The advantage is that you don't need to use HTTPS or POST. Get* REST API methods should use the HTTP GET method (I'm not sure if RESTful is your goal, just thought I'd point it out). I agree with Mr. Pang: http://www.business.com/employees . The query string can contain a list of department IDs.

In your case, the service call will not have an "accessKey" argument, rather it will become a public key (I think) and will be used in headers, query string or as a POST parameter.

Some good information on OAuth: http://www.hueniverse.com/hueniverse/

+1
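The signing scheme this answer describes, as an added example that is not part of any answer on this page: the client identifies itself with a public key id and sends an HMAC over the request instead of the secret itself; the server looks up its copy of the secret by that id, recomputes the HMAC, and compares in constant time. The key store, the canonical-string layout, the 300-second timestamp window and the parameter names (key_id, ts, sig) are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample credential store: public key id -> shared secret.
# A real service keeps these in a secret store, not in source.
SECRETS = {"client-42": b"constructed-shared-secret"}

MAX_SKEW_SECONDS = 300  # assumption: reject requests with a stale timestamp


def canonical_string(method, path, params, key_id, timestamp):
    """Deterministic text both sides sign. Query parameters are sorted so
    that reordering them on the wire does not change the signature."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, key_id, str(timestamp)])


def sign_request(method, path, params, key_id, secret, timestamp):
    """Client side: HMAC-SHA256 over the canonical string. Returns the
    query parameters to send; the secret itself never leaves the client."""
    msg = canonical_string(method, path, params, key_id, timestamp).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    signed = dict(params)
    signed.update({"key_id": key_id, "ts": str(timestamp), "sig": sig})
    return signed


def verify_request(method, path, received, now=None):
    """Server side: look up the secret by key id, recompute the HMAC and
    compare in constant time. Returns (ok, reason)."""
    now = time.time() if now is None else now
    received = dict(received)
    try:
        key_id = received.pop("key_id")
        ts = int(received.pop("ts"))
        sig = received.pop("sig")
    except (KeyError, ValueError):
        return False, "missing or malformed auth parameters"
    secret = SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    msg = canonical_string(method, path, received, key_id, ts).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    params = {"departments": "all"}
    signed = sign_request("GET", "/Employees", params, "client-42",
                          SECRETS["client-42"], now)
    print(signed)
    print(verify_request("GET", "/Employees", signed, now=now))
```

Because only the HMAC travels in the request, a URL or access log that captures it does not leak the secret, which is the property the plain "GUID in the URI" design lacks. The timestamp in the signed string limits how long a captured signature can be replayed; a nonce store would be needed to rule replay out entirely.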




As Troy Alford pointed out, my initial suggestion was wrong. You shouldn't use POST in such a situation. You must use a GET request with authentication information in the HTTP headers. See Basic Access Authentication for one way to do this.

0
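Putting the credential in an HTTP header rather than the URL, as the first and last answers recommend, shown as an added example that is not code from any answer on this page. It builds an Authorization header for Basic Access Authentication (RFC 7617), parses it on the server side without raising on malformed input, and checks the key with a constant-time comparison. The key store, the client name "acme", the realm string and the handler's return shape are assumptions made for the example.

```python
import base64
import binascii
import hmac

# Constructed sample store of valid access keys, keyed by client name.
# A real service would store these hashed, not in plaintext.
VALID_KEYS = {"acme": "constructed-access-key-123"}


def basic_auth_header(username, key):
    """Client side: Authorization header value for HTTP Basic,
    i.e. base64 of 'username:password' (RFC 7617)."""
    token = base64.b64encode(f"{username}:{key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value):
    """Server side: decode a Basic Authorization header into (user, key).
    Returns None for any malformed or non-Basic value instead of raising."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, key = decoded.partition(":")
    if not sep:
        return None
    return user, key


def authenticate(headers):
    """Check the request's credentials against the key store using a
    constant-time comparison. Returns the client name, or None."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    user, key = creds
    expected = VALID_KEYS.get(user)
    if expected is None or not hmac.compare_digest(expected, key):
        return None
    return user


def handle_get_employees(headers, path="/Employees"):
    """Minimal GET handler: the key travels only in the header, so it stays
    out of the URL, access logs, browser history and Referer headers.
    Returns (status, response_headers, body)."""
    client = authenticate(headers)
    if client is None:
        return 401, {"WWW-Authenticate": 'Basic realm="employees"'}, None
    return 200, {}, {"client": client, "path": path, "employees": ["Alice", "Bob"]}


if __name__ == "__main__":
    hdr = basic_auth_header("acme", "constructed-access-key-123")
    print(hdr)
    print(handle_get_employees({"Authorization": hdr}))
    print(handle_get_employees({}))
```

Basic only base64-encodes the credential, it does not encrypt it, so the header must be sent over HTTPS; the same parsing and comparison pattern applies unchanged to a `Bearer` token header.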

