
We have an ASP.NET MVC web service framework for serving out xml/json for people's GET requests but are struggling to figure out the best way (fast, easy, trivial for users coding with javascript or OO languages) to authenticate users. It's not that our data is sensitive or anything, we just want users to register so we can have their email address to notify them of changes and track usage.

In our previous attempt we had the username in the URI and would just make sure that username existed and increment db tables with usage. This was super basic but we'd notice people using demo as a username etc so we need it to be a little more sophisticated.

What authentication techniques are available? What do the major players use/do?

Steve
  • What do you consider a "major player"? Please list a few examples. While you're at it, please include a link to the "major player" API definitions so we can see what they do. – S.Lott Jan 12 '11 at 18:17
  • I would consider Twitter/Facebook/Google/Flickr the major players. http://developers.facebook.com/ http://apiwiki.twitter.com/ – Steve Jan 12 '11 at 19:52

4 Answers


I asked that question on StackOverflow and you can read it here. Also see my answer to my own question, which is about authentication precisely without having to pass the password for each request, and without SSL or encryption. Just simple hashing.

  • I'm not sure I like your solution. – Steve Jan 12 '11 at 20:38
  • Steve: use the Flickr solution –  Jan 12 '11 at 20:49
  • Is there an open source Flickr solution or do I just need to read their API and figure it out? – Steve Jan 13 '11 at 06:02
  • Read their API, it's very simple. Not as secure as my method if you don't have SSL, but very good –  Jan 13 '11 at 06:47
  • Your md5 solution just doesn't seem to fit the bill with "trivial for javascript users". I'll have to check out the Flickr API some more. I glanced over it but need to study some of the terminology. Mainly what frobs are. – Steve Jan 14 '11 at 06:08

This video is an interesting way of using an API key with your WCF/REST service. code.

Tangurena
  • This is the same idea as putting the username in the service except they are calling it an API key. Someone can look at the source of the page if it's javascript and copy the key and use it elsewhere. Would you want to have an API key be linked to a calling domain so that the API key needs to be valid and it needs to come from xyz.com? – Steve Jan 13 '11 at 05:56
  • Also, is this a duplicate of what @KinGBin suggested? – Steve Jan 13 '11 at 05:57

I take it you're using Visual Studio. If you're using VS 2010 with the 4.0 framework, you could check out the "WCF REST Service With API Key Verification" template in VS 2010.

KinGBin
  • I will have to look into that. I'd like to get away from WCF though personally. – Steve Jan 12 '11 at 20:39
  • This was interesting, but it looks like it just passes the APIKey in the query string. Doesn't that mean that the API key is visible to anyone between the caller and the callee -- even if you use SSL? – JMarsch May 15 '13 at 19:56

I always use HTTP authentication for web services. The authentication itself would be handled by your web server, likely IIS in your case. You would then configure IIS to authenticate against your database, an LDAP store, or similar.

You would then access the username via the property User.Identity.Name.

EDIT: jQuery authentication example:

/* I found that providing the username and password both in the
   arguments and in the url parameter seems to have better compatibility;
   if it works well for you, it is highly advisable to remove the
   user/pass from the url */

function doLogin() {
  $.ajax({
    // credentials for HTTP authentication, taken from the login form
    username: $('#username').val(),
    password: $('#password').val(),
    // same credentials repeated in the URL for compatibility (see note above)
    url: 'https://' + $('#username').val() + ':' + $('#password').val() + '@api.example.com',
    dataType: 'jsonp',
    context: $('#result'),
    success: function (d) {
      $(this).html(d);
      $(location).attr('href', 'https://api.example.com/success');
    }
  });
  return false;
}
ewindisch
  • How would you do this with a javascript client? – Steve Jan 13 '11 at 05:40
  • client = new XMLHttpRequest(); client.open(method, url, async, user, password); – ewindisch Jan 13 '11 at 06:06
  • Added jQuery example to answer – ewindisch Jan 13 '11 at 06:09
  • So the username/password combination would have to reside in plain text in the source. Doesn't seem like a good idea. – Steve Jan 14 '11 at 06:02
  • This would be for authentication provided by the end-user, this is quite secure. Some APIs such as the Google Maps API simply use a key, which is embedded in the source, and verify this against the HTTP_REFERRER. This is not terribly secure, but secure enough for an application like Google Maps. – ewindisch Jan 14 '11 at 07:52
  • OK, so basically you would have to enter your username/password into a login screen to fire off an API request? That solution is terrible. Every user of a public website would have to be registered? – Steve Jan 17 '11 at 00:49
  • Steve, it depends on what you're *doing*. Stack Exchange, for instance, has users that log in. For that, using an API in this way makes sense. Web widgets, on the other hand, do better with API keys and hostname checks. API keys would then have to be embedded into the script. Using the above example with an API key would still work; you could just have the server ignore the password, require that the password matches the username, or similar. – ewindisch Jan 18 '11 at 15:08