Securing API calls made on behalf of a user from an untrusted environment - ThePhysicist
http://www.andreas-dewes.de/en/2015/securing-api-calls-made-on-behalf-of-a-user-from-an-untrusted-environment/

======
zaroth
I think this is usually called a ticket-granting-ticket.

The key details are how to authenticate the client to the middleware and
setting expiry and anti-replay on the ticket issued to the client.
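
As an added example (not from the linked post or either commenter), one shape such a ticket can take: the middleware HMAC-signs a claim set bound to the user, the exact API call, an expiry and a one-time nonce under a secret shared with the API (a constructed value here), and the API rejects expired, mis-bound, tampered or replayed tickets.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the middleware (issuer) and the API (verifier) share this key.
# The value is constructed for the demo; a real deployment would provision it.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id: str, method: str, path: str, ttl: int = 30, now=None) -> str:
    """Middleware side: bind the ticket to user, call, expiry and a fresh nonce (jti)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "m": method, "p": path,
              "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


class TicketVerifier:
    """API side: checks signature, expiry, call binding, then single use."""

    def __init__(self):
        self._seen = {}  # jti -> exp; nonces already redeemed, pruned on expiry

    def verify(self, ticket: str, method: str, path: str, now=None):
        now = time.time() if now is None else now
        try:
            body, tag = ticket.split(".")
        except ValueError:
            return None, "malformed"
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None, "expired"
        if claims["m"] != method or claims["p"] != path:
            return None, "ticket not valid for this call"
        # Keep the replay cache bounded: anything past its exp can never validate again.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if claims["jti"] in self._seen:
            return None, "replay"
        self._seen[claims["jti"]] = claims["exp"]
        return claims["sub"], "ok"
```

Because expired nonces are pruned, the replay cache only ever holds tickets that could still validate, so a short ttl directly bounds the verifier's memory.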

~~~
ThePhysicist
Ah fascinating, I'll look that up! I couldn't find anything on the subject but
then again I didn't know what term to search for, and I imagined that somebody
must have come up with this since it's not rocket science. However, I didn't
see this implemented in any API I know, so I thought I'd share it.

