Ask HN: What kind of authentication model do you use for your API service? - hussfelt

Ok, so I am building yet another API.

This time I wanted to go through some types of authentication implementations to see which one would be simplest for our customers to implement, and which one would be more secure.

How do you let your API users authenticate?

* Creating "Apps" in your service?

* User based Private/Public key?

* Username/Password

* OAuth?

Other ideas?

--
EDIT: Updated linebreaks in list.
======
hussfelt
Some resources if anyone is interested to read:

<http://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization/>

In short: <http://stackoverflow.com/questions/6767813/api-keys-vs-http-authentication-vs-oauth-in-a-restful-api>

~~~
hussfelt
I would love more insights though - from real implementations! :)

------
zelk
I create mobile apps against a REST backend on GAE and I use just basic
authentication over https for authenticating the users. I sha1 the password
and compare against a sha1 value in the database. Simplest there is but maybe
not as secure as other alternatives, but I have not found any big problems
with this. Please tell me if I am missing something vital. Have bought a book
about OAuth but have not opened it yet. :)

~~~
breathesalt
Read: <http://codahale.com/how-to-safely-store-a-password/>

Since you're running on GAE you're likely using either python or java:

Python bcrypt implementation: <http://www.mindrot.org/projects/py-bcrypt/>

Java bcrypt implementation: <http://www.mindrot.org/projects/jBCrypt/>
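
As an added example (not code from anyone in this thread, and not the py-bcrypt or jBCrypt libraries linked above), here is the scheme zelk describes, an unsalted SHA-1 of the password compared against the database, placed beside a salted, iterated password hash of the kind breathesalt's link argues for, plus the HTTP Basic header parsing that sits in front of it. Because bcrypt is a third-party package, the example substitutes the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt; the record format, the iteration count, and all function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# --- Scheme described in the thread: unsalted SHA-1 compared against the DB ---

def sha1_hash(password: str) -> str:
    """Plain SHA-1 of the password: no salt, one fast iteration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def sha1_verify(password: str, stored_hex: str) -> bool:
    # Constant-time compare so the comparison does not leak matching prefixes.
    return hmac.compare_digest(sha1_hash(password), stored_hex)

# --- Stronger scheme: salted, iterated PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt) ---

ITERATIONS = 100_000  # assumed work factor; tune so one verify costs tens of ms

def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt/iterations and compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)

# Record for a random password, used so unknown users cost the same as known ones.
DUMMY_RECORD = pbkdf2_hash(os.urandom(16).hex())

# --- HTTP Basic auth parsing (what the client sends over HTTPS) ---

def parse_basic_auth(header_value: str):
    """Return (user, password) from 'Basic <base64(user:password)>', or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password

def authenticate(header_value: str, users: dict):
    """users maps username -> pbkdf2 record. Returns the username or None."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    record = users.get(user)
    # Always run one verification so timing does not reveal whether the user exists.
    if not pbkdf2_verify(password, record if record is not None else DUMMY_RECORD):
        return None
    return user if record is not None else None

if __name__ == "__main__":
    # Constructed sample users (not real credentials): two users, same password.
    shared = "correct horse battery staple"
    users = {"alice": pbkdf2_hash(shared), "bob": pbkdf2_hash(shared)}
    print("SHA-1 records identical for a shared password:",
          sha1_hash(shared) == sha1_hash(shared))
    print("PBKDF2 records differ thanks to the salt:", users["alice"] != users["bob"])
    hdr = "Basic " + base64.b64encode(f"alice:{shared}".encode()).decode()
    print("authenticate ->", authenticate(hdr, users))
```

The point the demo makes is the one the codahale article makes: the unsalted SHA-1 table gives the same digest to every user with the same password and can be attacked with precomputed tables at hardware speed, while the salted, iterated record is unique per user and costs the attacker the same work factor per guess that it costs the server per login. The constant-time comparison and the dummy verification for unknown users are small details, but they are what keeps the verifier from leaking information through response timing.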

------
kuasha
Have you considered 2 factor authentication? If you are concerned about
security, 2FA can give you more protection. - Maruf

~~~
hussfelt
Hey kuasha!

That sounds interesting, how would you implement that on an API level in a
good way? I mean, the clients' applications will most probably do automatic
transactions all the time.

Are you thinking something like time-based sessions, which you have to
authenticate on both ends - with a PK?

~~~
kuasha
2FA can use a smart card. A device with TPM capability may work as a virtual
smart card. This video is interesting:
<http://www.youtube.com/watch?v=QmTpdZAC4_s>

But yes, I have to admit, for an API this may be overkill.

~~~
hussfelt
So you would implement like a virtual smart-card in the Client application end
that then communicates with the API in our end and authenticates?

I also think this might be a bit overkill - maybe something for real
enterprise apps... :-)

But it's a cool thought!

Thanks for sharing!

------
nec
OAuth, preferred for its simplicity.

~~~
hussfelt
I guess you are referring to version 1 of OAuth?

Seems like there is a lot of talk regarding the 2nd generation of OAuth.

Do you have any insight to share regarding that?