What are your thoughts on an Amazon-like security scheme? As far as there are no third-party apps involved, I think OAuth is overkill.

What I mean by Amazon-like security is described in this article: http://www.thebuzzmedia.com/designing-a-secure-rest-api-with...

Stormpath's custom scheme is very similar to Amazon's.

But per the blog article, you'd only want to do this if you are willing to support client libraries/sdks that implement it as well. No one wants to spend the time to implement non-standard custom HMAC algorithms.

We tried this with Pagify (http://pagify.io), and I think supporting client libraries was not an issue, since we had to provide an SDK one way or the other.

Totally agree. The key here is that you're doing the work to implement the algorithms, not your customers. If they had to do it, they probably just wouldn't use it.

Thanks for the pointer, I was looking for a sane explanation of the Amazon security and signature algorithm.

I have to disagree with the other comments here regarding the client library. I think that given the precedent of the Amazon API, and given that people understand how to sign APIs like Amazon's, this method will be accepted even without a client library.

Being a Java / Scala dev, I prefer that an API provider allow me to select the HTTP client libraries to use and avoid forcing me to use a specific library & version via SDK transitive dependencies.

