Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
510 views
in Technique[技术] by (71.8m points)

rest - Securing an API: SSL & HTTP Basic Authentication vs Signature

When designing an API for our web app, we'll use the their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of generating another key.

Different APIs seem to do one of two things:

  1. Use HTTP Basic Authentication with SSL

In every request the username is set to the subdomain and the password to the API key. Since we're using SSL then this should be safe from spoofing.

Notable APIs: Google Checkout, Freshbooks, GitHub, Zendesk

  1. Create a Signature of the Request with the Shared Secret

Normally achieved by ordering the key/value pairs and using HMAC-SHA1 with the shared secret to generate the signature. The signature is then sent with the request and verified at the other end.

Notable APIs: Google Checkout, Amazon AWS

PS: thats no mistake, Google Checkout supports both

Edit: Just read that OAuth 2 is dropping signatures in favour of sending a username/password via SSL.

Any opinions from anyone on what to pick: SSL vs Signature?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

HTTP Basic Authentication over SSL is perfectly secure from my research.

After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with.

Therefore passing the username and password without generating a signature is sufficient.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...