
I'm planning to create a few simple REST web services to be used by some other applications (everything internal, not facing the Internet). For certain reasons the applications should work with SSO (Windows, NTLM or other). The issue I have is how to do the authentication in the web service.

The application calling the web service has no knowledge of the user's password, so I'm kind of lost on how to authenticate against REST without having the user log in, e.g. avoiding Basic Authentication.

I would like to avoid login due to simplicity for the user and not having to handle passwords in my applications. What are my options? Am I missing something obvious?

Would this be a solution: create a token, pass it to the service and store it in a database. The web service checks if the token exists in the database. (Expiration handling?)

1 Answer


The most common solution to this problem is, as you mentioned, a simple key or token based authentication. This is how a lot of Google services (e.g. Maps) work. You simply generate a key on your service provider for each consumer, store it in your database, and validate that all calls pass a valid key.

More sophisticated options would be HMAC or OAuth authentication. Given your situation, i.e. providing services only within your intranet, I'd say keep it simple and go with a single key authentication.

In the above scenario I don't see the need for handling expiration. Nonetheless, if you'd like to implement it, then you could

  • on each client request, generate a timestamp based token on the server
  • in your reply to the request, also include this token
  • client should use both the static API key and the dynamic token in subsequent requests
  • server should check the token's lifetime and accept / refuse the request as necessary.

1 Comment

HMAC sounds interesting. So I could send the username as the message (and in plain text) and check authorization of that plain text username, for example with LDAP, and since the key is secret it is guaranteed that the username is not "spoofed", e.g. create the same HMAC in the web service and compare it against the received one.
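A worked version of the two ideas above (the answer's static key plus timestamp token, and the comment's HMAC over the username), as an added example that is not code from the question, the answer or the comment. The server signs `consumer|username|timestamp` with the consumer's secret key using HMAC-SHA256, compares the MAC in constant time, and then enforces the lifetime; the consumer name, secret and lifetime are constructed placeholders, and the LDAP authorization step mentioned in the comment is left out.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholders: in a real service the per-consumer secret comes
# from the database row created when the consumer was registered.
API_KEYS = {"billing-app": b"constructed-demo-secret-do-not-reuse"}
TOKEN_LIFETIME_SECONDS = 300


def _mac(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def issue_token(consumer: str, username: str, now: Optional[float] = None) -> str:
    """Server side: bind consumer, asserted username and issue time under one MAC.
    The '|' separator assumes usernames never contain that character."""
    ts = int(now if now is not None else time.time())
    payload = f"{consumer}|{username}|{ts}".encode()
    encoded = base64.urlsafe_b64encode(payload).decode()
    return f"{encoded}.{_mac(API_KEYS[consumer], payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server side: parse, recompute the MAC, compare in constant time, then
    check the lifetime. Returns (ok, username) or (False, reason)."""
    try:
        encoded, received_mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
        consumer, username, ts = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    secret = API_KEYS.get(consumer)
    if secret is None:
        return False, "unknown consumer"
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(_mac(secret, payload), received_mac):
        return False, "bad signature"  # username or timestamp was altered
    current = now if now is not None else time.time()
    age = current - int(ts)
    if not 0 <= age <= TOKEN_LIFETIME_SECONDS:
        return False, "expired"
    return True, username


if __name__ == "__main__":
    token = issue_token("billing-app", "alice")
    print(token)
    print(verify_token(token))
```

The signature check runs before the lifetime check on purpose: an altered timestamp is rejected as a forgery rather than reported as merely expired.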
