Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
503 views
in Technique[技术] by (71.8m points)

rest - Securing an API: SSL & HTTP Basic Authentication vs Signature

When designing an API for our web app, we'll use the their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of generating another key.

Different APIs seem to do one of two things:

  1. Use HTTP Basic Authentication with SSL

In every request the username is set to the subdomain and the password to the API key. Since we're using SSL then this should be safe from spoofing.

Notable APIs: Google Checkout, Freshbooks, GitHub, Zendesk

  1. Create a Signature of the Request with the Shared Secret

Normally achieved by ordering the key/value pairs and using HMAC-SHA1 with the shared secret to generate the signature. The signature is then sent with the request and verified at the other end.

Notable APIs: Google Checkout, Amazon AWS

PS: thats no mistake, Google Checkout supports both

Edit: Just read that OAuth 2 is dropping signatures in favour of sending a username/password via SSL.

Any opinions from anyone on what to pick: SSL vs Signature?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

HTTP Basic Authentication over SSL is perfectly secure from my research.

After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with.

Therefore passing the username and password without generating a signature is sufficient.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...