Creating an API for wandering applications – Hallmark and Authorisation – Hatful Flood

I’m sounding to produce a (Residual) API for my lotion. The initial/principal function bequeath be for expenditure by roving apps (iPhone, Humanoid, Symbian, etcetera). I’ve been look into unlike mechanisms for hallmark and authority for web-based APIs (by perusing early implementations). I’ve got my brain enwrapped about nigh of the underlying concepts but am distillery looking counsel in a few areas. The conclusion matter I deprivation to do is reinvent the pedal, but I’m not determination any banner solutions that fits my criteria (still my criteria my be mistaken so tone disengage to criticism that too). Additionally, I deprivation the API to be the like for all platforms/applications overwhelming it.

I’ll go forrader and dispose my expostulation to oAuth since I experience that testament belike be the get-go root offered. For wandering applications (or more specifically non-web applications), it fair seems damage to will the coating (to attend a web-browser) for the hallmark. Additionally, thither is no way (I am mindful of) for the browser to restitution the recall to the covering (particularly cross-platform). I experience a duet of apps that do that, but it fair feels improper and gives a break the covering UX.


  1. Exploiter enters username/parole into lotion.
  2. Every API birdcall is identified by the vocation diligence.
  3. Viewgraph is unbroken to a minimal and the auth scene is visceral for developers.
  4. The mechanics is guarantee for both the end exploiter (their login certificate are not open) likewise as the developer (their diligence credential are not open).
  5. If potential, not demand https (by no substance a laborious requisite).

My Stream Thoughts on Execution

An international developer leave asking an API history. They leave invite an apikey and apisecret. Every bespeak testament need at minimal ternary parameters.

  • apikey – apt to developer at regisration
  • timestamp – doubles as a unequaled identifier for apiece content for a presumption apikey
  • hasheesh – a hashish of the timestamp + the apisecret

The apikey is compulsory to place the diligence issue the quest. The timestamp acts likewise to the oauth_nonce and avoids/mitigates rematch attacks. The hashish ensures that bespeak was really issued from the possessor of the disposed apikey.

For documented requests (ones through on the behalf of a exploiter), I’m silence open betwixt leaving with an access_token itinerary or a username and watchword hasheesh combo. Either way, at about spot a username/countersign combo volition be needed. So when it does, a hasheesh of various pieces of data (apikey, apisecret, timestamp) + the countersign would be victimized. I’d bang feedback on this prospect. FYI, they would suffer to hashish the parole outset, since I don’t fund the passwords in my organisation without hashing.


FYI, this isn’t a petition for how to body-build/construction the API generally but how to grip the certification and potency from exclusively inside an diligence.

Random Thoughts/Incentive Questions

For APIs that solitary need an apikey as share of the bespeak, how do you forestall somebody otherwise the apikey proprietor from existence able-bodied to see the apikey (since sent in the elucidate) and pee-pee undue requests to advertise them concluded custom limits? Perhaps I’m scarce complete thought this, but shouldn’t thither be something to authenticate that a asking was verified to the apikey proprietor? In my lawsuit, that was the determination of the apisecret, it is ne’er shown/transmissible without existence hashed.

Speechmaking of hashes, what most md5 vs hmac-sha1? Does it real issue when all of the values are hashed with with sufficiently yearn information (ie. apisecret)?

I had been antecedently considering adding a per exploiter/row saltiness to my users parole hasheesh. If I were to do that, how could the diligence be able-bodied to produce a coordinated hasheesh without intentional the salinity victimized?

asked Oct 18 ’10 at 22:21

the inquiry is hone but, evening nigh 2 geezerhood late, oauth implementations appear to be arcane. i am having the hardest metre achieving just what you suffer discussed supra. i bear an extra property: i do not need to use a loginName/word couplet – i deprivation to use google individuality substantiation on the humanoid / ios (symbian was stated by WWF a nearly-extinct species) and i decline author post link to modernise for windows roving (whatsoever they song it these years). tony gil Jul 30 ’12 at 22:57

So what you’re afterwards is about kinda waiter incline hallmark mechanics that testament handgrip the certification and authority aspects of a nomadic covering?

Assumptive this is the suit, so I would coming it as follows (but lonesome ‘cos I’m a Coffee developer so a C# guy would fuck otherwise):

The Reposeful assay-mark and say-so overhaul

  1. This leave oeuvre solitary ended HTTPS to forestall eavesdropping.
  2. It leave be based on a combining of RESTEasy. Leaping Surety and CAS (for ace contract crossways multiple applications).
  3. It leave oeuvre with both browsers and web-enabled node applications
  4. Thither testament be a web-based chronicle direction port to let users to delete their details, and admins (for detail applications) to alteration authorization levels

The guest slope certificate library/diligence

  1. For apiece supported chopine (e.g. Symbian, Humanoid, iOS etcetera) make a desirable execution of the protection library in the indigene speech of the chopine (e.g. Coffee, ObjectiveC, C etcetera)
  2. The library should oversee the HTTPS asking organization victimization the useable APIs for the apt program (e.g. Coffee uses URLConnection etcetera)
  3. Consumers of the cosmopolitan certification and sanction library (‘cos that’s all it is) volition encipher to a particular port and won’t be felicitous if it always changes so brand trusted it’s really conciliatory. Trace existent invention choices such as Give Surety.

So now that the survey from 30,000ft is discharge how do you approach doing it? Easily, it’s not that gruelling to produce an hallmark and sanction organisation based on the listed technologies on the waiter face with a browser node. In combining with HTTPS, the frameworks bequeath furnish a fasten treat based on a divided nominal (unremarkably presented as a cooky) generated by the certification operation and exploited whenever the exploiter wishes to do something. This tokenish is presented by the guest to the waiter whenever any postulation takes billet.

In the lawsuit of the local peregrine covering, it seems that you’re afterwards a result that does the next:

  1. Node lotion has a outlined Admittance Ascendancy Tilt (ACL) controlling runtime entree to method calls. E.g., a precondition exploiter can understand a assembling from a method, but their ACL lone permits admittance to objects that birth a Q in their discover so about information in the collecting is quiety pulled by the certificate interceptor. In Coffee this is straight, you good use the Give Certificate annotations on the career encrypt and apply a suited ACL reply procedure. In otc languages, you’re on your own and testament likely indigence to furnish boilerplate certificate encipher that calls into your certificate library. If the nomenclature supports AOP (Expression Orientated Programing) so use it to the fullest for this place.
  2. The protection library caches the over name of authorisations into it’s individual store for the stream lotion so that it doesn’t birth to continue machine-accessible. Contingent the duration of the login seance, this could be a one-off process that ne’er gets recurrent.

Any you do, don’t try to forge your own certificate protocol. or use surety by reconditeness. You’ll ne’er be able-bodied to spell a punter algorithm for this than those that are presently uncommitted and unfreeze. Likewise, citizenry reliance advantageously known algorithms. So if you say that your certificate library provides dominance and certification for local roving applications victimization a combining of SSL, HTTPS, SpringSecurity and AES encrypted tokens so you’ll straightaway sustain creditibility in the mart.

Promise this helps, and luckiness with your guess. If you would wish more information, let me recognise – I’ve scripted quite few web applications based on Springiness Surety, ACLs and like.

First-rate later to the company but I treasured to quit around extra points to conceive for anyone concerned therein matter. I oeuvre for a accompany doing wandering API protection solutions (approov ) so this solid country is decidedly relevant to my interests.

To scratch with, the well-nigh significant matter to believe when nerve-racking to ensure a wandering API is how often it is deserving to you. The correct root for a rely is unlike to the rightfield root for somebody good doing things for fun.

In the proposed solvent you credit that a minimal of leash parameters volition be mandatory:

  • apikey – presumption to developer at adjustment
  • timestamp – doubles as a unequalled identifier for apiece content for a minded apikey
  • haschisch – a haschisch of the timestamp + the apisecret

The deduction of this is that for approximately API calls no username/word is compulsory. This can be utilitarian for applications where you don’t wishing to power a login (browse in on-line shops e.g.).

This is a slimly unlike job to the one of exploiter hallmark and is more wish certification or attestation of the package. Thither is no exploiter, but you stillness neediness to control that thither is no malicious admission to your API. So you use your API arcanum to signaling the dealings and key the inscribe accessing the API as actual. The potentiality job with this root is that you so sustain to rat the mystery inner every variation of the app. If person can excerption the mysterious they can use your API, impersonating your package but doing whatsoever they ilk.

To buffet that menace thither are a lot of things you can do contingent how worthful the information is. Befuddlement is a dim-witted way to survive harder to distil the mystic. Thither are tools that volition do that for you, more so for Humanoid, but you quieten bear to let encrypt that generates your haschisch and a sufficiently skilled soul can constantly hardly shout the part that does the hashing straight.

Another way to extenuate against unreasonable use of an API that doesn’t expect a login is to gun the dealings and potentially describe and pulley surmise IP addresses. The quantity of endeavor you lack to attend bequeath mostly ride how valuble your information is.

Bey that you can easy jump acquiring into the arena of my day job. Anyways, it’s another scene of securing APIs that I guess is crucial and treasured to iris up.

This entry was posted in Article. Bookmark the permalink.

Comments are closed.