Two-legged OAuth and REST

I would like to expose a web service that currently lives on my company's intranet to the Internet, so that partners can access the information it provides. Right now the web service is SOA-based, and I have decided to move everything to a RESTful web service, i.e. a web-oriented architecture. There are some security aspects I must consider in order to complete this move.

I do not know which solution would be most suitable in my case. I have already looked into HMAC and OAuth, but I would like to know whether it is possible to use OAuth without introducing a third party.

For example, a partner wants to log in to a website and then keep navigating; is two-legged OAuth useful for my needs? Is there any other security solution suited to this?

Many thanks.

+3
rest oauth
Nov 21 '10 at 19:29
1 answer

Yes, OAuth supports the two-legged case: just omit the oauth_token parameter, and then use either HMAC-SHA1 (shared secret) or RSA-SHA1 (public key) as desired. It is worth noting that the signature does not cover everything an API client can send; it does not cover the body of PUT requests, or the body of POST requests that are not form-encoded.

You could also just go with HTTPS + Basic Auth, since that lets you use plenty of off-the-shelf software (Apache or the equivalent) without having to add signing libraries to your client and server.

+1
Dec 26 '10 at 13:33
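The two-legged HMAC-SHA1 flow the answer describes, together with its caveat about unsigned request bodies, as an added example (not code from the original post or from any OAuth library). It implements the RFC 5849 signature base string, a client-side `sign` that leaves out `oauth_token`, and a server-side `verify` that recomputes the signature from what actually arrived. The consumer key `partner-42`, secret `s3cr3t`, host `api.example.com` and the request bodies are constructed for the demonstration. The JSON-body tampering case still verifies, which is exactly the gap the answer warns about.

```python
"""Two-legged OAuth 1.0a (RFC 5849) with HMAC-SHA1, and what the signature does (not) cover.

Added example, not code from the original post. Credentials, URLs and bodies are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

FORM = "application/x-www-form-urlencoded"


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only the RFC 3986 unreserved set stays as-is."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body=b"", content_type=""):
    """Collect query, oauth_* and (form-encoded only!) body parameters, sort, join.

    A JSON or XML body never enters this function, so it is never covered by the signature.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    if content_type.split(";")[0].strip().lower() == FORM:
        params += parse_qsl(body.decode(), keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def _hmac_sha1_b64(key: bytes, base: str) -> str:
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign(method, url, consumer_key, consumer_secret, body=b"", content_type="",
         token="", token_secret="", timestamp=None, nonce=None):
    """Client side: build the Authorization header. Two-legged means token/token_secret stay empty."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    if token:  # three-legged only; omitted in the two-legged case the answer describes
        oauth["oauth_token"] = token
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # "secret&" with no token secret
    oauth["oauth_signature"] = _hmac_sha1_b64(key, signature_base_string(method, url, oauth, body, content_type))
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization(header: str) -> dict:
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    out = {}
    for part in header[len("OAuth "):].split(","):
        k, _, v = part.strip().partition("=")
        out[k] = unquote(v.strip('"'))
    return out


def verify(method, url, authorization, consumer_secrets, body=b"", content_type="", now=None, max_skew=300):
    """Server side: recompute the signature over the request as received, compare in constant time."""
    try:
        params = parse_authorization(authorization)
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    secret = consumer_secrets.get(params.get("oauth_consumer_key", ""))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs((now if now is not None else time.time()) - ts) > max_skew:
        return False
    # A real server also keeps a per-consumer nonce cache so a captured request cannot be replayed inside max_skew.
    expected = _hmac_sha1_b64(f"{pct(secret)}&".encode(), signature_base_string(method, url, params, body, content_type))
    return hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode())


def demo() -> dict:
    """Constructed partner requests: JSON body vs form body, to show the answer's caveat."""
    consumer_secrets = {"partner-42": "s3cr3t"}  # constructed sample consumer key/secret
    url = "https://api.example.com/orders?expand=items"
    json_hdr = sign("POST", url, "partner-42", "s3cr3t", b'{"amount": 10}', "application/json")
    form_hdr = sign("POST", url, "partner-42", "s3cr3t", b"amount=10", FORM)
    return {
        "json_ok": verify("POST", url, json_hdr, consumer_secrets, b'{"amount": 10}', "application/json"),
        # the caveat: a rewritten JSON body still verifies, because it was never in the base string
        "json_tampered_still_verifies": verify("POST", url, json_hdr, consumer_secrets, b'{"amount": 1000000}', "application/json"),
        "form_ok": verify("POST", url, form_hdr, consumer_secrets, b"amount=10", FORM),
        "form_tampered_verifies": verify("POST", url, form_hdr, consumer_secrets, b"amount=1000000", FORM),
        "query_tampered_verifies": verify("POST", url + "&admin=1", form_hdr, consumer_secrets, b"amount=10", FORM),
        "wrong_secret_verifies": verify("POST", url, form_hdr, {"partner-42": "other"}, b"amount=10", FORM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the query string, the oauth_* parameters and a form-encoded body go into the base string, so a JSON or XML body can be rewritten in transit without invalidating the signature; in practice that means running this over TLS anyway, or signing a hash of the body (the OAuth Request Body Hash extension's `oauth_body_hash` parameter), at which point the answer's HTTPS + Basic Auth suggestion starts to look simpler.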