What is the best authentication method for web service

Question

What is the best authentication method for web service

We have a .NET web services API. People currently use the SOAP definition to use the API because we require authentication through a custom authentication element in the SOAP header. Works great. OK.

SOAP requires the request to be POST. We want to allow users to use the GET verb (so it can be cached).

So, what is the best way to offer a simple GET API (it’s not necessary to be a web service!) That also offers authentication?

Example API Route:

http://www.blah.com/api/Search?query=Foo

Is this an acceptable and common practice?

http://www.blah.com/api/Search?query=Foo&Key=<some guid>

NOTE. I also do not want to implement SSL and do not install additional software or plugins in IIS, etc. etc.

+6

authentication .net web-services

Pure.Krome Nov 07 '08 at 1:12

source share

5 answers

tvanfosson · Answer 1 · 2008-11-07T03:37:56+0000

If the web service is to be protected, and I assume that it exists, since you currently have an authentication header, then you should reconsider using GET and not use SSL, at least for the authentication part. At a minimum, I would put an authorization request via SSL in a web service / application. If you do not want to provide authentication for each request, you will need to accept back (and generate in the service) an authorization cookie, which the consumer can use for subsequent requests.

I would not use authentication in the URL for the very reason that you want to support GET - if the URL can be cached, then the credentials will also be cached. This violates the security of the web service because anyone can reuse cached credentials.

Thomas Eyde · Answer 2 · 2008-12-24T13:45:23+0000

If your clients are in the same domain, you can enable integrated Windows authentication in your IIS application. Now your application will only accept authenticated Windows users. Add your own RoleProvider for finer, role-based detail.

Vincent · Answer 3 · 2008-12-23T12:50:21+0000

Using only the GET API, I will have the first method that retrieves the unique session identifier.

For example: GET / api? action = auth & username = user & password = hashedpassword Would return a 16 character token that you store on your side, and you need this unique token for each subsequent call.

If the API was executed in PHP, you can use its PHP session processing functions to achieve this goal (it has a timeout / garbage collection). Similar features exist in ASP.NET.

It is vulnerable to re-attack (someone captures or guesses the session identifier), but if you need something simple, this is the way to go. Any non-HTTPS website will be vulnerable in the same way. You can associate a session ID with a user's IP address for added security.

khebbie · Answer 4 · 2008-12-24T08:55:18+0000

If you use WCF, you can use the built-in security mechanisms. If you do not want to use a standard framework for security, you are most likely to do security through obscurity.

Rob fuller · Answer 5 · 2008-12-24T15:21:47+0000

Like Thomas Aid, answer: you can use a single login system, such as siteminder, to protect the URL. The caller requests the need to include a token, which is usually stored in a cookie, but can be added to the query string.

Any SSO or web service management platform will intentionally make authentication difficult if it does not use SSL.

What is the best authentication method for web service

More articles: