0

I'm constructing an application with 2 sides: client (iPhone) and Server (PHP). Communication using https. The mobile phone gets a 4SQ access token. Then, it sends that token to the server, and the server will make 4SQ API calls using it. My question is about how to send this token.

My idea was to include the token in the HTTP Authentication request's header, but after reading about basic/digest authentication, I suspect it isn't the way of doing it. Actually, the calls to 4SQ API are done using a request parameter

oauth_token=ACCESS_TOKEN

instead of putting the token in Authentication header, or any other place. I'm sure there's a good reason for that, but I can't find it.

Then, which option is the best?

  • Phone sends token to PHP server as request parameter, like 4SQ does
  • Phone sends token to PHP server in Authentication header (which kind oh authentication is?)
  • Any other way

Many thanks in advance, and best regards

Jorge Arévalo
  • 2,858
  • 5
  • 36
  • 44
  • I forgot to mention something. The server produce a JSON output and sends it to the client. No HTML/XML involved at any point. – Jorge Arévalo Apr 26 '12 at 15:31

1 Answers1

1

I think the most secure and reasonable way would be a HTTPS POST. When the token is part of the query string in a HTTPS request, it is also encrypted. But it will appear clear text in the server log, or, when a browser is used, it could also appear in the browser history. Depending on the HTTP helper library, it could also log the HTTPS URL, when, for example, a request fails.

In my eyes, sending the token in the Authentication header would be strange, since it is not used for authentication between the server and the client.

diewie
  • 754
  • 4
  • 8
  • Mmmm... I see your point, but I'll put more context: I'm constructing a 4SQ mashup. One server that comunicates with 4SQ on behalf of a user and that provides a REST API to iPhone/Android clients. When those clients sign up, they send their 4SQ token to the server. How do I send this token? HTTP Authentication header? You're right: it's not used for authentication, is just a "here is my 4SQ token, use it in my name". Sending it as POST variable is a better, or more correct, approach? – Jorge Arévalo Apr 28 '12 at 21:24
  • Apart from that, I have another problem. The only authentication-related thing I want the clients to send to my server is the 4SQ token, when they sign-up. Nothing more. I don't really want to deal with user/password issues. If one client sends my server a valid 4SQ token, the server trusts it. That's my approach. With this approach, I'd need the 4SQ token in every client-server request. I thought to generate a second token in my server, based on the 4SQ token, and use it instead the 4SQ one. But I don't know which method use to generate this second token, or if that is conceptually correct... – Jorge Arévalo Apr 28 '12 at 21:37
  • When you do not need to save anything for a user, it is perhaps the best solution to send the Foursquare token with every request. Else, you could generate a unique id for a user and save the OAuth token alongside with this id (e.g. http://php.net/manual/de/function.uniqid.php). In that case, an attacker could abuse your API and not directly access your user's Foursquare account. – diewie May 02 '12 at 13:19