1

I authorize all REST API requests by checking token in Authorization header:

POST /rest/resource HTTP/1.1
Host: domain.com
Authorization: Bearer AbCdEf123456

The token is plain text, using HTTPS. However, the token is salted and hashed in the database.

How could I authenticate the request?

  • send also user id to the server, select token hash for this user from the database, check if the token is correct (issue with sending user id - where to put it)
  • check if some hash in the database corresponds to the token received from the user (performance issue)

There must be some elegant way since for example for google maps the "API key" (token) is sufficient.

Petr B
  • 519
  • 2
  • 6
  • 15

1 Answers1

0

Use JWT (JSON Web Token) as authorization bearer. JWT can have user id in the payload. You can also easily verify if JWT was issued by trusted party (probably you). The good thing is that you can verify JWT without reading values form database. It is completely stateless.

This is simple explanation how JWT works: http://www.intridea.com/blog/2013/11/7/json-web-token-the-useful-little-standard-you-haven-t-heard-about

You can find library for JWT for almost any language (just google it)

Piotr Bochynski
  • 382
  • 2
  • 9
  • That looks really good. Appart from the fact, that the hash is reallyyyy long. I still don't understand how Google does it with only "short" API key. – Petr B Oct 16 '14 at 06:10
  • API key is something different. It is just identifier of your client. But it is not used for authentication or authorization. You cannot use API key for secure access to your data (for example to read your contacts). For such operation you need to get access token which probably is stored somewhere (and require lookup on server side). – Piotr Bochynski Oct 22 '14 at 10:11