Questions tagged [restful-authentication]

Questions about authentication for RESTful services.

Services designed using REpresentational State Transfer architecture must often authenticate clients. How best to do this can be a complex topic, as in true REST each client request to the server will contain all the information necessary to complete it (including authentication).

1447 questions
71 votes, 4 answers

AngularJS Authentication + RESTful API

Angular+RESTful Client-side Communication w/ API for Auth/(re)Routing This has been covered in a few different questions, and in a few different tutorials, but all of the previous resources I've encountered don't quite hit the nail on the head. In…
69 votes, 4 answers

Securing my Node.js app's REST API?

I could do with some help on my REST API. I'm writing a Node.js app which is using Express, MongoDB and has Backbone.js on the client side. I've spent the last two days trying to work out all of this and not having much luck. I've already checked…
littlejim84
59 votes, 5 answers

What does #self.included(base) do in Ruby on Rails' Restful Authentication?

I thought we would do helper_method :current_user, :logged_in?, :authorized? to make these controller methods available for use as helper methods in views. But in Restful Authentication's lib/authenticated_system.rb, I see: # Inclusion hook to make…
nonopolarity
49 votes, 2 answers

What status code should I use when session token is invalid?

When creating a web service (RESTful), what status code should I use when session token is invalid? Currently the one in my company sends me a 404, not found, but I think this is not correct, because the resource exists. Maybe I should use 401…
Ricardo
43 votes, 4 answers

Restful web service authentication

I have a Restful web service API, that is being used by different 3rd parties. Part of that API is restricted (you need username/password to access it). I was wondering what would be the best way of implementing authentication? I'm using https, so…
kevin
41 votes, 5 answers

Securing REST API using custom tokens (stateless, no UI, no cookies, no basic authentication, no OAuth, no login page)

There are lots of guidelines and code samples that show how to secure a REST API with Spring Security, but most of them assume a web client and talk about login pages, redirection, using cookies, etc. Maybe even a simple filter that checks for the custom…
40 votes, 12 answers

Simple way of turning off observers during rake task?

I'm using restful_authentication in my app. I'm creating a set of default users using a rake task, but every time I run the task an activation email is sent out because of the observer associated with my user model. I'm setting the activation…
37 votes, 2 answers

What is the most common way to authenticate a modern web app?

I'm writing a web app (REST API) using Spring, Spring Security. Right now I have Basic authentication and a really straightforward authorization using username, password and roles. I want to improve the security layer but I have no experience with…
35 votes, 4 answers

User/Pass Authentication using RESTful WCF & Windows Forms

What is the best approach to implementing authorisation/authentication for a Windows Forms app talking to an IIS-hosted RESTful WCF Service? The reason I ask is I am very confused, after sifting through different articles and posts expressing a…
GONeale
35 votes, 5 answers

How to Secure CouchDB

CouchDB access as a REST service seems insecure. Anyone can hit the database and delete/add documents once it is exposed. What strategies are there to secure CouchDB?
steveolyo
34 votes, 4 answers

How to assign basic authentication header to XMLHTTPREQUEST?

I've read many answers of preflight and CORS so please do not post links referencing what I should read. Many of the answers are from a server-perspective, but I am the client in this case. Do I set the origin header? My assumption is that this is a…
carrots
34 votes, 2 answers

Why does Django REST Framework provide different Authentication mechanisms

Why does Django REST Framework implement a different Authentication mechanism than the built-in Django mechanism? To wit, there are two settings classes that one can configure: settings.AUTHENTICATION_BACKENDS which handles the Django-level…
34 votes, 3 answers

ASP.net Web API RESTful web service + Basic authentication

I'm implementing a RESTful web service using ASP.Net Web Api. I have concluded to use Basic authentication + SSL to do the authentication part. What is the best/correct way to implement that? My first attempt was to do it manually, parsing the…
alfoks
34 votes, 3 answers

Secured RESTful API that can be used by Web App (angular), iOS and Android

I have to lay out a plan to develop a RESTful API (Python/Flask) that could be used by our future web app (Angularjs) and mobile apps (iOS/Android). I have been researching for three days and have come across several scenarios: Using HTTPS is one…
Houman
30 votes, 2 answers

Dealing with expired access tokens in OAuth2 implicit grant

The specification of OAuth2 states that an authorization server must not issue a refresh token when using implicit grant. In our use case we protect a RESTful API with OAuth2 and use a Single Page Javascript application as a client for this API. As…