
I've searched for a while now but couldn't find anything related to my thoughts. I want to build an application with WPF which gets all user-related information by sending requests to a PHP script. For every request I use SSL.

When the user registers he only submits his username, password and email address. The password is always stored as a hash in the application using SHA-256, and this hash is stored as another hash using password_hash in PHP.

After the login the application sends a request based on the user's action. To verify each request I came across OAuth2. Is OAuth2 the "best practice" to verify requests, or is there another way to do it? It is necessary to verify each request after the login.

wHaT

2 Answers


OAuth is probably going to be your best bet. Being able to validate requests and revoke tokens is key when working within applications nowadays. Many of the top websites, Facebook, Twitter, Instagram, etc. all use OAuth due to its robust authentication and flexibility.

For my company, we have custom-built APIs and utilize OAuth for all of them. Even though they are private APIs, OAuth gives us the ability to push for public use later if we so pleased.

Not sure exactly what your project is or how it functions, and quite frankly, I don't need to. In my opinion, you cannot go wrong utilizing OAuth.

RhapX

There are two common ways of securing an API request:

  • Basic authentication. A header of the form

    Authorization: Basic base64(username:password)
    

    is sent along with every request. This is simple to implement, but also simple to attack; you absolutely must be sending the requests over HTTPS (since no encryption is being used).

  • Some form of OAuth. You might use the password grant type for a scenario like yours: you send the username and password to the OAuth server and request an access token that can be used on each request. This is more secure, and more complicated, because you have to implement a token server.

What you choose depends on a lot of factors, like whether your service is internal or external, how much complexity you want to build into the project, and who the target users are.

Further reading:

Full disclosure: I work at a company that builds an API for this.

Nate Barbettini
  • It is a learning process where I want to learn the best practice. Because basic authentication is too easy and not that secure I will give OAuth a try. Now I will do a lot of research and see if I can get into this. – wHaT Aug 06 '15 at 00:46
  • If you've never done any authentication-layer stuff before, implementing Basic on both sides would be a great exercise. Then you can move on to more advanced stuff. – Nate Barbettini Aug 06 '15 at 01:12
  • Thanks for the advice. I will first implement Basic to see how it works. – wHaT Aug 06 '15 at 12:28
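As an added, runnable illustration of the two answers above (this is not code from the question or from either answer), here is a small Python stand-in for the PHP backend and the WPF client. It implements the question's storage scheme (the client sends sha256(password); the server hashes that again with a salted, slow KDF, where PBKDF2 is an assumed stand-in for PHP's password_hash), the Basic scheme from the second answer (parsing and verifying Authorization: Basic on every request), and a password-grant style flow: credentials are exchanged once for an opaque bearer token that is checked, expires, and can be revoked, which is the property the first answer is pointing at. The in-memory dicts, the user "alice", the password and TOKEN_TTL are all constructed for the example; a real deployment would use a database and a proper OAuth2 library.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # seconds an access token stays valid (assumed value)


# --- Client side (what the WPF app would do) --------------------------------

def client_side_hash(password: str) -> str:
    """The question's scheme: the app sends sha256(password), not the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_basic_header(username: str, secret: str) -> str:
    """Authorization: Basic base64(username:secret). Base64 only encodes; TLS is mandatory."""
    return "Basic " + base64.b64encode(f"{username}:{secret}".encode("utf-8")).decode("ascii")


# --- Server side (stands in for the PHP script) -----------------------------

def server_hash(client_hash: str, salt: bytes) -> bytes:
    """Assumed stand-in for PHP password_hash(): salted, slow PBKDF2 over the client hash.
    The client-side SHA-256 value is the effective password and is never stored as-is."""
    return hashlib.pbkdf2_hmac("sha256", client_hash.encode("utf-8"), salt, 100_000)


def register(users: dict, username: str, client_hash: str) -> None:
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": server_hash(client_hash, salt)}


def verify_password(users: dict, username: str, client_hash: str) -> bool:
    rec = users.get(username)
    if rec is None:
        server_hash(client_hash, b"\x00" * 16)  # same cost for unknown users (timing)
        return False
    return hmac.compare_digest(server_hash(client_hash, rec["salt"]), rec["hash"])


def parse_basic_header(header: str):
    """Return (username, secret) from a Basic header, or None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, secret = decoded.partition(":")
    if not sep or not username:
        return None
    return username, secret


def _token_key(token: str) -> str:
    # Store only a hash of the token so a leaked token table is not a list of live credentials.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(users: dict, tokens: dict, username: str, client_hash: str, now=None):
    """Password-grant style exchange: credentials in, opaque bearer token out."""
    if not verify_password(users, username, client_hash):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    tokens[_token_key(token)] = {"user": username, "exp": now + TOKEN_TTL}
    return token


def authenticate_bearer(tokens: dict, header: str, now=None):
    """Check 'Authorization: Bearer <token>' on each request; returns the user or None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    rec = tokens.get(_token_key(token))
    if rec is None:
        return None
    now = time.time() if now is None else now
    if now >= rec["exp"]:
        tokens.pop(_token_key(token), None)  # expired: drop it
        return None
    return rec["user"]


def revoke_token(tokens: dict, token: str) -> bool:
    """Logout or compromise handling: a revoked token fails on the very next request."""
    return tokens.pop(_token_key(token), None) is not None


if __name__ == "__main__":
    users, tokens = {}, {}
    h = client_side_hash("correct horse battery staple")  # constructed sample credential
    register(users, "alice", h)
    print("basic ok:", verify_password(users, *parse_basic_header(make_basic_header("alice", h))))
    tok = issue_token(users, tokens, "alice", h)
    print("bearer user:", authenticate_bearer(tokens, "Bearer " + tok))
    print("revoked:", revoke_token(tokens, tok), "still valid:", authenticate_bearer(tokens, "Bearer " + tok))
```

The shape carries over directly to the PHP side: register with password_hash over the received SHA-256 value, check Basic with password_verify on every request, or, for the token route, store a hash of each issued token with its expiry and look it up on each request. Whichever you pick, the Basic header is only base64, so it must never travel outside TLS, and the client-side SHA-256 does not replace server-side hashing: whatever the client sends is the secret an attacker needs, so the server must still store it salted and slow.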