
What is the best way to authenticate clients that use my private REST API? I will not be opening this to the outside public. Is there an easy and secure way to do this?

Note: I'm running SSL already. I've looked at HTTP Basic Auth over SSL, but I don't want to ask the user to send the password every time, and it seems not good practice to store the user/pass in the client to be sent automatically.

Any ideas or best practices?

mskw

My suggestion is to use api keys, that can be easily revoked and the client can be updated quickly. Any authentication method that the client has such as username and password can be read by anyone who has the client. Look into how google, facebook or twitter secure their apis as a reference. – Marko Nov 24 '15 at 22:42

2 Answers

You can use the most adopted authentication approach, which is OAuth. You select the best suited one between OAuth 1.0a and OAuth 2.0.

Here is a comparison between the above two ways: How is OAuth 2 different from OAuth 1?

Madhusudan Joshi

There are several levels to implement security / authentication in RESTful services:

  • Basic authentication. Username and password are sent for each call within the Authentication header encoded with base64.
  • Token-based authentication. This implies a dedicated authentication resource that will provide a temporary token based on credentials. Once received, there is no need to use the credentials again, since this resource also gives a refresh token to obtain a new authentication token when the previous one has expired.
  • OAuth2. It provides different flows according to the use cases. It allows the end user to authenticate through a third-party provider (google, facebook, ...). The application doesn't manage username / password (and doesn't even know the password). The drawback of this technology is that it provides high-level hints and it's not so simple to implement.

Here are some links that could provide you some additional hints:

Hope it helps you, Thierry

Thierry Templier
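The token-based scheme described in the answer above (credentials presented once to a dedicated authentication resource, which hands back a short-lived access token plus a refresh token) and the revocability Marko asks for in the comment on the question can both be shown in a few dozen lines. The following is an added Python example, not code from either answer or from any particular framework; the user store, the salt, the `alice` account and the TTL values are constructed for the example, and the storage is in-memory where a real service would use a database.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store. Only a PBKDF2 hash of the password is kept;
# the plaintext never needs to exist on the server after the user set it.
_SALT = b"constructed-example-salt"       # per-user salts in a real store
_KDF_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _KDF_ITERATIONS)


USERS = {"alice": _hash_password("correct horse")}   # constructed sample user

ACCESS_TTL = 900            # seconds an access token stays valid
REFRESH_TTL = 7 * 86400     # seconds a refresh token stays valid

# Tokens are opaque random strings. The server stores only their SHA-256, so a
# dump of these tables does not yield usable tokens. Value: (username, expiry).
_access: dict = {}
_refresh: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _issue(store: dict, username: str, ttl: int, now: float) -> str:
    token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
    store[_digest(token)] = (username, now + ttl)
    return token


def basic_header(user: str, password: str) -> str:
    """Build the client-side 'Authorization: Basic ...' value for a login call."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def login_basic(authorization_header: str, now: float = None) -> dict:
    """The authentication resource: one Basic credential presentation in,
    an access/refresh token pair out. Returns None on any failure."""
    now = time.time() if now is None else now
    scheme, _, value = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(value, validate=True).decode().partition(":")
    except ValueError:                        # bad base64 or non-UTF-8 payload
        return None
    stored = USERS.get(user)
    # Run the KDF even for unknown users so response time does not reveal which
    # usernames exist; compare in constant time.
    candidate = _hash_password(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return {"access_token": _issue(_access, user, ACCESS_TTL, now),
            "refresh_token": _issue(_refresh, user, REFRESH_TTL, now)}


def authenticate(authorization_header: str, now: float = None) -> str:
    """Resolve 'Authorization: Bearer <token>' on an API call to a username,
    or None if the token is missing, unknown, revoked or expired."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    key = _digest(token)
    entry = _access.get(key)
    if entry is None:
        return None
    user, expiry = entry
    if now >= expiry:
        del _access[key]                      # lazily purge expired entries
        return None
    return user


def refresh(refresh_token: str, now: float = None) -> dict:
    """Exchange a refresh token for a new pair. The refresh token is single-use:
    it is consumed here, so a replayed copy is rejected."""
    now = time.time() if now is None else now
    entry = _refresh.pop(_digest(refresh_token), None)
    if entry is None:
        return None
    user, expiry = entry
    if now >= expiry:
        return None
    return {"access_token": _issue(_access, user, ACCESS_TTL, now),
            "refresh_token": _issue(_refresh, user, REFRESH_TTL, now)}


def revoke_user(username: str) -> int:
    """Revocation: drop every live token for a user (e.g. a client device was
    lost). Returns how many tokens were invalidated."""
    count = 0
    for store in (_access, _refresh):
        for key in [k for k, (u, _) in store.items() if u == username]:
            del store[key]
            count += 1
    return count
```

The point this makes concrete is the trade the answer describes: the password crosses the wire once, the client then holds only a short-lived access token and a longer-lived refresh token, and because the server keeps the tokens (hashed) in its own table, revoking a compromised client is a delete rather than a password reset. The `now` parameter exists only so the expiry behaviour can be exercised deterministically.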