Securing REST API without reinventing the wheel

When designing REST API is it common to authenticate a user first?

The typical use case I am looking for is:

• User wants to get data. Sure cool we like to share! Get a public API key and read away!
• User wants to store/update data... woah wait up! who are you, can you do this?

I would like to build it once and allow say a web-app, an android application or an iPhone application to use it.

A REST API appears to be a logical choice with requirements like this

To illustrate my question I'll use a simple example.

I have an item in a database, which has a rating attribute (integer 1 to 5).

If I understand REST correctly I would implement a GET request using the language of my choice that returns csv, xml or json like this:

http://example.com/product/getrating/{id}/

Say we pick JSON we return:

{
  "id": "1",
  "name": "widget1",
  "attributes": { "rating": {"type":"int", "value":4} }
}

This is fine for public facing APIs. I get that part.

Where I have tons of question is how do I combine this with a security model? I'm used to web-app security where I have a session state identifying my user at all time so I can control what they can do no matter what they decide to send me. As I understand it this isn't RESTful so would be a bad solution in this case.

I'll try to use another example using the same item/rating.

If user "JOE" wants to add a rating to an item

This could be done using:

http://example.com/product/addrating/{id}/{givenRating}/

At this point I want to store the data saying that "JOE" gave product {id} a rating of {givenRating}.

Question: How do I know the request came from "JOE" and not "BOB".

Furthermore, what if it was for more sensible data like a user's phone number?

What I've got so far is:

1. Use the built-in feature of HTTP to authenticate at every request, either plain HTTP or HTTPS.

This means that every request now take the form of:

https://joe:[email protected]/product/addrating/{id}/{givenRating}/

2) Use an approach like Amazon's S3 with private and public key: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

3. Use a cookie anyway and break the stateless part of REST.

The second approach appears better to me, but I am left wondering do I really have to re-invent this whole thing? Hashing, storing, generating the keys, etc all by myself?

This sounds a lot like using session in a typical web application and rewriting the entire stack yourself, which usually to me mean "You're doing it wrong" especially when dealing with security.

EDIT: I guess I should have mentioned OAuth as well.

Don't worry about being "RESTful", worry about security. Here's how I do it:

Step 1: User hits authentication service with credentials.

Step 2: If credentials check out, return a fingerprint, session id, etc..., and pop them into shared memory for quick retrieval later or use a database if you don't mind adding a few milliseconds to your web service turnaround time.

Step 3: Add an entry point call to the top of every web service script that validates the fingerprint and session id for every web service request.

Step 4: If the fingerprint and session id aren't valid or have timed out redirect to authentication.

READ THIS:

https://stackoverflow.com/questions/319530/restful-authentication

Edit 5 years later

Use OAuth2!

Previous version

No, there is absolutely no need to use a cookie. It's not half as secure as HTTP Digest, OAuth or Amazon's AWS (which is not hard to copy).

The way you should look at a cookie is that it's an authentication token as much as Basic/Digest/OAuth/whichever would be, but less appropriate.

However, I don't feel using a cookie goes against RESTful principles per se, as long as the contents of the session cookie does not influence the contents of the resource you're returning from the server.

Cookies are evil, stop using them.

Edit 3 years later

I completely agree with Evert, use OAuth2 with HTTPS, and don't reinvent the wheel! :-)

By simpler REST APIs - not meant for 3rd party clients - JSON Web Tokens can be good as well.

Previous version

> Use a cookie anyway and break the stateless part of REST.

Don't use sessions, with sessions your REST service won't be well scalable... There are 2 states here: application state (or client state or session s) and resource state. Application state contains the session data and it is maintained by the REST client. Resource state contains the resource properties and relations and is maintained by the REST service. You can decide very easy whether a particular variable is part of the application state or the resource state. If the amount of data increases with the number of active sessions, then it belongs to the application state. So for example user identity by the current session belongs to the application state, but the list of the users or user permissions belongs to the resource state.

So the REST client should store the identification factors and send them with every request. Don't confuse the REST client with the HTTP client. They are not the same. REST client can be on the server side too if it uses curl, or it can create for example a server side http only cookie which it can share with the REST service via CORS. The only thing what matters that the REST service has to authenticate by every request, so you have to send the credentials (username, password) with every request.

• If you write a client side REST client, then this can be done with SSL + HTTP auth. In that case you can create a credentials -> (identity, permissions) cache on the server to make authentication faster. Be aware of that if you clear that cache, and the users send the same request, they will get the same response, just it will take a bit longer. You can compare this with sessions: if you clear the session store, then users will get a status: 401 unauthorized response...
• If you write a server side REST client and you send identification factors to the REST service via curl, then you have 2 choices. You can use http auth as well, or you can use a session manager in your REST client but not in the REST service.
• If somebody untrusted writes your REST client, then you have to write an application to authenticate the users and to give them the availability to decide whether they want to grant permissions to different clients or not. Oauth is an already existing solution for that. Oauth1 is more secure, oauth2 is less secure but simpler, and I guess there are several other solution for this problem... You don't have to reinvent this. There are complete authentication and authorization solutions using oauth, for example: the wso identity server.

Cookies are not necessarily bad. You can use them in a RESTful way until they hold client state and the service holds resource state only. For example you can store the cart or the preferred pagination settings in cookies...