Security of REST authentication schemes

by

A previous answer only mentioned SSL in the context of data transfer and didn’t actually cover authentication.

You’re really asking about securely authenticating REST API clients. Unless you’re using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant for most REST APIs because you really want to authenticate the client.

If you don’t use TLS client authentication, you’ll need to use something like a digest-based authentication scheme (like Amazon Web Service’s custom scheme) or OAuth 1.0a or even HTTP Basic authentication (but over SSL only).

These schemes authenticate that the request was sent by someone expected. TLS (SSL) (without client authentication) ensures that the data sent over the wire remains untampered. They are separate – but complementary – concerns.

For those interested, I’ve expanded on an SO question about HTTP Authentication Schemes and how they work.

More Related Contents:

  1. RESTful Authentication
  2. S3 REST API and POST method
  3. Place API key in Headers or URL
  4. RESTful URL design for search
  5. What is the proper REST response code for a valid request but an empty data?
  6. Amazon S3 direct file upload from client browser – private key disclosure
  7. HTTP response code for POST when resource already exists
  8. XDebug and RESTful server using PHPStorm or POSTman
  9. REST Complex/Composite/Nested Resources [closed]
  10. What is the advantage of using REST instead of non-REST HTTP?
  11. What are the main differences between JWT and OAuth authentication?
  12. What is REST? Slightly confused [closed]
  13. Transactions across REST microservices?
  14. Designing URI for current logged in user in REST applications
  15. RESTful Services – WSDL Equivalent
  16. Unable to upload zip file through karate framework
  17. What’s the best RESTful method to return total number of items in an object?
  18. Firefox Add-on RESTclient – How to input POST parameters?
  19. Spring 4 RestController JSON: characteristics not acceptable according to the request “accept” headers
  20. Jersey with Struts2 [duplicate]
  21. REST API Authentication
  22. Should I use Singular or Plural name convention for REST resources?
  23. How to download excel (.xls) file from API in postman?
  24. Where can I find jenkins restful api reference? [closed]
  25. Is it correct to return 404 when a REST resource is not found?
  26. REST API for website which uses Facebook for authentication
  27. When is it appropriate to respond with a HTTP 412 error?
  28. Websocket vs REST when sending data to server
  29. ‘Best’ practice for restful POST response
  30. Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

Leave a Comment