So, I’ve been doing some research for some security stuff I’ve got coming up, and I’m looking at how to handle authentication for a RESTy HTTP API.
I’ve heard good things about OAuth2 (which sounds like overkill for my needs), and some about JSON Web Tokens, and a few other things. I’ll Google my way to success there.
What I don’t have are horror stories or “oh god we should’ve never done that” about this sort of thing. Would anybody here be brave/willing enough to share some hard-earned experience on the matter?
It’s usually more useful to know what failed than what happened to work.
Context: Embedded enterprise deployment, no network access to outside (for the sake of argument), integration with existing LDAP stuff (done and working), no required integration with other web servers.