1. 10

So, I’ve been doing some research for some security stuff I’ve got coming up, and I’m looking out how to handle authentication for a RESTy HTTP API.

I’ve heard good things about OAuth2 (which sounds like overkill for my needs), and some about JSON Web Tokens, and a few other things. I’ll Google my way to success there.

What I don’t have are horror stories or “oh god we should’ve never done that” about this sort of thing. Would anybody here be brave/willing enough to share some hard-earned experience on the matter?

It’s usually more useful to know what failed than what happened to work.

Context: Embedded enterprise deployment, no network access to outside (for the sake of argument), integration with existing LDAP stuff (done and working), no required integration with other web servers.

  1.  

  2. 3

    Valve/Steam recently announced their discontinuation of an Oauth2 api. From my limited experience and what I’ve heard, Oauth* is a convoluted nightmare to implement and to use. And from your description it’s probably the wrong tool for the job - its purpose is cross-application authorization, not so much end user connections.

    (Short and quick response from my phone)

    1. 4

      OAuth 1 is not that bad, but the thing people miss is that OAuth 2 is not a replacement for OAuth 1.0, it’s an “alternative”, an horrible alternative, so much that the lead author and editor asked his name to get removed from the specs.

      If you can find a working server/client implementation of OAuth 1.0, I’d say go for it.

      1. 1

        Unfortunately, in the healthcare space, somebody actually managed to get on the computer and discover OAuth2, and, well, we can all guess the rest.

        Again, I’m looking at alternatives–but I’d really appreciate some war stories from older and greyer beards or beardettes.

    2. 1

      I’ve done OAuth 1, OAuth 2 and JWT. All of them are perfectly usable. So don’t panic, there are no truly bad choices here.

      My one “oh god we should’ve never done that” is implementing the OAuth 1.0 spec by hand. It looks just simple enough that you can, but it’s a pain; it’s less effort to find a working library and plumb it into your framework than try to write your own implementation that’s idiomatic for your HTTP framework. But honestly even that wasn’t such a big deal.