I liked Flickr’s now-deprecated hash-the-params authentication because it was simple (though flawed, it is fixable).
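As an added illustration (not code from this thread or from Flickr's API), assuming the "hash-the-params" scheme takes the form hash(secret || sorted key+value concatenation) with no delimiters: two different parameter sets can produce the same signature, while an HMAC over a delimited, percent-encoded canonical string keeps them distinct and is checked in constant time.

```python
import hashlib
import hmac
from urllib.parse import quote

SECRET = b"example-shared-secret"  # constructed sample value, not a real key

# Two constructed parameter sets that differ in meaning but concatenate identically
# once each (key, value) pair is joined without a delimiter.
PARAMS_A = {"method": "getInfo", "photo_id": "42"}
PARAMS_B = {"methodget": "Info", "photo_id4": "2"}


def naive_sign(params, secret=SECRET):
    """Assumed flawed scheme: hash(secret || k1 v1 k2 v2 ...) with pairs sorted by key.
    Keys and values run together, so the boundary between them is ambiguous."""
    joined = "".join(k + v for k, v in sorted(params.items()))
    return hashlib.md5(secret + joined.encode()).hexdigest()


def canonical(params):
    """Unambiguous encoding: percent-encode every key and value, join with '=' and '&'.
    Because '=' and '&' are never left unencoded inside a key or value, the string
    parses back to exactly one parameter set."""
    return "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )


def hmac_sign(params, secret=SECRET):
    """Keyed MAC over the canonical string; unlike hash(secret || data) it is not
    subject to hash length extension."""
    return hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()


def hmac_verify(params, signature, secret=SECRET):
    """Constant-time comparison so timing does not leak how many bytes matched.
    Replay protection (timestamp/nonce) would be added on top of this check."""
    return hmac.compare_digest(hmac_sign(params, secret), signature)


def demo():
    """Return (naive signatures collide?, hmac signatures collide?)."""
    return (
        naive_sign(PARAMS_A) == naive_sign(PARAMS_B),
        hmac_sign(PARAMS_A) == hmac_sign(PARAMS_B),
    )


if __name__ == "__main__":
    print("naive collision:", demo()[0], "| hmac collision:", demo()[1])
```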
Now it seems like most sites are using OAuth 1.0(a) with some using OAuth 2. I hate the complexity and multiple-round-trips required with OAuth, but it seems like it’s widely supported in most languages so implementation for end-developers isn’t that difficult. Though it looks like the OAuth 2 spec is still changing, so is it not recommended yet? I see a few larger sites are using it like Instagram and Reddit.
What is the latest word in vulnerabilities in OAuth related to implementing an OAuth provider?
Most new APIs I see use OAuth2. Mashape just published a great guide, the OAuth Bible.
Use the OAuth 2.0 Two-legged flow, which is pretty simple. You can also generate keys for developers automatically, so they don’t have to go through the flow for development.
I haven’t really messed with it but maybe Mozilla’s Persona is worth checking out. Here’s a nice little read on some security concerns.
We’ve been debating this on the Diaspora loomio… we’ve come to the general consensus that Persona is not a scalable solution for persistently logged-in user accounts. But a public site like HN might benefit from it, because they wouldn’t need to keep track of passwords (and hash them, keep up to date w/security, etc.) anymore.
Also, I really like how GitHub has Basic HTTP auth with your API key and username, as well as OAuth capabilities.
While I’m a huge fan of Persona, I don’t think it’s viable for API authentication. Persona is all about website authentication and assumes that a human will be logging in via a browser.