0

I have a REST API and to make it more secure I would like to restrict access to registered applications or websites only.

Now these client applications could be web apps or mobile apps under Android/Windows/BlackBerry/Apple etc.

Also I can't ask the client apps to modify their code to store any value provided by my REST API to get registered (as these apps may or may not be using a database or other persistent media).

The WCF REST API should know whether the caller is registered with it or not.

Any suggestions on how to do it?

Anil Purswani

1 Answer

2

Using HTTP Basic Authentication (as long as your REST service is running under HTTPS) is a pretty standard way to do this. You then generate a login/password for each registered app that you want to access your API.

[EDIT: more details here: http://en.wikipedia.org/wiki/Basic_access_authentication

Basically, when a client connects it needs to Base64-encode its username/password and attach it in the standard HTTP Authorization header. Your server application reads the header, decodes and extracts the username/password and checks it against your list of authorized applications.

NOTE - the header is only Base64-encoded, so the username/password are effectively plain text. You really should be running HTTPS if you want to use this authentication method, otherwise the header is open to interception.]

steve cook
  • Even though the REST service is running under HTTPS, our mobile app needs to pass it in the header, and to do that the username/password need to be stored in the package... which can be decompiled and is subject to a security threat... – Anil Purswani Jul 30 '13 at 05:06
  • 1
    If you are distributing an app that needs to access the service, it's still open to being hacked, no matter what authentication/authorisation mechanism you use. That being said, a lot of web apps require two levels of authentication - one being the app key, and one being a unique username for each user. You can either combine them into a single pass-key, or have a REST call that you pass a username/password/appkey combination and returns a unique ticket that is required for subsequent calls. – steve cook Jul 30 '13 at 16:33
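The header handling the answer describes (client Base64-encodes `username:password`, server decodes it and checks it against a list of registered apps), as an added example that is not from the question, the answer or WCF itself. It is written in Python rather than C# so the logic is easy to read; the registry of apps, the app name `mobile-app` and its password are constructed values. Two details go beyond the answer's text: the server stores a salted PBKDF2 hash of each app's password instead of the plaintext, and the comparison is constant-time. Malformed headers (wrong scheme, invalid Base64, no colon) are rejected rather than raising.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed registry: app id -> (salt, PBKDF2 hash of the app's password).
# This lives on the server; the client package only holds its own credentials.
PBKDF2_ITERATIONS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked registry does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_app(registry: dict, app_id: str, secret: str) -> None:
    """Server side: generate and store credentials for one registered app."""
    salt = os.urandom(16)
    registry[app_id] = (salt, _hash_secret(secret, salt))


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Authorization header a registered app sends.
    Base64 is an encoding, not encryption, which is why HTTPS is required."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Server side: return (username, password) or None if the header is
    missing, uses another scheme, is not valid Base64, or has no ':'."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return username, password


def authenticate(registry: dict, header) -> "str | None":
    """Return the app id if the header carries valid credentials, else None."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    app_id, secret = creds
    entry = registry.get(app_id)
    if entry is None:
        # Do the same amount of work for unknown ids so response time
        # does not reveal which app ids are registered.
        _hash_secret(secret, b"\x00" * 16)
        return None
    salt, expected = entry
    if hmac.compare_digest(_hash_secret(secret, salt), expected):
        return app_id
    return None


if __name__ == "__main__":
    apps = {}
    register_app(apps, "mobile-app", "s3cret-app-password")  # constructed credentials
    header = build_basic_header("mobile-app", "s3cret-app-password")
    print(header)  # Basic bW9iaWxlLWFwcDpzM2NyZXQtYXBwLXBhc3N3b3Jk
    print(authenticate(apps, header))  # mobile-app
    print(authenticate(apps, build_basic_header("mobile-app", "wrong")))  # None
```

In a WCF service the same check would run in a message inspector or `ServiceAuthorizationManager` over `WebOperationContext.Current.IncomingRequest.Headers["Authorization"]`, returning 401 with `WWW-Authenticate: Basic` when `authenticate` yields `None`.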