
Authentication and REST

I have implemented a win service. I'd like to extend it to have some features enabled via REST. I have implemented it using WCF rest features and it works as I want. So far so good.

My problem is security and authentication. As I know there is no 'one way' for authentication I have read several articles about it...also here and other forums, blogs over the internet...and I'm totally lost. I have read pros and cons about SSL, OAUTH, HMAC and so on.

The feature I need is to authenticate a user somehow, user name/password would be the best way for me.

These users are coming from internet browsers, but later I plan to have some more clients in the future, like Android or iPhone apps.

So, which do you think the best (and simplest...) way to authenticate a user for a rest protocol?

Thanks!

.Net4/WCF/Visual Studio 2010


So, which do you think the best (and simplest...) way to authenticate a user for a rest protocol?

The simplest RESTful authentication scheme is definitely HTTP basic authentication. Of course, it is not very secure but it can be a first step.

On the server-side, you can do it with zero code, by just setting up an HTTP reverse proxy (Apache, Cherokee or any other).

On the client-side, it is also zero code most of the time (with Java, .Net, jQuery.ajax, plain XMLHttpRequest, etc.).
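To make the Basic-auth suggestion concrete, here is an added example (not code from the answer, from WCF, or from any proxy) showing both ends: the client builds the Authorization header and the server parses it, checks the credential against a salted PBKDF2 hash and answers 401 with a challenge when it fails. The user store, the username and the password are constructed for the example. In a WCF REST operation the same header is available from WebOperationContext.Current.IncomingRequest.Headers, and the status code is set on OutgoingResponse.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def _hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    # Slow, salted hash so a leaked user table does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(credentials):
    """Build {username: (salt, hash)} from plaintext credentials (setup step only)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# Constructed sample user for the example; a real service reads this from its database.
USERS = make_user_store({"alice": "correct horse battery staple"})


def basic_header(username, password):
    """Client side: the value a browser or app puts in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if header_value is None:
        return None
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    # RFC 7617: only the first ':' separates user from password; passwords may contain ':'.
    username, password = decoded.split(":", 1)
    return username, password


def authenticate(header_value, users=USERS):
    """Server side: return the authenticated username, or None."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return None
    username, password = creds
    record = users.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return username
    return None


def handle_request(headers, users=USERS):
    """Return (status, response_headers) the way a REST operation would set them."""
    user = authenticate(headers.get("Authorization"), users)
    if user is None:
        # 401 plus a challenge so clients know Basic auth is expected.
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    return 200, {"X-Authenticated-User": user}
```

The credential travels base64-encoded, not encrypted, on every request, so this only holds up over TLS; the hash comparison goes through hmac.compare_digest and the unknown-user branch still hashes so response timing does not reveal which usernames exist.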


By definition any means of authentication would require per-user state. Even if that state is in the form of a password or API key. But this part of the REST is disregarded by every REST API I have ever used because they all require an API key. Perhaps REST isn't the best option when security is a concern. Browsers are good at keeping track of session ids and using a session id is more secure than an API key because the value expires. Using a session id is a very secure and proven design pattern although it is "less RESTful". However the overhead requirements are quite minimal.


If you want to authenticate over HTTP for HTTP or REST service, just follow what AWS does. It works, it's in production, there are examples of implementation (both the client and server side).

http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html

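The signing scheme in the linked S3 guide, reconstructed as an added example with both sides of the exchange (this is not code from the answer or from AWS): the client builds the StringToSign from the verb, Content-MD5, Content-Type, Date, the sorted x-amz-* headers and the resource, signs it with HMAC-SHA1 under the shared secret and sends "Authorization: AWS keyid:signature"; the server recomputes the same string and compares. The access key id, secret, bucket path and timestamp are constructed, and CanonicalizedResource is simplified to the request path.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed credentials for the example, not real AWS keys.
ACCESS_KEYS = {"AKIAEXAMPLEKEY": b"example-secret-do-not-reuse"}
MAX_CLOCK_SKEW = timedelta(minutes=15)   # S3 rejects requests dated too far from its clock


def canonicalized_amz_headers(headers):
    """Lower-cased, sorted 'x-amz-*' headers, one 'name:value\\n' per header."""
    amz = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith("x-amz-"):
            amz[lname] = " ".join(value.split())   # fold whitespace runs
    return "".join(f"{name}:{amz[name]}\n" for name in sorted(amz))


def string_to_sign(method, path, headers):
    """The S3 StringToSign layout; CanonicalizedResource is simplified here to the path."""
    h = {k.lower(): v for k, v in headers.items()}
    return (
        method + "\n"
        + h.get("content-md5", "") + "\n"
        + h.get("content-type", "") + "\n"
        + h.get("date", "") + "\n"
        + canonicalized_amz_headers(headers)
        + path
    )


def signature(secret, sts):
    mac = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def client_sign(access_key, secret, method, path, headers, now):
    """Client side: date the request and attach 'Authorization: AWS keyid:signature'."""
    signed = dict(headers)
    signed["Date"] = format_datetime(now, usegmt=True)
    sig = signature(secret, string_to_sign(method, path, signed))
    signed["Authorization"] = f"AWS {access_key}:{sig}"
    return signed


def server_verify(method, path, headers, now):
    """Server side: return the access key id the request proves possession of, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return None
    key_id, presented = auth[4:].split(":", 1)
    secret = ACCESS_KEYS.get(key_id)
    if secret is None:
        return None
    try:
        sent_at = parsedate_to_datetime(h["date"])
    except (KeyError, TypeError, ValueError):
        return None
    if sent_at.tzinfo is None or abs(now - sent_at) > MAX_CLOCK_SKEW:
        return None   # undated or stale: bounds how long a captured request stays usable
    expected = signature(secret, string_to_sign(method, path, headers))
    if not hmac.compare_digest(expected, presented):
        return None   # any change to verb, path, date or x-amz-* headers breaks the signature
    return key_id


def example_exchange(skew_seconds=0, tamper_path=False):
    """Sign a constructed PUT on the client, then verify it on the server."""
    sent = datetime(2011, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    headers = {"Content-Type": "text/plain", "X-Amz-Meta-Owner": "alice"}
    signed = client_sign("AKIAEXAMPLEKEY", ACCESS_KEYS["AKIAEXAMPLEKEY"],
                         "PUT", "/bucket/report.txt", headers, sent)
    path = "/bucket/other.txt" if tamper_path else "/bucket/report.txt"
    return server_verify("PUT", path, signed, sent + timedelta(seconds=skew_seconds))
```

The secret never crosses the wire, which is the advantage over Basic auth, but the date check only bounds replay to the skew window rather than preventing it, and the request body is covered only if Content-MD5 is sent, so TLS still belongs underneath.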
