How do I implement authentication the restful way?

Question

I\'m building a picture diary on web application google app engine using python. Users can sign up and post pictures to their diary.

Also, I\'m trying to conform as

Answer 1

If "security is a concern" then I would say that you'd be a lot better off using open standards and a library to achieve what you want. The main reason for this is that if you do it yourself, you're very likely to forget something; these standards have had a lot of eyes looking at them, looking for holes.

Your options include (in increasing level of complexity)

Basic authentication and HTTPS

Everything is encrypted, which makes it impossible to compress or look into, it increases the overhead somewhat, using more horsepower on the server, and more perhaps battery power on the client. Simple to implement, since it's well supported by libraries.

Digest authentication

Unencrypted messages pass the wire, but the authentication is securely managed in the Authorization headers. See the wikipedia entry for more information.

OAuth

See how Google is providing OAuth for installed applications. I believe it isn't what you're looking for, since you're not asking to share data between applications, just authenticating users.

Roll your own

If you want to roll your own, I suggest looking at e.g. how Google's (now deprecated ?) ClientLogin used to work.

1. Clients would GET a protected resource, and get a 401 with instructions to perform a GoogleLogin authentication, including a URI for where to perform the login itself
2. Clients (knowing how to do this) POST a request in a specific manner to that URI
3. The server responds with a specific response including a (long) token
4. The client can now perform GET requests to the protected resource with that token.

Statelessness

You cite REST, which dictates that requests should not specifically depend on prior interaction: "... each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server." (fielding) This means that a server shouldn't store conversational context (like an authentication token) in a table.

One way of fixing this is by using any of the token based approaches (where the server tells the client about a token it should use for future requests) where the token is not a random number, but a message to the server itself. To protect yourself from client tampering, it can be signed, and if you're afraid of clients looking at it, you can encrypt it.

Edit: Although I'm not certain, it seems unlikely that Google has a table of all authentication tokens ever issued; The length of their tokens suggests that the token is some encrypted message proving that whoever holds this token actually provided real credentials in some realm at some time.

Answer 2

You could use a combination of HTTPS and HTTP Basic Auth. Both are existing standards and should be secure enough when used together.

Answer 3

OAuth does exactly what you want to do in a standard way.