Topic: RESTful API and authentication

The company I work for has its own internal ticketing system and some customers want an API to view/create/update their tickets programmatically.

I'm new to making public APIs and I'd like to make a RESTful one. I don't know how to go about handling authentication. Do they post their username/password and I send them an authenticity_token which they have to pass back to me for every GET and POST? Or is there some other way?

Any pointers/articles/etc would be helpful. 

Thanks,
j

Re: RESTful API and authentication

There are good authentication plugins out there already - no need to reinvent the wheel. Look into restful_authentication or authlogic.

Re: RESTful API and authentication

Oh man, I'm sorry. I forgot to add that I need to do this as a web service. Does that make any difference?

I guess I don't understand how the web service will know who's trying to call it. Calling current_user (in restful_auth - I haven't used authlogic) will figure it out based on the session, right? Do sessions exist in the RESTful web service world? Like I said, I'm new to all this, so I don't know if that's even a stupid question.

Basically, is all I have to do to provide a sign in/out feature along with whatever other web services I need, and current_user will work? Is there anything extra I need to code for?

Thanks

Re: RESTful API and authentication

I don't honestly know. I haven't ever had to use authentication except in the classic web application scenario.

Re: RESTful API and authentication

@jerkah: I have a related problem (iPhone API for a Rails app), did you find a solution to yours?

Re: RESTful API and authentication

@jerkah and tom: I posted in another thread, but anyway: the client can identify itself by passing a secret unique key in the URL so that the server knows who is on the other side of the line. So for instance: mysite.com/sqdmqse5qs5f58/some_page

Re: RESTful API and authentication

Yeah, restful_authentication will look for a user and password being passed in via HTTP authentication. So I made a base API controller that all my RESTful API controllers extend.

class BaseApiController < ApplicationController

  # We don't care about the auth token because each REST request should be standalone
  skip_before_filter :verify_authenticity_token

  # Authenticate every API request from the HTTP Basic credentials it carries
  before_filter :login_from_auth

  def login_from_auth
    # login_from_basic_auth comes from restful_authentication: it reads the
    # Authorization header and returns the matching user, or nil
    @current_user = login_from_basic_auth
  end

end

This will allow your controllers to work the way you'd expect them to. 

curl -H 'Accept: application/xml' -H 'Content-Type: application/xml' -u username:password http://localhost:3000/controller/action

hope that helps
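As an added example (not code from this thread or from restful_authentication), here is what a helper like login_from_basic_auth has to do on the server: parse the Authorization header that `curl -u username:password` sends, look the user up, and compare a derived password hash in constant time. The user store, the PBKDF2 parameters and every function name here are assumptions.

```ruby
require 'base64'
require 'openssl'
# Constructed user store and hashing parameters; a real app would use the users table.
PBKDF2_ITERATIONS = 20_000
KEY_LENGTH = 32

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: KEY_LENGTH, hash: 'sha256')
end

SALT = OpenSSL::Random.random_bytes(16)
DUMMY_SALT = OpenSSL::Random.random_bytes(16)   # used for unknown usernames
USERS = { 'jerkah' => { salt: SALT, key: derive_key('s3cret-pw', SALT) } }

# The header value `curl -u user:pass` sends: "Basic " + base64("user:pass").
def basic_header(user, pass)
  "Basic #{Base64.strict_encode64("#{user}:#{pass}")}"
end

# Returns [user, password], or nil when the header is absent, malformed or not Basic.
def parse_basic(header)
  return nil if header.nil?
  scheme, encoded = header.strip.split(/\s+/, 2)
  return nil unless scheme && encoded && scheme.casecmp?('basic')
  decoded = Base64.strict_decode64(encoded).force_encoding(Encoding::UTF_8)
  return nil unless decoded.valid_encoding?
  user, pass = decoded.split(':', 2)
  return nil if user.nil? || pass.nil? || user.empty?
  [user, pass]
rescue ArgumentError
  nil
end

# Constant-time comparison so a mismatch is not rejected faster than a near-match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the authenticated username or nil, the value a before_filter would store.
def authenticate_basic(header)
  user, pass = parse_basic(header)
  return nil if user.nil?
  record = USERS[user]
  # Derive a key even for unknown users so timing does not reveal valid names.
  candidate = derive_key(pass, record ? record[:salt] : DUMMY_SALT)
  record && secure_compare(candidate, record[:key]) ? user : nil
end
```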

Re: RESTful API and authentication

In addition, if you POST/PUT XML to the URL, such as:

curl -H 'Accept: application/xml' -H 'Content-Type: application/xml' -u username:password -d '<thing><thing_attr>16858</thing_attr><more_text>sub</more_text></thing>' http://localhost:3000/controller/action

Rails will parse it out and put it into params like you'd expect.

so params[:thing][:thing_attr] would be 16858


Anything else, let me know.

Re: RESTful API and authentication

@jerkah and @tom,

have you found a solution for this? I have a Rails web application and I am using authlogic to authenticate users in this application.

Now, my company is going to develop a mobile version of this application and they are hiring a 3rd party to do this. But these mobile developers will be using the web services that we are providing, since we have developed all the logic already. Hence, along with other services, I have to provide an API for login to the application and logout from the application. How can I do this?

After doing a lot of searching in Google, I understand that sessions are irrelevant with web service calls. Hence I plan to do the login feature like this: user id and pwd will be provided with this call. The server (my application) will do the authentication using authlogic and will then return a user object if the authentication was successful. This object will have a single access token in it. I am planning to reset this token just before sending the response. Hence the mobile application can include this token in all the subsequent requests that involve this user.

But my question is regarding the logout API. How can I implement this? I know that I can reset the single access token again when I receive the logout service call. Hence further requests with the old token will no longer be valid. Is this the right approach? Suppose the mobile user does not click the logout button, the call does not reach my server and the token is not reset. How can I handle this? Please share your ideas/suggestions/experiences.

Thanks,
A
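An added example, not part of this thread or of authlogic, of the token lifecycle described above with the missing-logout case handled by an idle expiry: the token store, TOKEN_TTL and the function names are assumptions, and credential checking is assumed to have already happened (authlogic in the post) before a token is issued.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory store: sha256(token) => { user:, expires_at: }. Only a
# hash of the token is stored, so a leaked store does not yield usable tokens.
TOKENS = {}
TOKEN_TTL = 30 * 60   # idle timeout (seconds); covers clients that never call logout

def token_key(token)
  Digest::SHA256.hexdigest(token)
end

# Login step, called only after the credentials were verified (authlogic in the
# post). Returns the raw token the mobile client sends on later requests.
def issue_token(user_id, now = Time.now)
  token = SecureRandom.urlsafe_base64(32)
  TOKENS[token_key(token)] = { user: user_id, expires_at: now + TOKEN_TTL }
  token
end

# Per-request check: returns the user id or nil. A valid use slides the idle
# window forward; an expired entry is dropped on the spot.
def user_for_token(token, now = Time.now)
  return nil if token.nil? || token.empty?
  key = token_key(token)
  entry = TOKENS[key]
  return nil unless entry
  if entry[:expires_at] <= now
    TOKENS.delete(key)
    return nil
  end
  entry[:expires_at] = now + TOKEN_TTL
  entry[:user]
end

# Logout step: revoke the token immediately; returns whether one was revoked.
def revoke_token(token)
  return false if token.nil? || token.empty?
  !TOKENS.delete(token_key(token)).nil?
end

# Housekeeping for clients that went away without logging out; returns the
# number of tokens purged.
def purge_expired(now = Time.now)
  before = TOKENS.size
  TOKENS.delete_if { |_, entry| entry[:expires_at] <= now }
  before - TOKENS.size
end
```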

Re: RESTful API and authentication

Anu wrote:

have you found a solution for this? I have a rails web application and I am using authlogic to authenticate users in this application.

If I were to do this today, I would use OAuth2 and the Rails OAuth plugin (https://github.com/pelle/oauth-plugin) to create my own OAuth provider (see http://stakeventures.com/articles/2007/ … provider). Is authlogic similar to OAuth?

Tom.


Re: RESTful API and authentication

tom,

I am confused. Authlogic is a plugin used by users to identify themselves and log in interactively to the web application. So my application has a login screen; users enter their email and pwd and submit. Then authlogic is used to validate this user. I already have this part developed.

Now, the mobile version may also have a login screen, and when the end user enters email and pwd there, that data is passed to the SignIn service. Same with Signout. That means the users table exists in my application. The data for these users also exists in my application. When I am considering the mobile developers as consumers and authenticating their application using the API key, I understand the role of OAuth. Similarly there may be another company which will be using my services.

But what I am talking about is the users that exist in my application. They just use the mobile interface to enter their credentials, the mobile app sends that data to my application, and hence my service should be able to validate this user and return the response. Similarly, when they click on the logout link in the mobile interface, the mobile application invokes the Signout service and this service should do the logout function. This is where I am stuck. Any thoughts on this?

Thanks,
Anu