So how do I work authentication into an API?

We've built a RESTful API that's really easy to use. The question now is how do I build in authentication? My app itself has uses acts_as_authenticated to manage authentication when someone is using the app. But what about when they're using the API remotely instead? I'm not sure how to handle that. Thanks for any info.

Pat

Use HTTP AUTH. Check this out for more information: http://blogs.23.nu/c0re/stories/7409/

There's also the restful_authentication plugin: http://svn.techno-weenie.net/projects/plugins/restful_authentication/

I actually am using the restful_authentication plugin to handle authentication...it'd be sweet if I could just use that without making too many changes.

Basically the problem is that the authentication is stored in the session (as the first link discusses). So if my client code isn't managing a session, I can't use it.

Net::HTTP.start('localhost', 3000) do |http|   http.post "/sessions", "login=myusername&password=mypassword"   response = http.post "/users/7/books", "book[title]=supercool"   puts response.body end

That should create a new book resource, but it just redirects to the login page. I can only assume that it's because Net::HTTP.start doesn't actually handle session stuff.

One approach that I've seen is to have an API key and pass that in as a parameter on requests. That seems like it'd probably be the easiest approach. I don't know if it's best though.

I'd like to figure out the best way to do this, ideally just using restful_authentication and all the user info I have right now. Clients are going to be whatever they want to be...I just need a way of controlling access to the resources we're exposing.

Pat

Actually, it looks like it'll be really easy with HTTP AUTH. http://ryandaigle.com/articles/2006/12/4/whats-new-in-edge-rails-new-http-authentication-plugin-and-a-plea-to-contribute has info on a new http auth plugin. I tried it out just now and it seems to work great.

So the only consideration here is that every single request requires that the username and password be included in the URL. Is that a bad thing? Obviously a client can wrap that up, but I'd just like to know if it's bad for some reason to have to include auth info in each request. One possibly downside is that either all auth info is unencrypted from now on, or every request has to be done through SSL.

Pat