1

I need to create a simple web application for track expenses, with some basic actions (user must be able to create an account and log in, list expenses, edit them, etc) with a REST API for each one, and the trick is that I need to be able to pass credentials to both the webpage and the API.

So, after some research I've found some examples using Digest Authentication and HMAC Authentication but lot of posts also mentioned OAuth as an alternative approach, so my question is, given this scenario, would be proper to use OAuth? I mean, as far as I understand OAuth is suitable when you want to share resources with other application, which I'm not doing for this project; besides that, when you try to access the shared resource it appears a page requesting permission for the foreign application, would that page appear at some point in my application? (maybe after the login?)

In case OAuth wouldn't be suitable, is there any other option besides Digest authentication and HMAC authentication?

Improve this question

1 Answer 1

Reset to default
0

OAuth 2 is a token-passing scheme. There are several different ways you can get an OAuth server to grant you a token. Once you have the token, you pass it into the service (over SSL, to protect it), and if the token is good -- and not expired -- then you can get the page or information you want.

The token-passing scheme is very easy to work with. It's very similar to a "session ID" that you send to the service, except that it comes as an Authorization header instead of a cookie or query parameter.

The part that might make OAuth harder for you is setting up the authorization on the server side; there are several server-side implementations of OAuth out there, but configuring them for what resources are protected and what aren't is a little more complicated than just having a list of usernames & passwords. There is also the "scope" allowed a client, what grant types are available to a client, and what resources that client can access. It might require a little more learning curve than something simple like Digest or HMAC.

Also, while I've protected a lot of REST services with OAuth, I've never protected web pages. So I'm not sure how to do that. With a template-driven framework like Spring MVC, their OAuth solution would fit in very nicely. Short of that, though, I'm not sure how you'd go about it (getting the browser to attach the right Authorization header to pull a page).

OAuth is more versatile than the other schemes, though, so if you're putting together a business site (as opposed to your own project) the extra learning curve and setup time could be worth it.

Improve this answer
1
  • Thank you very much @Rob Y, I really appreciate your answer, it clarified me some concepts Commented Jun 26, 2014 at 23:32

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.