16

I am designing a RESTful API which will always communicate over HTTPS. Is there any reason to use a scheme like OAuth when running over HTTPS? I am particularly interested whether or not aspects like HMAC-signed requests, nonces, and timestamps are useful when the entire communication is encrypted.

It seems like any authentication scheme over HTTPS is sufficient but I just wanted to get a second opinion.

Improve this question
2
  • OAuth can enable your API to ask for user permission, when 3rd party app wants to use the API on behalf of your users. The other benefit is in case you want to protect your API to be used by certain 3rd party application (consumer), and to divide different permissions and level access to different consumers. If user permission is not required, and API usage will be restricted by basic authentication only, and no API level access is needed, maybe HTTPS with basic authentication is sufficient. Commented Mar 24, 2011 at 18:39
  • I have this exact scenario If user permission is not required, and API usage will be restricted by basic authentication only, and no API level access is needed and the WS over HTTPS but I don't need to make the Client to store the username/password once login for subsequent calls! Commented Jan 20, 2012 at 7:28

1 Answer 1

Reset to default
12

Well, that's the whole theory behind OAuth 2. Instead of the complicated signature mechanisms of OAuth 1, you just rely on transport-layer security and focus on the authorization piece of the puzzle. The HTTPS protocol does not solve the authorization piece, so you still need OAuth 2 for that.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I second that answer. Going for oAuth 2 is good enough when over SSL. OAuth 2.0 seeing increasing adoption and will hopefully be a full fledged specification soonish.
OAuth 2 is now RFC 6749.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.