User identification
Anton, 2016-06-10 17:45:36

What client authorization method to choose for api?

There is a website that supports authorization in a personal account (LC) through sessions. Mobile applications (MP) are being developed for Android and iOS. The task is to implement authorization in the LC for the MP. Two methods were considered:

1) Simple: Basic Auth over SSL
2) More involved: protection through tokens, which as I understand it works like this:
* DB
* if the check was successful, the API sends a token in the response. It is recommended to make the token temporary in order to reduce the "window" of the attack in case it is "lost and found by bad people"
* the MP receives the token and uses it in its requests to the LC in the API.
* on the API side, requests for actions with the LC are accepted after checking the presence and validity of the token. If the token has expired, the process of obtaining a token is repeated.

Questions:
> Please clarify whether I understand the token-based protection method correctly. It turns out that it is much more complicated and loads the API more than Basic Auth!?
> Which method is better to choose and why?


1 answer(s)
DuD, 2016-06-10

Make a getToken method, on which the user exchanges a login and password for a token. That token is written to the DB with an expiry time. After that, the client calls all the other methods with the token.
If you want even more security, have the client encrypt the whole message body with the token.
SSL is a must regardless of which type you choose.
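The flow described in this answer (a getToken method that exchanges login and password for a time-limited token, the token stored with its expiry, every other method checked against it), as an added illustration that is not code from the original post. The in-memory dictionaries stand in for the site's user and token tables, the PBKDF2 password hashing, the hashed token storage and the one-hour TTL are assumptions of this example, and the clock is passed in explicitly so expiry can be demonstrated without waiting:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the site's user table and token table.
# Passwords are kept as salted PBKDF2 hashes (assumption, not from the post);
# tokens are stored hashed so that a leaked token table cannot be replayed.
USERS = {}   # username -> (salt, pbkdf2_hash)
TOKENS = {}  # sha256(token) -> {"user": ..., "expires": unix_time}

TOKEN_TTL_SECONDS = 3600  # assumed one-hour "window"; the post only says "temporary"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    """Create a user record with a fresh random salt."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def get_token(username, password, now=None):
    """getToken: check login+password against the DB, return a random token or None."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    # constant-time comparison avoids leaking how many hash bytes matched
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a guessable id
    TOKENS[_token_hash(token)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def authenticate(token, now=None):
    """Return the username for a present, valid, unexpired token, else None."""
    now = time.time() if now is None else now
    key = _token_hash(token)
    entry = TOKENS.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        # expired: drop it; the client must call get_token again
        del TOKENS[key]
        return None
    return entry["user"]


def api_get_profile(token, now=None):
    """One of 'all the other methods': accepted only after the token check."""
    user = authenticate(token, now)
    if user is None:
        return {"status": 401, "error": "token missing, invalid or expired"}
    return {"status": 200, "profile": {"user": user}}


def demo():
    """Walk through login, authorized call, expiry and re-login with a fixed clock."""
    register("anton", "correct horse")
    t0 = 1_465_580_736  # fixed clock so the demo is deterministic
    assert get_token("anton", "wrong") is None
    token = get_token("anton", "correct horse", now=t0)
    ok = api_get_profile(token, now=t0)
    later = t0 + TOKEN_TTL_SECONDS + 1
    expired = api_get_profile(token, now=later)            # token no longer valid
    renewed = get_token("anton", "correct horse", now=later)  # process repeated
    return ok["status"], expired["status"], api_get_profile(renewed, now=later)["status"]


if __name__ == "__main__":
    print(demo())
```

Note what this does to the "loads the API more" worry from the question: with Basic Auth the slow password hash would have to run on every request, whereas here it runs once per token lifetime and each subsequent request costs one SHA-256 and a table lookup. The token is only as secret as the channel it travels over, which is why the answer's point that SSL is mandatory applies to both options.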
