What is the right way to authenticate to a REST API used by mobile applications?

Viewed 3,516 times

9

Actually there are two questions (with the right to subquestions).

  1. Today I have an already implemented token generation engine (inherited from a web application) that I am using in my REST* API for mobile applications. The apps encourage the user to keep their login and password saved to avoid constantly retyping them, so validating these credentials to obtain the initial token becomes an automatic step in the applications. The tokens are close to 2KB in size. I don't have much experience with authentication and wanted to know the correct way to implement authentication in the API in this case: for example, whether the token should go in the Authentication header, whether my API should respond to an invalid token by returning HTTP status 401 - Unauthorized, and whether the authentication method should be Basic or some other type. Today the response is a JSON with a field login holding true or false and, in case of success, the value of the initial token, but I know that this way of doing it is inadequate.

  2. The second question is a broader version of the first: in the scenario of an API used only by mobile devices that spare the user from typing login and password, what form of authentication should be used? Should we keep adopting tokens? Or send login/password with each request instead? There is talk of OAuth with Bearer; would that be the preferable way? Am I mixing concepts?

* "REST" in a sense probably considered "shameless"; I don't know much about what is called "pure REST", and moreover the API is read-only, so I have no concern with idempotency or consistently changing server state.
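An added example, not part of the original question or either answer, sketching the flow the question describes: the saved credentials are exchanged once for a token, later requests carry that token in the Authorization header with the Bearer scheme, and a missing or invalid token gets a 401 with a WWW-Authenticate challenge. The user store, the in-memory token store and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store: login -> (salt, PBKDF2 hash). In a real service this lives in the database.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Server-side token store: opaque random token -> (login, expiry timestamp).
# An opaque token carries no data itself, so it stays short and is revocable by deleting the entry.
TOKENS = {}
TOKEN_TTL = 3600  # seconds

def issue_token(login: str, password: str) -> tuple:
    """Step 1: exchange the saved credentials for a token. 401 on failure, with no hint of which part was wrong."""
    entry = USERS.get(login)
    if entry is None:
        _hash(password, _SALT)  # still do the hashing work for unknown logins to keep timing similar
        return 401, {"error": "invalid_credentials"}
    salt, expected = entry
    if not hmac.compare_digest(_hash(password, salt), expected):
        return 401, {"error": "invalid_credentials"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (login, time.time() + TOKEN_TTL)
    return 200, {"token_type": "Bearer", "access_token": token, "expires_in": TOKEN_TTL}

def authenticate(headers: dict) -> tuple:
    """Step 2: check 'Authorization: Bearer <token>' on each request.

    Returns (status, body, response headers); 401 responses carry a WWW-Authenticate challenge."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "missing_token"}, {"WWW-Authenticate": 'Bearer realm="api"'}
    entry = TOKENS.get(token)
    if entry is None or entry[1] < time.time():
        TOKENS.pop(token, None)  # drop expired tokens so the store does not grow unbounded
        return 401, {"error": "invalid_token"}, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    return 200, {"user": entry[0]}, {}
```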

2 answers

2

Like Abraham, I also believe that currently the most used method for authentication in mobile applications is with accounts already registered on the devices (read: use of social media accounts or the account set up on the device [Google Play]). I am particularly using the Android authentication scheme that Google offers, using OAuth2 in conjunction with Google Account and Google Play Services.

I know this does not answer your question directly. However, I believe the following links will surely answer your questions: https://developer.android.com/google/auth/http-auth.html https://developers.google.com/identity/sign-in/

I hope I could be of some help. Good luck!

1

Answering the second question, but the first can take it as a basis. I believe that today the most common authentication method is to use the Google authentication API, Facebook's, or some other well-known API (which one will depend on your target audience), both for mobile devices and for websites.

  • Aren't these APIs aimed at authenticating Google/Facebook/Twitter/etc. accounts? In my case it is a separate user base and I have no interest in linking these users to their accounts in these other databases.

  • That's why I answered the second question, which you defined more broadly. Using the Google API in an Android app, the user will never need to enter login and password. In your specific case, though, I don't know how best to do the authentication. I would think the same way you mentioned: sending the encrypted login and password to authenticate, but the user would only type them once, and they get saved in a file or in the DB for the next authentication.

  • Got it. But the Google API only validates Google accounts, am I right? Because if so, I will have to change the question to make it clear that the user base should have nothing to do with Google (the question has the [tag:android] tag because more people follow it than [tag:mobile]). The question I wanted to ask is more general, but not that general.
