
r0r0 (macrumors newbie, original poster), Jun 1, 2014
Hello,

If we were building an iPhone app that would connect to a Web Service API, how would the authentication process work?


We have a client-side API that provides all the functions for our clients. The API we have currently uses [client_id] & [api_key] to authenticate access, so how would we authenticate users within an iOS login form who only provide us their username/password? Would we have to force them to provide us API keys? Any suggestions?

Thank you
 
Who are you trying to authenticate? The client app itself, the developer of the client app, or the user of the client app?
 
I appreciate taking the time to reply,

This would be trying to authenticate the user of the client app itself. My confusion is that the RESTful API requires a user ID and API key to authenticate. In most cases users of the client app typically provide a username and password, and not API keys. How would one bridge this gap?
 
The API Key should be hardcoded into the app and authenticates the app. The username and password are used to authenticate the user and should be provided by the user.
 
I'm assuming you're logging into the website via an HTTP request? Typically you have the API key built into the app saved as a string. So when you send your login request it's typically

This is a simple example
"http://api.website.com/user.login/<APIKEY>/<UserName/Email>/<Password>"

This example is dependent on how your backend/API is set up.

Have your app check whether the user/pass combo is correct and if it is, save the session token into the keychain.
 
Thanks guys,

Correct, it's trying to connect to our web app via HTTP request. I'm only concerned about passing the username/password in plaintext from the mobile app to the API. Wouldn't it be easy to sniff or Wireshark the login credentials on a public network? If so, then malicious users would have access to a lot of the clients' data which we hold on our web app.
 
Then use HTTPS instead of HTTP. It was invented to solve problems just like this.
 
Also, make sure to use POST, not GET, to authenticate users. If you use GET the password will be passed in cleartext. If you use POST over https the credentials will be encrypted.

Also, the way this is usually done is to have a web authentication API that takes the user credentials and returns a token. The token is then passed in all other APIs in the Authorize header.
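The flow the last two replies describe, put together as an added Python example that is not code from anyone in this thread: the API key identifies the app build, the username and password go once to a login endpoint over HTTPS by POST (never in a GET URL), the server answers with a random session token, and every later call carries only that token in the Authorization header. The host api.website.com, the X-Api-Key header name, the user account and the key are all constructed for the example. On iOS the token this returns is what the earlier reply says to keep in the keychain; the password itself never needs to be stored on the device.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# --- Constructed sample data for this example; nothing here is a real key or account ---
APP_API_KEY = "example-app-key-0001"   # hypothetical [api_key] compiled into the iOS app
TOKEN_TTL = 3600                       # seconds a session token stays valid


def _hash_password(password, salt):
    # Slow salted hash so the server never keeps the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt-not-for-production"
USERS = {"alice": _hash_password("correct horse", _SALT)}   # hypothetical user store
SESSIONS = {}   # server-side table: token -> (username, expiry time)


def build_login_request(username, password):
    """Client side. Credentials travel in a POST body over HTTPS and the app key in a
    header. Putting them in the URL path or query string (as a GET) would leave the
    password in server access logs and proxy logs even though TLS encrypts the wire."""
    return {
        "method": "POST",
        "url": "https://api.website.com/user.login",
        "headers": {
            "X-Api-Key": APP_API_KEY,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"username": username, "password": password}),
    }


def handle_login(request, now=None):
    """Server side. Returns (http_status, token). The key authenticates the app build,
    the password authenticates the user, and only a random token is handed back."""
    now = time.time() if now is None else now
    if request["method"] != "POST":
        return 405, None
    if not request["url"].startswith("https://"):
        return 400, None   # refuse to accept credentials over plain HTTP
    if not hmac.compare_digest(request["headers"].get("X-Api-Key", ""), APP_API_KEY):
        return 403, None
    form = dict(parse_qsl(request["body"]))
    username, password = form.get("username", ""), form.get("password", "")
    # Always compute the hash so an unknown username costs the same time as a bad password.
    candidate = _hash_password(password, _SALT)
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return 401, None
    token = secrets.token_urlsafe(32)   # unguessable, unrelated to the password
    SESSIONS[token] = (username, now + TOKEN_TTL)
    return 200, token


def authorize(headers, now=None):
    """Server side check for every later API call: map the bearer token back to a user,
    or return None if it is missing, unknown or expired."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)   # drop the stale session
        return None
    return username


if __name__ == "__main__":
    status, token = handle_login(build_login_request("alice", "correct horse"))
    print(status, authorize({"Authorization": "Bearer " + token}))
```

The two server functions are the whole contract the app needs: one endpoint that trades an app key plus user credentials for a token, and one check that every other endpoint runs on the Authorization header. Because the app key ships inside the binary it only identifies which client is calling; the user's session is what actually grants access to their data.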
 