API Security Practices.
Date: 03/11/06
(PHP Development) Keywords: php, security
For the past 2-3 days I have been playing with the flickr API using REST, via PHP. This has gotten me thinking about an API that the company I work for wants to create for connecting to our services. Part of that API will require some kind of security token for an external application to access our API methods. I have never done anything like this so I am not quite sure where to start.
Looking at flickr as an example.
Flickr has an authentication URL. This URL contains a query string with an api_key, perms (i.e. permissions), and an api_sig. The sig is a combination of these 2 query strings and a "secret", in this format: secret+"api_key"+yourApiKey+"perms"+requestedPermissionType, which is then turned into an md5 sum. The secret is given to you when you place a request for an API key with flickr.
When you pass this information to their authentication application, it returns a "frob" key, which you can then use to get a token for the user that is using your application.
I don't know if I need to go quite as far as using a frob and getting a token for my company's application, as our application doesn't allow other people to use our users; more or less they have their own users and we just manipulate data between us.
Ideas? Suggestions? Comments? Links?
TIA
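Editor's note: the following PHP is an added worked example of the signing scheme described in the post above; it is not code from the original post nor Flickr's own code. It generalizes the two-parameter case in the post to Flickr's documented rule (sort all parameters by name, concatenate name+value pairs, prepend the shared secret, MD5 the result), and adds the server-side check that anyone designing a similar API would need. The API key and secret values are constructed placeholders, not real credentials.

```php
<?php
// Added example (not from the original post or from Flickr).
// Flickr-style request signing: md5(secret . name1 . value1 . name2 . value2 ...)
// with parameters sorted alphabetically by name. For the post's two
// parameters this reduces to md5(secret . "api_key" . key . "perms" . perms).

declare(strict_types=1);

/**
 * Compute api_sig for a set of request parameters.
 * Any api_sig already present is ignored so that signing and
 * verification use exactly the same input.
 */
function flickr_sign(array $params, string $secret): string
{
    unset($params['api_sig']);
    ksort($params, SORT_STRING);          // alphabetical by parameter name
    $toSign = $secret;
    foreach ($params as $name => $value) {
        $toSign .= $name . (string) $value;
    }
    return md5($toSign);
}

/**
 * Build the full query string with api_sig appended.
 */
function flickr_signed_query(array $params, string $secret): string
{
    $params['api_sig'] = flickr_sign($params, $secret);
    return http_build_query($params);
}

/**
 * Server side: recompute the signature from the received parameters and
 * compare it with the one the client sent. hash_equals() is a
 * constant-time comparison, so a wrong guess does not leak how many
 * leading characters matched.
 */
function flickr_verify(array $received, string $secret): bool
{
    if (!isset($received['api_sig']) || !is_string($received['api_sig'])) {
        return false;
    }
    $expected = flickr_sign($received, $secret);
    return hash_equals($expected, $received['api_sig']);
}

// --- constructed demonstration values (hypothetical, not real Flickr keys) ---
$apiKey = 'abcdef0123456789abcdef0123456789';
$secret = 'deadbeefcafef00d';

$params = ['api_key' => $apiKey, 'perms' => 'read'];

// Sanity check: the general rule matches the post's description exactly.
assert(flickr_sign($params, $secret) === md5($secret . 'api_key' . $apiKey . 'perms' . 'read'));

$query = flickr_signed_query($params, $secret);
echo "Signed query string: {$query}\n";

// Parse the query back the way a receiving server would, then verify it.
parse_str($query, $received);
echo 'Untampered request verifies: ' . var_export(flickr_verify($received, $secret), true) . "\n";

// Changing any signed parameter without knowing the secret breaks the signature.
$tampered = $received;
$tampered['perms'] = 'delete';
echo 'Tampered request verifies: ' . var_export(flickr_verify($tampered, $secret), true) . "\n";
```

Run with `php sign.php`: the untampered query verifies and the one whose perms value was changed is rejected. Two caveats for anyone building their own scheme on this model: md5(secret . data) is a plain secret-prefix hash, and a new design would use `hash_hmac('sha256', ...)` instead, plus a timestamp or nonce inside the signed parameters so a captured request cannot simply be replayed; and the shared secret must live only on the two servers, never in a client-side or distributed application where it can be extracted.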
Source: http://community.livejournal.com/php_dev/66628.html