I am developing an HTTP API for my web application. Initially, the primary consumer of the API will be an iPhone app we are developing, but I am designing it with future use in mind (such as mobile apps for other platforms). I am trying to determine the best way to authenticate users so that they can access their accounts from the iPhone. I have a design that I think works well, but I am not a security expert, so I thought it would be good to ask for feedback.
I have three primary goals for the user authentication design:
- Good user experience: we want to allow users to enter their credentials once and stay logged in indefinitely, unless they explicitly log out. I believe the OAuth experience on the iPhone is terrible, from what I have heard (i.e. it launches the login form in Safari, then asks the user to return to the app if authentication succeeds).
- No need to store user credentials with the app: I want to avoid storing user passwords in any form, whether plain text or symmetrically encrypted.
- Security: we definitely do not need the depth of security of a banking app, but I want to be sure it is safe.
Overall, the API is RESTful (i.e. it uses URLs as resources, along with HTTP methods and status codes). Each API request must include two custom HTTP headers: an API key (unique to each client app) and a unique device ID. All API requests require HTTPS so that the headers and body are encrypted.
Current strategy:
My plan is to have an api_session table in my database with a unique constraint on the API key and unique device ID (so that only one device can access the same user account through the app), and a foreign key to the users table.
The API will have a login endpoint, which receives the username / password and, if they match an account, logs the user in and creates an api_session record for the API key and device ID. Future API requests will look up the api_session using the API key and device ID and, if a record is found, the request is treated as logged in under the user account referenced by the api_session record.
There is also a logout API endpoint, which removes the record from the api_session table.
Does anyone see a clear security hole in this?
I agree with the OAuth comments - you can definitely make OAuth work well on the iPhone. The UX uses a mechanism (jQuery) to pull the PIN back from the OAuth page and use it, without the user re-typing the PIN in the app. The UX is:
1) Display the web page (in an embedded control)
2) The user enters username and password and presses the login button
3) The OAuth response page is automatically parsed.
The Twitter OAuth implementations use pre-existing OAuth libraries for this.
However, back to your original question. The only item I can see that you do not mention is that you need to provide a way in the web app for the user to lock out / revoke the device session (if they have lost their device).
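The session scheme laid out in the question (login creates an api_session row keyed by API key and device ID, each request is looked up against it, logout deletes it), together with the "revoke the session of a lost device" action this answer asks for, as an added example. It is not code from the question or the answer. It assumes an in-memory sqlite database, PBKDF2 password hashes, and a hypothetical `ApiAuth` class with a registered-client set; it also issues a random per-login bearer token alongside the two headers, which goes beyond the post's design, because an API key and a device ID are static identifiers rather than secrets.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed example: an in-memory sqlite database stands in for the real one.
PBKDF2_ITERATIONS = 200_000


class ApiAuth:
    """api_session store for the (API key, device ID) scheme in the question.

    Each session also carries a random per-login bearer token, so knowing a
    device ID alone is not enough to act as the user (this token is an
    assumption beyond the post, not part of the original design)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            """
            CREATE TABLE users (
                id       INTEGER PRIMARY KEY,
                username TEXT UNIQUE NOT NULL,
                salt     BLOB NOT NULL,
                pw_hash  BLOB NOT NULL
            );
            CREATE TABLE api_session (
                api_key    TEXT NOT NULL,
                device_id  TEXT NOT NULL,
                token_hash BLOB NOT NULL,
                user_id    INTEGER NOT NULL REFERENCES users(id),
                UNIQUE (api_key, device_id)   -- one session per client app + device
            );
            """
        )
        self.api_keys: set[str] = set()  # assumed: keys issued to known client apps

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _hash_token(token: str) -> bytes:
        # Only a digest is stored, so reading the table does not yield usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def register_client(self, api_key: str) -> None:
        self.api_keys.add(api_key)

    def create_user(self, username: str, password: str) -> int:
        salt = secrets.token_bytes(16)
        with self.db:
            cur = self.db.execute(
                "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                (username, salt, self._hash_password(password, salt)),
            )
        return cur.lastrowid

    def login(self, api_key: str, device_id: str, username: str, password: str):
        """Login endpoint: returns a session token, or None on any failure."""
        if api_key not in self.api_keys:
            return None
        row = self.db.execute(
            "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            self._hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
            return None
        user_id, salt, pw_hash = row
        if not hmac.compare_digest(self._hash_password(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        with self.db:
            # A fresh login on the same device replaces the old session, which
            # satisfies the UNIQUE constraint and invalidates the old token.
            self.db.execute(
                "DELETE FROM api_session WHERE api_key = ? AND device_id = ?",
                (api_key, device_id),
            )
            self.db.execute(
                "INSERT INTO api_session (api_key, device_id, token_hash, user_id) "
                "VALUES (?, ?, ?, ?)",
                (api_key, device_id, self._hash_token(token), user_id),
            )
        return token

    def authenticate(self, api_key: str, device_id: str, token: str):
        """Per-request check of the headers: returns the user id, or None."""
        row = self.db.execute(
            "SELECT token_hash, user_id FROM api_session WHERE api_key = ? AND device_id = ?",
            (api_key, device_id),
        ).fetchone()
        if row is None or not hmac.compare_digest(self._hash_token(token), row[0]):
            return None
        return row[1]

    def logout(self, api_key: str, device_id: str) -> None:
        with self.db:
            self.db.execute(
                "DELETE FROM api_session WHERE api_key = ? AND device_id = ?",
                (api_key, device_id),
            )

    def revoke_all(self, user_id: int) -> int:
        """Web-app 'lost my device' action: drop every session of the user
        and return how many were removed."""
        with self.db:
            cur = self.db.execute("DELETE FROM api_session WHERE user_id = ?", (user_id,))
        return cur.rowcount
```

The token is what a stolen device ID cannot reproduce, and storing only its digest means a database leak does not hand out live sessions; `revoke_all` is the server-side half of the lock-out feature, the web UI that calls it is left to the application.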