This repository has been archived by the owner on Feb 19, 2019. It is now read-only.
Secure REST APIs #1
Comments
|
I recommend using a standard way to sign requests, e.g. https://github.com/hueniverse/hawk |
|
Great idea! There is no Python port yet. @peterbe thoughts? |
|
BASIC Auth could work very well, to unblock shipping. We've also got a PyHawk library going that supports Client, Server, and Bewit APIs. |
|
For a 1.0 we're going with basic auth instead. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Mozilla websites which consume the MozLDAP web services should do so in a secure manner.
They should be done of https
They should sign their requests
MozLDAP should verify request signatures, before servicing a request.
Each webapp would have to register the following:
(I need to play with the real APIs more, bear with me)
If the signature is valid, continue servicing the request. Otherwise respond with a 401 or other relevant HTTP code.
Benefits - Operations can lock down who can use mozLDAP. They can change secret AppIDs and Secret keys as needed.
(Updated: removed my original proposal as HAWK is a better idea)
The text was updated successfully, but these errors were encountered: