Saturday, December 1, 2007

OAuth for API Authentication

I've defined a number of APIs in my time and always seem to resort to a different kind of authentication mechanism, and my latest API was likely to be no different. I looked at the Flickr, Google and Amazon APIs and how they did authentication, and they all use custom MD5 and/or HMAC-SHA-1 hashing with a private key, with different parts of the query being hashed.

I thought, there should be a standard around this ... I had looked at OAuth but from an API viewpoint never really made the connection. Until today! I am looking at a C# implementation by Eran Hammer and I see there is some work on it, but I need to do some more research to find out what I need to provide on top of this to actually implement it (i.e. client and server requirements).

I hope to learn more about what I need to do to just use this in my API, and in particular how I may integrate the authentication in an AJAX client application without redirecting to the site.
