Pros:
- Shared login without giving out your password. (Not our problem)
- "State-ful" security without cookies or HTTPS (sort-of)
- Ability to de-authorize
Cons:
- Super complicated signing algorithm (difficult for client to sign)
Users: Twitter, Flickr, LinkedIn
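The "super complicated signing algorithm" in the first block is OAuth 1.0 request signing (RFC 5849 section 3.4), which is what Twitter, Flickr and LinkedIn used. The following is an added example, not code from these notes: it builds the signature base string, signs it with HMAC-SHA1, and shows the server-side verification that rejects a tampered request; the sample request is the one from RFC 5849 section 3.4.1.1, while the secrets and the extra `amount` parameter are constructed for the demonstration.

```python
# OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849 3.4).
# Added example; sample request values are from RFC 5849 3.4.1.1, secrets are constructed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def _enc(s):
    # RFC 5849 3.6: percent-encode everything except unreserved chars (ALPHA DIGIT - . _ ~)
    return quote(s, safe="~")


def base_string(method, url, body_params, oauth_params):
    """Build the signature base string: METHOD & base-URI & normalized parameters."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"  # default ports are dropped, others kept
    base_uri = f"{scheme}://{host}{u.path}"
    # Parameters come from the query string, the form body and the Authorization header.
    # They are decoded, re-encoded, then sorted by name and value; oauth_signature is excluded.
    params = list(parse_qsl(u.query, keep_blank_values=True)) + list(body_params)
    params += [(k, v) for k, v in oauth_params if k != "oauth_signature"]
    encoded = sorted((_enc(k), _enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_uri), _enc(normalized)])


def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret), base64-encoded."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Server side: recompute the signature from the received request, compare in constant time."""
    presented = dict(oauth_params).get("oauth_signature", "")
    expected = sign(base_string(method, url, body_params, oauth_params), consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# RFC 5849 section 3.4.1.1 sample request: POST with a query string and a form body.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = list(parse_qsl("c2&a3=2+q", keep_blank_values=True))
RFC_OAUTH = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
             ("oauth_nonce", "7d8f3e4a")]
# Expected base string as printed in the RFC (realm is not part of the signature).
RFC_BASE = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
            "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
            "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
            "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")
```

Because every query, body and oauth_* parameter is bound into the HMAC, changing any of them (or replaying with a different token secret) fails verification, which is the property a plain bearer token does not give you without HTTPS.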
Pros:
- Simpler way to accomplish authentication (bearer tokens, not signing)
- Additional options for securing things (may also use signing, etc.)
- Can also de-authorize clients (not super helpful for us)
Cons:
- HTTPS needed for security with bearer tokens
- Shorter-lived tokens are required because of the lower security threshold
- No standard implementation. Each provider makes up their own rules.
Users: Google, Facebook, etc.
Pros:
- Simple
- Secure
- SessionId could be stored in localStorage instead of cookies
Cons:
- HTTPS adds latency
- HTTPS adds overhead for servers
- Cookies can still be hijacked if only part of your domain is served over HTTPS
Users: Facebook (non-API), Google (non-API), everyone else.
Pros:
- Simple
- Secure
Cons:
- We need to store password on the client
- We need to authenticate on every request
Users: GitHub, Gowalla, others
- http://www.quora.com/What-are-the-best-practices-to-secure-an-internal-REST-API-in-the-cloud
- http://blog.apigee.com/detail/oauth_20_don_t_throw_the_baby_out_with_the_bathwater_webcast_qa
- http://www.quora.com/OAuth-2-0/How-does-OAuth-2-0-work
- http://stackoverflow.com/questions/4113934/how-is-oauth-2-different-from-oauth-1
- http://architects.dzone.com/articles/2-legged-oauth-oauth-10-and-20
- http://stackoverflow.com/questions/4968009/api-design-http-basic-authentication-vs-api-token
- http://stackoverflow.com/questions/5511589/securing-an-api-ssl-http-basic-authentication-vs-signature
- http://developer.github.com/v3/