Monday, August 24, 2009

RESTful authentication, some more thinking

Unfortunately, I haven't had much time to dedicate to this, but I have had a few discussions and a bit more time to think about it.

It seems to me that form-based auth for RESTful web services should be forbidden. There are clear standards on how to deal with authentication programmatically over HTTP: Basic, Digest and OAuth. Since the cost of implementing Basic auth over HTTPS is relatively small, adding more options beyond Basic, Digest and OAuth would only further compound interoperability issues for client consumers.
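To make the interoperability point concrete, here is an added example (not code from this post or from OSLC) of the server side of HTTP Basic auth: an unauthenticated request gets a 401 with a WWW-Authenticate challenge that any HTTP client library understands, instead of a 302 to an HTML login form. The realm name and the user/password pair are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed credential store for the example: user -> password.
# A real service would store salted password hashes, not plaintext.
USERS = {"alice": "s3cret"}

REALM = "oslc-cm"  # assumed realm name, not something the OSLC specs define


def parse_basic_authorization(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value,
    or None when the header is absent, uses another scheme, or is malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(headers, is_https):
    """Decide a request's outcome and return (status, response_headers).

    Missing or bad credentials produce a 401 plus a Basic challenge, which is
    the machine-readable signal a REST client needs; a form-based redirect
    would hand the client an HTML page it cannot act on."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if not is_https:
        # Basic sends the password base64-encoded, not encrypted: refuse plain HTTP.
        return 403, {}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison so response timing does not leak matching prefixes.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge
    return 200, {}
```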

More discussions and research should be done, though my current thinking would only be to add a statement to the OSLC-CM 1.0 specs stating that form-based auth is NOT recommended.