by rashkov 3538 days ago
I really wish this topic got discussed more because there don't seem to be a lot of great options.

I personally use an OAuth 2 library using the "Resource Owner Password Credentials Grant" which is where you POST a username and password, and you get back a session token. OAuth 2 has a few other types of grant flows but they don't make as much sense for REST only APIs.

The downside of this password grant flow is that anyone can create a client to work against your API, and potentially they can steal passwords in a man-in-the-middle fashion. One way to prevent this is to give your "trusted clients" a secret token, and then verify that token before issuing a session.

However, you can't hide a secret in browser-side JavaScript, and even mobile apps can be decompiled, so this isn't perfect either. Some devices provide a hardware enclave to store your secrets in, but most don't.

Another weakness is that if your SSL breaks, then you're essentially sending the passwords in clear text over the wire. Another commenter mentioned HMAC encryption of the password which might help. That this isn't recommended by OAuth is concerning. It's not the best standard and password grant is its weakest form. [Edit: now that I think about it, HMAC requires having another shared secret between your API and your client. Storing secrets on the client is difficult, as discussed in the previous paragraph.]

JWT seems new and not too widely used but worth looking into. It has its own downsides like some difficulty with revoking sessions from the server side, but there are workarounds for this.

I wish there was an industry standard answer that was secure and we could all be happy with but there doesn't seem to be much interest in the topic, going by how rarely it gets discussed. Best of luck!
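The server-side revocation workaround alluded to above, as an added example that is not part of this thread: a minimal HS256 JWT issuer and verifier where every token carries a `jti` that the server can put on a deny list, so a compromised session can be cut off before its `exp`. The secret, subject and timestamps are constructed values; only the Python standard library is used.

```python
import base64
import binascii
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, jti: str, ttl: int, now: int) -> str:
    """Sign a compact HS256 JWT; jti is the per-session id the server can later revoke."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, revoked: set, now: int):
    """Return the payload if the token is genuine, unexpired and not revoked; else None."""
    try:
        h, p, s = token.split(".")
        # Always verify as HS256 so an attacker-chosen "alg" header is never honoured.
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if payload.get("jti") in revoked:  # the revocation check the statelessness of JWT lacks
        return None
    return payload


SECRET = b"constructed-demo-secret"  # constructed; in practice load from server config
REVOKED_JTIS = set()


def revoke(jti: str) -> None:
    """Deny-list one session id; entries can be dropped once that token's exp has passed."""
    REVOKED_JTIS.add(jti)
```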


By the way, you may want to have a look at Auth0. They run the jwt.io informational site. Their services look interesting. Their claim is that you can use their service and their SDKs to add authentication to your service super easily.
JWT looks very interesting, thanks for bringing this up.

JWT website: https://jwt.io/introduction/