I have a Restful web service API, that is being used by different 3rd parties. Part of that API is restricted (you need username/password to access it). I was wondering what wou
There's no reason to not just use HTTP authentication here.
That said, the concept of POSTing to get a time-block nonce can work well. But it comes down to the motivation for why you would need to jump through that extra hoop in the first place.
This technique was considered when using a bcrypt hash for the original password, because of the actual expense of validating a user (if you don't know, bcrypt can be tuned to take significant real time to perform the hash function). The choice was made to provide the option to have the service "log in" once using the password that would go through the expensive validation process via bcrypt, and would then get a time blocked token in return for future requests that would bypass the bcrypt process.
In the case of the bcrypt process, using HTTP Authentication, the service would work with both the normal password and the token. That way the user could always use the password for their service, but it just becomes expensive. So they CAN do this, they just SHOULDN'T. The service doesn't care which authentication technique the client uses.
The nonce service is offered as an aside to improve throughput.
Other than that, it's standard HTTP authentication, but with a new scheme.
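Added example (not code from the question or the answer): a server-side `authenticate()` that accepts both credentials the answer describes on every request, the slow password path and the cheap time-limited token issued after one slow login. It assumes a PBKDF2 stand-in for bcrypt (standard library only), a constructed single-user store, and an HMAC-signed `user:expiry` token format of my own design.

```python
import base64, hashlib, hmac, os, time

# PBKDF2 with a high iteration count stands in for bcrypt here (stdlib only);
# the point is simply that verify_password() is deliberately slow.
PBKDF2_ITERATIONS = 200_000
SERVER_KEY = os.urandom(32)   # per-process token-signing key (constructed)
TOKEN_TTL = 300               # seconds a token stays valid (the "time block")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

# Constructed demo user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def verify_password(user, password):
    """Expensive path: runs the full KDF on every call."""
    salt, digest = USERS.get(user, (_SALT, b""))  # still hash for unknown users
    return hmac.compare_digest(hash_password(password, salt), digest)

def issue_token(user, now=None):
    """Cheap, time-limited credential handed out after one expensive login."""
    exp = int((now or time.time()) + TOKEN_TTL)
    payload = f"{user}:{exp}".encode()
    tag = hmac.new(SERVER_KEY, payload, "sha256").hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b":" + tag).decode()

def verify_token(token, now=None):
    """Cheap path: one HMAC plus an expiry check; returns the user or None."""
    try:
        user, exp, tag = base64.urlsafe_b64decode(token).rsplit(b":", 2)
        expiry = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, user + b":" + exp, "sha256").hexdigest().encode()
    if not hmac.compare_digest(tag, expected) or expiry <= (now or time.time()):
        return None
    return user.decode()

def authenticate(authorization, now=None):
    """Accept either scheme on any request; return the authenticated user or None."""
    scheme, _, credential = authorization.partition(" ")
    if scheme == "Basic":
        user, _, password = base64.b64decode(credential).decode().partition(":")
        return user if verify_password(user, password) else None
    if scheme == "Bearer":
        return verify_token(credential, now)
    return None
```

A login endpoint would call `verify_password()` once and hand back `issue_token()`; every later request can present either header, and only the Basic one pays the KDF cost.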