Controlling access to my API using SSH public key (not SSL)
Posted
by
tharrison
on Server Fault
See other posts from Server Fault
or by tharrison
Published on 2012-05-01T15:42:24Z
Indexed on
2012/06/21
9:18 UTC
Read the original article
Hit count: 178
I have the challenge of implementing an API to be consumed by relatively non-technical clients -- pasting some sample code into their WordPress or homegrown PHP site is probably as much as we can ask. Asking them to install SSL on their servers ain't happening. So I am seeking a simple yet secure way to authenticate API clients.
OAuth is the obvious solution, but I don't think it passes the "simple" test.
Adding a client id and hashed secret as a parameter to the requests is closer -- it's not hard to do md5($secret . $client_id)
or whatever the php would be.
It seems to me that if client requests could use the same approach as SSH public keys (client gives us a key from their server(s) there should be some existing magic to make all of the subsequent transactions transparently work just as regular HTTP API requests.
I am still working this out (obviously :-), so if I am being an idiot, it would be nice to know why.
Thanks!
© Server Fault or respective owner