Controlling access to my API using SSH public key (not SSL)

Posted by tharrison on Server Fault See other posts from Server Fault or by tharrison
Published on 2012-05-01T15:42:24Z Indexed on 2012/06/21 9:18 UTC
Read the original article Hit count: 178

Filed under:
|
|
|

I have the challenge of implementing an API to be consumed by relatively non-technical clients -- pasting some sample code into their WordPress or homegrown PHP site is probably as much as we can ask. Asking them to install SSL on their servers ain't happening. So I am seeking a simple yet secure way to authenticate API clients.

OAuth is the obvious solution, but I don't think it passes the "simple" test.

Adding a client id and hashed secret as a parameter to the requests is closer -- it's not hard to do md5($secret . $client_id) or whatever the php would be.

It seems to me that if client requests could use the same approach as SSH public keys (client gives us a key from their server(s) there should be some existing magic to make all of the subsequent transactions transparently work just as regular HTTP API requests.

I am still working this out (obviously :-), so if I am being an idiot, it would be nice to know why.

Thanks!

© Server Fault or respective owner

Related posts about ssl

Related posts about http