iOS to Web Service API Authentication

Discussion in 'iOS Programming' started by r0r0, Jun 1, 2014.

  1. r0r0 macrumors newbie

    Joined:
    Jun 1, 2014
    #1
    Hello,

    If we were building an iPhone app that would connect to a Web Service API, how would the authentication process work?

    We have a client-side API that provides all the functions for our clients. The API we have currently uses [client_id] & [api_key] to authenticate access, so how would we authenticate users within an iOS login form who only provide us their username/password? Would we have to force them to provide us API keys? Any suggestions?

    Thank you
     
  2. ArtOfWarfare macrumors 604

    Joined:
    Nov 26, 2007
    #2
    Who are you trying to authenticate? The client app itself, the developer of the client app, or the user of the client app?
     
  3. r0r0 thread starter macrumors newbie

    Joined:
    Jun 1, 2014
    #3
    I appreciate you taking the time to reply.

    This would be trying to authenticate the user of the client app itself. My confusion is that the RESTful API requires a userid and API key to authenticate. In most cases users of the client app typically provide a username and password, and not API keys. How would one bridge this gap?
     
  4. ArtOfWarfare macrumors 604

    Joined:
    Nov 26, 2007
    #4
    The API Key should be hardcoded into the app and authenticates the app. The username and password are used to authenticate the user and should be provided by the user.
     
  5. Dookieman macrumors 6502

    Joined:
    Oct 12, 2009
    #5
    I'm assuming you're logging into the website via an HTTP request? Typically you have the API built into the app saved as a string. So when you send your login request it's typically something like this.

    This is a simple example:
    "http://api.website.com/user.login/<APIKEY>/<UserName/Email>/<Password>"

    This example is dependent on how your backend/API is set up.

    Have your app check whether the user/pass combo is correct and if it is, save the session token into the keychain.
     
  6. r0r0 thread starter macrumors newbie

    Joined:
    Jun 1, 2014
    #6
    Thanks guys,

    Correct, it's trying to connect to our web app via HTTP request. I'm only concerned about passing the username/password via plaintext from the mobile app to the API. Wouldn't it be easy to sniff or Wireshark the login credentials on a public network? If so, then malicious users would have access to a lot of the clients' data which we hold on our web app.
     
  7. chown33 macrumors 604

    Joined:
    Aug 9, 2009
    #7
    Then use HTTPS instead of HTTP. It was invented to solve problems just like this.
     
  8. r0r0 thread starter macrumors newbie

    Joined:
    Jun 1, 2014
    #8
    Thank you, going to go this route :)
     
  9. PhoneyDeveloper macrumors 68030

    Joined:
    Sep 2, 2008
    #9
    Also, make sure to use POST not GET to authenticate users. If you use GET the password will be passed in cleartext. If you use POST over HTTPS the credentials will be encrypted.

    Also, the way this is usually done is to have a web authentication API that takes the user credentials and returns a token. The token is then passed in all other APIs in the Authorize header.
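
The flow described in posts #4 and #9, sketched from the server side as an added example (not code from the thread or from any poster): the API key identifies the app, the username and password identify the user, and a random session token replaces both on later calls. All names, the in-memory stores, the constant salt and the `Authorization: Bearer` header format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one registered app key and one user record.
APP_KEYS = {"demo-app-key"}            # identifies the app, not the user
_SALT = b"constructed-salt"            # assumption: a real store uses a per-user salt
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSIONS = {}                          # token -> (username, expiry timestamp)
TOKEN_TTL = 3600                       # token lifetime in seconds

def login(app_key, username, password):
    """Handle a POST to the login endpoint; fields arrive in the request body
    over HTTPS, never in the URL. Returns a session token or None."""
    if app_key not in APP_KEYS:
        return None
    # Hash even for unknown users so response time does not reveal valid names.
    stored = USERS.get(username, b"\0" * 32)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    matches = hmac.compare_digest(stored, supplied)   # constant-time compare
    if not (matches and username in USERS):
        return None
    token = secrets.token_urlsafe(32)  # random; contains no credentials
    SESSIONS[token] = (username, time.time() + TOKEN_TTL)
    return token

def authenticate(headers, now=None):
    """Resolve the Authorization header of a later API call to a username."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        return None
    username, expiry = SESSIONS[token]
    if (now if now is not None else time.time()) >= expiry:
        del SESSIONS[token]            # expired: the app must log in again
        return None
    return username

def logout(token):
    """Invalidate a token server-side, e.g. when the user signs out."""
    SESSIONS.pop(token, None)
```

The app keeps only the returned token (in the keychain, as post #5 suggests), so the password is sent once per login rather than with every request.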
     
