I wouldn't consider using a UUID as multi-factor authentication. All our API traffic is over https. We use the basic authentication included with django-piston.
Any reason why you want to exchange username and password for an API Key? Why not just authenticate each request with username and password?

On Feb 8, 2011, at 5:37 PM, Sean W wrote:

> This is a re-post of my Stack Overflow question here:
> http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django
>
> Hi,
>
> I am in the planning phase of a new project. I want to be able to control
> multiple relays from my Android powered phone over the internet. I need to
> use an HTTP based server as a middleman between the phone and the relays.
> Django is my preferred platform because Python is my strongest skill set.
> This would not be a "web app" (with the exception of the admin interface for
> managing the users and their access to the relays). Rather, the server would
> simply provide an API in the form of HTTPS requests and JSON encoding.
> Though, I should note that I have never done any web development in my life,
> so I don't know best practices (yet). The authentication method should meet
> the following criteria:
>
> - Works over HTTPS (self-signed SSL)
> - Provides multi-factor authentication (in the form of something you have and
>   something you know)
> - Be reasonably secure (would be very difficult to fool, guess at, or otherwise
>   bypass)
> - Is simple in implementation for the server operator and end user on the
>   mobile client
> - Is lightweight in terms of both CPU cycles and bandwidth
>
> I plan to use the following scheme to solve this:
>
> 1. An administrator logs into the web interface, creates a user, and sets up
>    his/her permissions (including a username and a password chosen by the user).
> 2. The user starts the client, selects "add server", and enters the server URL
>    and his/her credentials.
> 3. The client attempts to authenticate the user via HTTP auth (over SSL). If
>    the authentication was successful, the server will generate an API key in
>    the form of a UUID and send it to the client.
> 4. The client will save this key and use it in all API calls over HTTPS. HTTP
>    auth is only used for the initial authentication process prior to receiving
>    a key, as a session scheme would not be necessary for this application.
>    Right?
> 5. The client will only work if the phone is configured to automatically lock
>    with a PIN or pattern after a short timeout.
> 6. The server will only allow one key to be generated per user, unless an
>    administrator resets the key.
>
> Hence, simple, mobile, multifactor authentication.
>
> Is this sound from a security standpoint? Also, can anyone point me to an
> example of how to use the HTTP auth that is built into Django? From a Google
> search, I can find a lot of snippets which hack the feature together. But
> none of them implement HTTP auth in the way it was added to Django in 1.1. The
> official documentation for REMOTE_AUTH can be found here, but I am having
> difficulty understanding the documentation as I am very new to Django.
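The key-exchange scheme described in the quoted question (verify HTTP Basic credentials once over HTTPS, issue a single UUID API key per user, validate that key on every later call, and let only an administrator reset it), written out as an added example that is not code from this thread, from Django or from django-piston. It is framework-free Python with an in-memory user store standing in for the database, and the function names (`create_user`, `issue_api_key`, `user_for_api_key`, `admin_reset_key`) are assumptions made for this illustration. The password is stored as a salted PBKDF2 hash and both the password check and the key lookup use constant-time comparison, which is the detail the reply's "why not authenticate every request with username and password" question hinges on: whichever secret the server ends up checking per request, it should never compare it with plain `==`.

```python
import base64
import hashlib
import hmac
import os
import uuid

# Constructed in-memory stores for this example only; a real server would keep
# users and keys in the Django ORM (or another database).
_USERS = {}   # username -> {"salt": bytes, "hash": bytes, "api_key": str | None}
_KEYS = {}    # api_key -> username (reverse lookup used on every API call)
_SALT_LEN = 16


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256: a leaked user table does not expose plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def basic_header(username, password):
    """Build the Authorization header a client sends for HTTP Basic auth."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def create_user(username, password):
    """Step 1: an administrator creates the user with the password the user chose."""
    salt = os.urandom(_SALT_LEN)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "api_key": None}


def check_basic_auth(header):
    """Parse an HTTP Basic Authorization header; return the username or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    user = _USERS.get(username)
    if not sep or user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        _hash_password(password, b"\x00" * _SALT_LEN)
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return username
    return None


def issue_api_key(header):
    """Step 3: exchange a valid Basic-auth login for a UUID key; one key per user."""
    username = check_basic_auth(header)
    if username is None:
        return None, 401          # credentials rejected
    user = _USERS[username]
    if user["api_key"] is not None:
        return None, 409          # key already issued; only an admin can reset it
    key = str(uuid.uuid4())       # uuid4 is drawn from os.urandom, so it is unguessable
    user["api_key"] = key
    _KEYS[key] = username
    return key, 201


def user_for_api_key(key):
    """Step 4: validate the key presented on an API call; return the username or None."""
    if not isinstance(key, str) or not key.isascii():
        return None
    # Linear scan with constant-time compare per entry; fine for a handful of users.
    for stored, username in _KEYS.items():
        if hmac.compare_digest(stored, key):
            return username
    return None


def admin_reset_key(username):
    """Step 6: an administrator revokes the user's key so a fresh one can be issued."""
    user = _USERS[username]
    if user["api_key"] is not None:
        _KEYS.pop(user["api_key"], None)
        user["api_key"] = None


if __name__ == "__main__":
    create_user("relay-user", "correct horse battery staple")   # constructed sample
    key, status = issue_api_key(basic_header("relay-user", "correct horse battery staple"))
    print(status, key, user_for_api_key(key))
```

Note what the scheme does and does not buy: the UUID is a bearer token, so the "something you have" is only as strong as the phone's storage and lock screen, which is why the question ties the client to a PIN or pattern lock. Compared with sending the password on every request, the trade is one expensive PBKDF2 check at enrolment against a cheap constant-time lookup per call, plus the ability to revoke the phone's access without changing the user's password.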

