Open mozvat opened 11 years ago
I have a couple of thoughts on authentication, and this seems as good a place as any to express them. I think it makes a little more sense to put the fields necessary for authentication within request headers instead of query strings in the URL. I think maybe it's just a style preference, but I would rather see the URL as the resource and the elements needed to describe it. We could create a custom header field that contains both the key as well as the hashed signature. For example: MWS [key]:[hashed signature]
The same approach could be taken with the timestamp: timestamp:[epoch timestamp]
I think one trade-off of using custom header fields is the ability to use generic REST clients like "Postman" or "Dev HTTP Client". These are Chrome plugin test clients; search for them in the Chrome store.
Note, I sent sample code to the architecture team (Mon 3/11/2013 9:41 AM) using a similar approach for creating the signature and signing the requests.
Headers work great for this too - that's how American and FedEx both do their two-legged auth.
I do not see anything that walks someone through authentication. I understand the steps, but even your sample code does not perform an authentication; it just calls the endpoint.
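As an added example (not mozvat's sample code and not the project's own API), here is the header scheme proposed in the first post, MWS [key]:[hashed signature] plus a timestamp header, with the server-side verification step that the last comment notes is missing from the samples. The canonical string layout, HMAC-SHA256, the `Authorization` header name, the demo credentials and the 300 second freshness window are all assumptions made for this example.

```python
import hmac
import hashlib
import time

# Constructed demo credentials for this example only; real key IDs and
# secrets would be provisioned per client and never hard-coded.
DEMO_KEY_ID = "demo-key-id"
DEMO_SECRET = b"demo-shared-secret"
MAX_CLOCK_SKEW = 300  # seconds; assumed replay/freshness window


def canonical_string(method, path, timestamp, body=b""):
    """String both sides sign: method, path, timestamp and a body digest.
    Binding the timestamp into the signature is what stops a captured
    request from being replayed later with a fresh timestamp header."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(method, path, body=b"", key_id=DEMO_KEY_ID,
                 secret=DEMO_SECRET, now=None):
    """Client side: produce the two headers from the proposal."""
    ts = int(now if now is not None else time.time())
    msg = canonical_string(method, path, ts, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"Authorization": f"MWS {key_id}:{sig}", "timestamp": str(ts)}


def verify_request(method, path, headers, body=b"", secrets=None, now=None):
    """Server side: parse the headers, look up the key, reject stale
    timestamps, recompute the HMAC and compare in constant time.
    Returns (ok, reason) so callers can log why a request was refused."""
    secrets = secrets if secrets is not None else {DEMO_KEY_ID: DEMO_SECRET}
    auth = headers.get("Authorization", "")
    if not auth.startswith("MWS ") or ":" not in auth:
        return False, "malformed Authorization header"
    key_id, _, presented = auth[4:].partition(":")
    secret = secrets.get(key_id)
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("timestamp", ""))
    except ValueError:
        return False, "missing or non-numeric timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"
```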