
Best way to generate API key

 
Ranch Hand
Hi All,

Currently we have a web application and we want to extend it for mobile, so we are planning to use a token to validate users accessing the APIs. What is the best way to do it? I thought of using a UUID generated based on the user name. Is that the right approach? How about using OAuth? Could someone suggest?

Thanks,
Ramesh
 
Bartender

ramesh maredu wrote: Currently we have a web application and we want to extend it for mobile, so we are planning to use a token to validate users accessing the APIs. What is the best way to do it? I thought of using a UUID generated based on the user name. Is that the right approach? How about using OAuth? Could someone suggest?


Well the main token-based security system that I know of is Kerberos (although it's been a while since I was in that line of business). What do you currently use, and why don't you think it would be any good for a mobile? I presume that any user is still going to have to enter a name/password somehow.

Winston
 
ramesh maredu
Ranch Hand
Currently we have a web application built using Struts 2. When a user enters his credentials, we fetch the user information and save it in the session for further reference. Here cookies are used for session management; to continue using the same without any changes, the cookie has to be set in the mobile app every time they invoke the Struts 2 API, which returns a JSON response.

Well, the actual idea is to use a RESTful API rather than invoking the web URL directly to get the response in JSON format, so the same API can be used by the web UI and the mobile app. To check the API invoker's identity, I thought of using an API key which is a UUID generated from his username and password.
 
Greenhorn
  • Likes 1
I would use a completely random hex code. I would seriously avoid hashing the username & password; that leaves all your users vulnerable to a dictionary attack.
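
A sketch of the random-key approach suggested in the last reply, next to the credential-derived UUID from the question. This is an added example, not code posted in the thread. The class name, the in-memory map and the sample credentials are constructed for illustration, and storing only a SHA-256 hash of the key on the server is an addition the thread does not discuss.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class ApiKeyDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical in-memory store: user name -> SHA-256 of the issued key.
    private static final Map<String, byte[]> KEY_HASHES = new ConcurrentHashMap<>();

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Issue a key: 32 bytes from the CSPRNG, hex-encoded. Only its hash is kept.
    static String issueKey(String user) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String key = toHex(raw);
        KEY_HASHES.put(user, sha256(key));
        return key; // handed to the client once, never stored in clear
    }

    // Verify a presented key with a constant-time comparison of the hashes.
    static boolean verify(String user, String presented) throws Exception {
        byte[] stored = KEY_HASHES.get(user);
        return stored != null && MessageDigest.isEqual(stored, sha256(presented));
    }

    public static void main(String[] args) throws Exception {
        // Credential-derived key: the same name and password always give the same
        // UUID, so a password guess is also a key guess, and the key cannot be
        // rotated without changing the password.
        byte[] creds = "ramesh:Summer2018".getBytes(StandardCharsets.UTF_8); // constructed sample
        System.out.println(UUID.nameUUIDFromBytes(creds).equals(UUID.nameUUIDFromBytes(creds)));

        String key = issueKey("ramesh");          // random key, unrelated to the password
        System.out.println(verify("ramesh", key));
        issueKey("ramesh");                       // rotation: the old key stops working
        System.out.println(verify("ramesh", key));
    }
}
```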
 