
Best way to generate API key

 
ramesh maredu
Hi All,

Currently we have a web application. We want to extend the same for mobile, so we are planning to use a token to validate users to access APIs. What is the best way to do it? I thought of using a UUID generated based on the user name; is it the right approach? How about using OAuth? Could someone suggest?

Thanks,
Ramesh
 
Winston Gutkowski
ramesh maredu wrote: Currently we have a web application. We want to extend the same for mobile, so we are planning to use a token to validate users to access APIs. What is the best way to do it? I thought of using a UUID generated based on the user name; is it the right approach? How about using OAuth? Could someone suggest?

Well, the main token-based security system that I know of is Kerberos (although it's been a while since I was in that line of business). What do you currently use, and why don't you think it would be any good for a mobile? I presume that any user is still going to have to enter a name/password somehow.

Winston
 
ramesh maredu
Currently we have a web application built using Struts 2. When a user enters his credentials, we fetch the user information and save it in the session for further reference. Here cookies are used for session management; to continue using the same without any changes, a cookie has to be set in the mobile app every time they invoke the Struts 2 API, which returns a JSON response.

Well, the actual idea is to use a RESTful API rather than invoking the web URL directly to get the response in JSON format, so the same API can be used by the web UI and the mobile app. To check the API invoker's identity, I thought of using an API key which is a UUID generated from his username and password.
 
thomas brian
I would use a completely random hex code. I would seriously avoid hashing the username & password; that leaves all your users vulnerable to a dictionary attack.
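The contrast discussed in this thread, as an added example that is not part of any poster's reply: a UUID derived from credentials is deterministic, while a key drawn from `SecureRandom` carries no user data and can be stored server-side as a digest only. The class and method names, the sample credentials, and the use of `UUID.nameUUIDFromBytes` to model the "UUID from username and password" idea are assumptions; `HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.UUID;

public class ApiKeyDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // 32 bytes (256 bits) from the platform CSPRNG, hex-encoded.
    // The key is unrelated to the username or password.
    static String newApiKey() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return HexFormat.of().formatHex(raw);
    }

    // The server keeps only this digest, never the key itself.
    // A plain SHA-256 is adequate here because the input is high-entropy.
    static byte[] digest(String apiKey) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256")
                .digest(apiKey.getBytes(StandardCharsets.US_ASCII));
    }

    // MessageDigest.isEqual compares in constant time.
    static boolean matches(String presented, byte[] stored) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(digest(presented), stored);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials (assumption, for illustration only).
        byte[] seed = "alice:letmein".getBytes(StandardCharsets.UTF_8);

        // Credential-derived key: the same input always yields the same UUID,
        // so it cannot be rotated without a password change and can be
        // recomputed by anyone who guesses the password.
        UUID a = UUID.nameUUIDFromBytes(seed);
        UUID b = UUID.nameUUIDFromBytes(seed);
        System.out.println("derived keys identical: " + a.equals(b));

        // Random key: issue once to the client, store the digest, verify later.
        String key = newApiKey();
        byte[] stored = digest(key);
        System.out.println("issued key accepted:  " + matches(key, stored));
        System.out.println("other key accepted:   " + matches(newApiKey(), stored));
    }
}
```

Revoking or rotating such a key means deleting the stored digest and issuing a new key; the user's password is not involved.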
 