
Introduction

The Shared API Team's evolving views on API Authentication and Authorization issues can be found on this page.

The Framework document contains the following statement: "All REST API calls MUST take place over HTTPS. Defined mechanisms MUST be in place to establish trust in the underlying keys."

Proposal From Discussion on 16 Apr 2014 Call

The Framework should require certain characteristics, such as

  1. Identification of endpoints (at least the server, perhaps the client as well)
  2. Confidentiality of data in transit (e.g. TLS/SSL)

APIs may implement protocols suitable for their specific bindings so long as they are compliant with the Framework requirements.

Additionally, the Framework may define certain mechanisms as explicitly compliant, such as

  1. Basic auth over HTTPS
  2. Client side certificates via HTTPS
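As an added illustration (not the Shared API Team's code, and not part of the Framework itself), the following Python client shows how the two explicitly compliant mechanisms above map onto concrete settings: the connection is refused unless the scheme is `https`, the TLS context verifies the server's certificate chain and hostname (endpoint identification), an optional client certificate is loaded for mutual TLS, and Basic credentials are only ever attached to that TLS-protected connection. The hostname `api.example.com` and the certificate file paths are placeholders; the functions return the prepared connection and headers without opening a socket, so the checks can be exercised offline.

```python
import base64
import http.client
import ssl
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 'Basic' credential: base64(username:password).

    base64 is an encoding, not encryption, so this header is only acceptable
    over HTTPS, which is exactly why the Framework pairs the two.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def framework_tls_context(ca_file=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """TLS context satisfying 'identification of endpoints' and 'confidentiality'.

    create_default_context() already validates the server chain against the
    trusted CA store and checks the hostname; the assignments below make those
    requirements explicit so a later edit cannot silently relax them.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True                      # server identity must match the URL
    ctx.verify_mode = ssl.CERT_REQUIRED            # an unverifiable server is rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption: floor chosen for this example
    if client_cert:
        # Client-side certificate via HTTPS: the server can now identify us too.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_request(url, username=None, password=None,
                  ca_file=None, client_cert=None, client_key=None):
    """Prepare a Framework-compliant call.

    Returns (connection, headers). Raises ValueError for any non-https URL so
    that credentials can never be sent in the clear by accident.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"Framework requires HTTPS; refusing {parts.scheme}:// URL")

    ctx = framework_tls_context(ca_file, client_cert, client_key)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx)

    headers = {}
    if username is not None:
        headers["Authorization"] = basic_auth_header(username, password or "")
    return conn, headers


if __name__ == "__main__":
    # Constructed sample call against a placeholder host; no socket is opened here.
    conn, headers = build_request("https://api.example.com/v1/resource",
                                  username="Aladdin", password="open sesame")
    print(conn.host, conn.port, headers)
    try:
        build_request("http://api.example.com/v1/resource", username="Aladdin", password="x")
    except ValueError as err:
        print("rejected:", err)
```

In a real deployment `ca_file` would point at the trust anchor the Framework's "defined mechanisms" establish for the API, and `client_cert`/`client_key` at the credential issued to the calling system; with both supplied the same `build_request` call yields a mutually authenticated connection.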