First authentication in order to get a token


I am writing a mobile client for an online store. I have written a REST API for accessing data on the server. Now I need to authenticate the user.
I have read a lot about this, and came to a simple solution.
Firstly, when the user runs the application for the first time, he must enter exactly the password and login from his online store account. In this case the password is somehow sent to the server and checked, after which the user gets a response.
If everything is OK, the user receives an access token that can be used in the future to access private data. If not, he gets a simple forbid message.

I have some questions here:

  1. What is the best way to send the password and login for the first time, to get the access token? Encrypt the password with some algorithm and then send it over plain HTTP, or establish an HTTPS session and simply use this channel to transfer the data over the net? In that case the password doesn't have to be encrypted; just use the public/private keys provided by HTTPS?

  2. Is it okay to send this request as a POST method over HTTPS, for example using the following URL: /api/v0/store/auth? Or is it better to do this another way?

  3. In all cases where HTTPS is used, do I need a self-signed certificate?

I would be grateful for any help. Thanks in advance.

On BEST ANSWER

1 - It is not true that passwords don't have to be encrypted on HTTPS. The best approach would be for your server to encrypt the plain password just received and then try to authenticate the user, generating a token. This token should only last for the duration of this connection.

2 - Yes, the POST method is okay for authentication.

3 - You may use self-signed certificates, but if you do, the client will probably trigger an alert because it won't recognize your certificate. The correct way would be acquiring an SSL certificate from an authorized provider like VeriSign and others.
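As an added illustration of the flow the question and answer describe (not code from either poster), here is the server-side logic behind a POST to /api/v0/store/auth: the login and password arrive in plaintext inside the HTTPS channel, the server checks them against a stored salted hash rather than a stored password (a salted PBKDF2 hash is used here where the answer says "encrypting"), and on success issues a random, expiring token that later private requests present instead of the password. The user store, the demo user and the expiry period are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed demo store: login -> (salt, PBKDF2 hash). Only hashes are kept,
# so a leaked database does not reveal the password that travelled over HTTPS.
_USERS = {}
_TOKENS = {}                 # token -> (login, expiry as unix time)
TOKEN_TTL_SECONDS = 3600     # assumed lifetime; the answer wants tokens short-lived
PBKDF2_ROUNDS = 200_000

def register(login, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    _USERS[login] = (salt, digest)

def _verify_password(login, password):
    record = _USERS.get(login)
    if record is None:
        # Hash anyway so an unknown login takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison

def handle_auth(body, now=None):
    """Logic for POST /api/v0/store/auth; body is the parsed JSON {login, password}.
    Returns (http_status, response_dict)."""
    now = time.time() if now is None else now
    if not _verify_password(body.get("login", ""), body.get("password", "")):
        return 403, {"error": "forbidden"}          # the "simple forbid message"
    token = secrets.token_urlsafe(32)                # 256 random bits, unguessable
    _TOKENS[token] = (body["login"], now + TOKEN_TTL_SECONDS)
    return 200, {"token": token, "expires_in": TOKEN_TTL_SECONDS}

def authorize(token, now=None):
    """Check the bearer token on later private requests; None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    login, expiry = entry
    if now >= expiry:
        del _TOKENS[token]                           # expired tokens are dropped
        return None
    return login

register("alice", "correct horse battery")           # constructed demo account
```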