im not sure of which way to take with a REST API im currently developing using CakePHP, i haven't implemented authentication and until now that im almost done with it i'm reading about it,
but i'm not sure of what should i do, this API would be exposed so that a webpage and a mobile app can consume it, but i dont think Basic auth or Digest auth (which come as default options in CakePHP) are the option,
i only know that i need it to check username and password from the database, and grant permission according to an ACL that is already set up, i was reading something about HMAC but dont understand it completely, should i make an authentication method on my own that does something like check a token? is this article correct? : http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
and if so, how do i implement those principles to the CakePHP auth method? is there a plugin for this auth method using HMAC?
should i use OAuth 2.0? does it make sense to use OAuth 2.0 for a username & password login? am i too lost? if im not so lost, could you please describe how to implement OAuth with username and password in cakephp?
someone, please, anyone surfing this interweb forum, HELP ME. if you could provide examples or workflows, anything, everything will be greatly appreciated.
How much security do you need? As an API is usually accessed from a client app which has the keys, it's usually OK to send the credentials along with every (https) request (as POST parameters, so they'll be encrypted). At least, this is by far the easiest solution: You just check the credentials with every request, without any sessions, tokens and the like. If the credentials are valid, you check whether that now authenticated 'user' is authorized to access the requested resource(s).
Remember that more advanced authentication/authorization methods quickly become complex in development and management. If you don't have any experience in implementing such systems, it's rather likely you're obsoleting the possible security gain with implementation bugs/issues.