The last couple of days I’ve been thinking of a way to do user authentication for MarkUs’ Web API. This is what I’ve come up with so far. Feedback and suggestions are very welcome.
- Instructors and TAs will be able to get a “key” via MarkUs. When an instructor logs in, the API key (a SHA-2 digest, 512 bits in length) is displayed on the dashboard. TAs will see the key below the list of assignments when they log in.
- The goal is that the private key never shows up in a script.
- In order to use this key for authentication from within a script, the following steps are required:
  - An MD5 hash of the private key has to be generated.
  - This MD5 hash will then be encoded using Base64; the result is used as a token and travels over the wire with each request.
- The token, generated as described above, will be sent to the MarkUs server in the HTTP “Authorization” header, i.e. each request sent to the MarkUs API has to include this header with the appropriate token.
- Since MarkUs knows the private key, and knows that the token is a Base64-encoded MD5 digest of that key, the matching user can easily be determined, and the private key never has to be included in scripts on the semi-private servers where the scripts are run.
I was thinking that the Authorization HTTP header (which is otherwise used for Basic or Digest schemes) could have the following form:
Authorization: MarkusCustom MDk4ZjZiY2Q0NjIxZDM3M2NhZGU0ZTgzMjYyN2I0ZjYK
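To make the proposal concrete, here is an added example (not MarkUs code) of both halves of the scheme as described above: the client derives the token from the key and builds the Authorization header, and the server parses the custom scheme and finds the matching user. It assumes the token is Base64 of the hex MD5 digest, which is what the sample header above encodes (it decodes to the hex MD5 of the string "test", followed by a trailing newline as produced by a shell pipeline); the user records, the `MarkusCustom` scheme name and the constant-time comparison helper are this example's own choices, not part of the proposal.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Key as it would be displayed on the MarkUs dashboard: a SHA-512 digest in
# hex (128 characters). The real MarkUs key-generation code is not on the
# page; this version hashes 64 random bytes.
def generate_api_key
  Digest::SHA512.hexdigest(SecureRandom.random_bytes(64))
end

# Client side: the token that travels over the wire is Base64(MD5hex(key)).
# strict_encode64 emits no line breaks, so the header stays on one line.
def derive_token(api_key)
  Base64.strict_encode64(Digest::MD5.hexdigest(api_key))
end

# Full header line, using the custom scheme name from the proposal.
def authorization_header(api_key)
  "Authorization: MarkusCustom #{derive_token(api_key)}"
end

# Server side: accept only the MarkusCustom scheme and return the token part,
# or nil for any other scheme (Basic, Digest, missing header, ...).
def parse_authorization(header_value)
  m = %r{\AMarkusCustom\s+([A-Za-z0-9+/=]+)\z}.match(header_value.to_s.strip)
  m && m[1]
end

# Constant-time string comparison so that the lookup does not leak how many
# leading characters of a presented token were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Lookup: `users` is an array of { name:, api_key: } hashes (constructed for
# this example). The server recomputes each user's token from the stored key
# and compares it with the presented one.
def authenticate(header_value, users)
  token = parse_authorization(header_value)
  return nil unless token
  users.find { |u| secure_equal?(derive_token(u[:api_key]), token) }
end

if __FILE__ == $0
  users = [
    { name: 'instructor1', api_key: generate_api_key },
    { name: 'ta1',         api_key: 'test' } # weak sample key, as in the post
  ]
  header = authorization_header(users[1][:api_key])
  puts header
  user = authenticate(header.sub(/\AAuthorization:\s*/, ''), users)
  puts "authenticated as #{user ? user[:name] : 'nobody'}"
end
```

Because the token is a fixed function of the key, the server can also store the derived token beside each key and look it up directly instead of recomputing per user; either way, anyone holding the token can authenticate as that user for as long as the key is unchanged, so it deserves the same handling on the client (TLS, not logged, not committed) as the key itself.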
Those are my thoughts so far. What do you think? Concerns? Am I on the wrong track? Thanks!