c# - Restful Login - proper implementation

Question

New to RESTful services but read a lot on the subject. Implementing in VS2010 C#

Similar (nearly identical) questions have been asked and answered here on stackoverflow, but honestly I learned nothing from the responses.

I want to implement an AuthenticatUser call where a username and password is sent and an authentication key is returned.

Given that this needs to be done with a GET, POST, PUT, OR DELETE, it seems the GET would be most appropriate.

So perhaps GET mydomain/myservice/authenticate/{username}/{password}

I don’t like this because the username and password is passed in the URI, but as I understand it is not a good idea to send a body in a GET. So a POST or PUT would work, but that seems to diverge from the RESTFul philosophy.

Question 1: Is it OK to send sensitive data like password in the URL? The site will use SSL.

Question 2: In GETs when there are multiple parameters being passed, it seems like the URI concept would get a bit crazy, how are complex queries supposed to be handled RESTfully?

Question 3: What is the preferred (normal, most common) method of authentication in a RESTful API?

Answer 1

It is not correct to pass password in url. I have done some research on this. Firstly you should use Basic Authentication over SSL if that is possible. In the Authentication header pass the userid and password. Now as far as rest is concerned the session is not maintained in server. So you need to pass user id and password for every call. It is risky to store the password in the local storage. Hence use a POST call for first time authentication and pass userid and password. Then on return of successful authentication the server returns a tokenkey and tokenvalue. tokenkey and tokenvalue are similar to Amazon private key share initially. From next request onwards send the tokenkey and sign your data using tokenvalue. Pass the tokenkey and signature everytime. On serverend, the server verifies the signature since it has a copy of tokenvalue. tokenkey and tokenvalue can be stored locally if possible encrypted. You cannot use the tokenkey and tokenvalue forever. Hence on each request the server sends a nonce in response. This nonce is stored in database in server end and changes for every request. When you send a request to server include this nonce. The nonce is formed using timestamp. If a request is sent say after 15 mins, the nonce is decrypted and timestamp is found to be more than 15 minutes and hence you redirect him to login page. Formation of Nonce is given in http://www.ietf.org/rfc/rfc2617.txt. Once the nonce is successfully validated this nonce is discarded and and a new nonce is now sent (formed again with latest timestamp). This will also help to prevent replay attack.