Solutions to web service client certificates/auth best practices

Question

I have a simple web service that has an API third party developers are allowed to access. The API mostly follows REST principles.

I'm interested in solutions to make the API more secure by requiring developers to use client certificates. Is there any open source solutions or other implementation advice any of you have that would assist in REST based APIs using user level certificates for auth?

Answer 1

My generic advice would be to keep your API separate from your authentication routines. Your web server should handle the interaction for you.

Solutions for your side of the client-certificate scenario are dependent on your environment. You haven't posted that here, but it seems a targeted Google search should give you an idea of what's necessary.

Since you're providing an API to other parties, you do have some consideration regarding environment support for those developers. You're doing well with a REST basis, and most programming environments are going to interoperate with those rather well.

Client certificate support is likely going vary in terms of support efficiency across environments, platforms, etc. Additionally, you're now affecting client-side implementation when you require certificates. This will almost certainly put you in a position of requiring you to support your customers and get them up and running with your API. That means familiarity with other languages, web servers, frameworks, etc.

Answer 2

The Python HTTP library supports client certificates, as does the urllib library that sits on top of it.