Basic Authentication (REST)

Hi Folks,

I’m sure you’ve been asked this before (I just can’t find any mention
of it) but…

…are there plans to move away from HTTP basic authentication for the
REST service (see http://www.freeagent.com/developers/freeagent-api)?
I’m a little uncomfortable sending my details as plain text.

Cheers,
Toby

Great.

Thanks for the tip RE the new API. I’ll check it out and am already
liking the json support :)On Jan 3, 5:02 pm, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

The wikipedia page you link to has the line:

“Although the scheme (HTTP Basic Authentication) is easily
implemented, it relies on the assumption that the connection between
the client and server computers is secure and can be trusted.
Specifically, if SSL/TLS is not used, then the credentials are passed
as plaintext and could be intercepted.”

As I said before you can only access the FreeAgent API (either
version) over HTTPS (also known as SSL or TLS) so the use of HTTP
Basic Authentication in this case is secure (not withstanding any bugs
which exist with various versions of SSL).

For your killer app, I’d recommend coding it for v2 of the APIhttps://staging.dev.freeagent.com/docsif you’re not planning to
launch it in the next couple of weeks. Do let us know what you’re
working on - we’re always curious!

Kind regards,

Graeme

On 3 January 2012 16:25, Toby toby.wes...@gmail.com wrote:

Hi,

Thanks for the note, from the docs I thought it was HTTP basic
authentication (as inhttp://en.wikipedia.org/wiki/Basic_access_authentication)
so although the connection is made over HTTPS, the initial handshake
requires plain text credentials.

Thanks for clearing it up, I’ll get cracking on my killer app now!

Cheers,
Toby

On Jan 3, 12:50 pm, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

Access to the FreeAgent API is always made over HTTPS so your login
details not sent in plain text. This makes the API as secure as the
web app.

Version 2 of our API is currently in beta and uses OAuth 2.0 for
client authentication which means in future users will not have to
share their login details with third party apps. Again, all
communication will be made over HTTPS. I hope this answers your
question.

Kind regards,

Graeme

On 3 January 2012 12:34, Toby toby.wes...@gmail.com wrote:

Hi Folks,

I’m sure you’ve been asked this before (I just can’t find any mention
of it) but…

…are there plans to move away from HTTP basic authentication for the
REST service (seehttp://www.freeagent.com/developers/freeagent-api)?
I’m a little uncomfortable sending my details as plain text.

Cheers,
Toby


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group athttp://groups.google.com/group/freeagent_api?hl=en.


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group athttp://groups.google.com/group/freeagent_api?hl=en.


Graeme Boyd
Senior Software Engineer
FreeAgent Central Ltd
40 Torphichen Street, Edinburgh EH3 8JB
Registered in Scotland SC316774

Hi Toby,

The wikipedia page you link to has the line:

“Although the scheme (HTTP Basic Authentication) is easily
implemented, it relies on the assumption that the connection between
the client and server computers is secure and can be trusted.
Specifically, if SSL/TLS is not used, then the credentials are passed
as plaintext and could be intercepted.”

As I said before you can only access the FreeAgent API (either
version) over HTTPS (also known as SSL or TLS) so the use of HTTP
Basic Authentication in this case is secure (not withstanding any bugs
which exist with various versions of SSL).

For your killer app, I’d recommend coding it for v2 of the API
https://staging.dev.freeagent.com/docs if you’re not planning to
launch it in the next couple of weeks. Do let us know what you’re
working on - we’re always curious!

Kind regards,

GraemeOn 3 January 2012 16:25, Toby toby.weston@gmail.com wrote:

Hi,

Thanks for the note, from the docs I thought it was HTTP basic
authentication (as in http://en.wikipedia.org/wiki/Basic_access_authentication)
so although the connection is made over HTTPS, the initial handshake
requires plain text credentials.

Thanks for clearing it up, I’ll get cracking on my killer app now!

Cheers,
Toby

On Jan 3, 12:50 pm, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

Access to the FreeAgent API is always made over HTTPS so your login
details not sent in plain text. This makes the API as secure as the
web app.

Version 2 of our API is currently in beta and uses OAuth 2.0 for
client authentication which means in future users will not have to
share their login details with third party apps. Again, all
communication will be made over HTTPS. I hope this answers your
question.

Kind regards,

Graeme

On 3 January 2012 12:34, Toby toby.wes...@gmail.com wrote:

Hi Folks,

I’m sure you’ve been asked this before (I just can’t find any mention
of it) but…

…are there plans to move away from HTTP basic authentication for the
REST service (seehttp://www.freeagent.com/developers/freeagent-api)?
I’m a little uncomfortable sending my details as plain text.

Cheers,
Toby


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group athttp://groups.google.com/group/freeagent_api?hl=en.


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/freeagent_api?hl=en.

Graeme Boyd
Senior Software Engineer
FreeAgent Central Ltd
40 Torphichen Street, Edinburgh EH3 8JB
Registered in Scotland SC316774

Hi Toby,

Access to the FreeAgent API is always made over HTTPS so your login
details not sent in plain text. This makes the API as secure as the
web app.

Version 2 of our API is currently in beta and uses OAuth 2.0 for
client authentication which means in future users will not have to
share their login details with third party apps. Again, all
communication will be made over HTTPS. I hope this answers your
question.

Kind regards,

GraemeOn 3 January 2012 12:34, Toby toby.weston@gmail.com wrote:

Hi Folks,

I’m sure you’ve been asked this before (I just can’t find any mention
of it) but…

…are there plans to move away from HTTP basic authentication for the
REST service (see http://www.freeagent.com/developers/freeagent-api)?
I’m a little uncomfortable sending my details as plain text.

Cheers,
Toby


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/freeagent_api?hl=en.

Hi,

Thanks for the note, from the docs I thought it was HTTP basic
authentication (as in http://en.wikipedia.org/wiki/Basic_access_authentication)
so although the connection is made over HTTPS, the initial handshake
requires plain text credentials.

Thanks for clearing it up, I’ll get cracking on my killer app now!

Cheers,
TobyOn Jan 3, 12:50 pm, Graeme Boyd graeme.b...@freeagent.com wrote:

Hi Toby,

Access to the FreeAgent API is always made over HTTPS so your login
details not sent in plain text. This makes the API as secure as the
web app.

Version 2 of our API is currently in beta and uses OAuth 2.0 for
client authentication which means in future users will not have to
share their login details with third party apps. Again, all
communication will be made over HTTPS. I hope this answers your
question.

Kind regards,

Graeme

On 3 January 2012 12:34, Toby toby.wes...@gmail.com wrote:

Hi Folks,

I’m sure you’ve been asked this before (I just can’t find any mention
of it) but…

…are there plans to move away from HTTP basic authentication for the
REST service (seehttp://www.freeagent.com/developers/freeagent-api)?
I’m a little uncomfortable sending my details as plain text.

Cheers,
Toby


You received this message because you are subscribed to the Google Groups “FreeAgent API” group.
To post to this group, send email to freeagent_api@googlegroups.com.
To unsubscribe from this group, send email to freeagent_api+unsubscribe@googlegroups.com.
For more options, visit this group athttp://groups.google.com/group/freeagent_api?hl=en.