The Shared API Team's evolving views on API Authentication and Authorization issues can be found on this page.

Proposal From Discussion on 16 Apr 2014 Call

The Framework should require certain characteristics, such as

  1. Identification of end points (at least server, perhaps client)
  2. Confidentiality of data (eg: SSL)

APIs may implement protocols suitable for their specific bindings so long as they are compliant with the Framework requirements.

Additionally, the Framework may define certain mechanisms as explicitly compliant, such as

  1. Basic auth over HTTPS
  2. Client side certificates via HTTPS
  • No labels