[ARIN-consult] Consultation on API Key Handling
John Curran
jcurran at arin.net
Fri Aug 9 09:44:49 EDT 2024
On Aug 8, 2024, at 7:48 PM, Jo Rhett <geek at jorhett.com> wrote:
> There's no reason to build something raw and native. There are dozens of robust, well-tested security frameworks for authentication that are implemented by every platform and language already. OAuth 2, JWT, OpenID Connect, ...
> Yes, those align with (but are greater than) plaintext headers. Don't go creating a unique model unless none of the well-established, widely used frameworks won't meet the needs.
Jo -
Interesting thoughts - this consultation primarily focuses on whether ARIN should improve key handling for its existing deployed APIs, but you raise some excellent questions.
To be clear, you’re advocating for ARIN to switch its API authentication towards a more common and accepted authentication framework (e.g. OAuth 2) rather than investing in improving the key handling for the existing RESTful APIs? If that’s the case, are you recommending that the existing support for key-based API authentication be deprecated, or simply maintained as-is?
Thanks!
/John
John Curran
President and CEO
American Registry for Internet Numbers