I'm building a REST API using PHP 5.4 and I'm putting in my own custom auth library. I'm closely following the format that 2-legged OAuth uses. (ref: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)
Following this spec I have several pieces of metadata that need to be sent with each request so that I can securely authenticate the user.
- AppId -> This is to verify who is sending the request. Also to know which secret key to use to generate the HMAC checksum server side.
- Timestamp -> This is to deal with replay attacks.
- Checksum -> This is an HMAC hash to make sure the request wasn't tampered with.
- AccessToken -> Would be used with every request after the initial authentication.
I was just wondering what would be the best practice for sending all this metadata?
I was thinking of creating custom headers and sending this stuff in there. This way I could separate this data from the actual parameters the function needs, but I'm not sure that's the best practice.
Ex: MY-API-APP-ID: 243242, MY-API-TIMESTAMP: 123123123, etc.
Or
Should all these things just be passed as parameters with every request?
What about GET methods, should they just be placed in the query string? (?timestamp=12312312&appId=123123...)
Thanks!
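As an added illustration of how the header-based variant fits together (this is not the asker's code, and it is written in Python rather than PHP so the logic is easy to read), the client signs a canonical string covering method, path, sorted query, timestamp, app id and a body hash, and the server re-derives it, checks the timestamp window and compares the checksum in constant time. The header names MY-API-APP-ID and MY-API-TIMESTAMP are the ones from the question; MY-API-CHECKSUM, the secret store and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample credential store: app id -> shared secret (assumption).
SECRETS = {"243242": b"constructed-secret-for-app-243242"}
MAX_SKEW = 300  # seconds a request timestamp may differ from server time

def canonical_string(method, path, query, timestamp, app_id, body):
    """Bytes the HMAC covers: every field the server has to trust.
    Query params are sorted so client and server build the same string
    regardless of the order they were sent in."""
    q = "&".join("%s=%s" % (k, v) for k, v in sorted(query.items()))
    return "\n".join([method.upper(), path, q, str(timestamp), app_id,
                      hashlib.sha256(body).hexdigest()]).encode()

def sign(method, path, query, body, app_id, secret, timestamp):
    """Client side: build the auth headers for one request."""
    msg = canonical_string(method, path, query, timestamp, app_id, body)
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"MY-API-APP-ID": app_id,
            "MY-API-TIMESTAMP": str(timestamp),
            "MY-API-CHECKSUM": mac}

def verify(method, path, query, body, headers, now):
    """Server side: returns (ok, reason). `now` is the server clock."""
    app_id = headers.get("MY-API-APP-ID", "")
    secret = SECRETS.get(app_id)
    if secret is None:
        return False, "unknown app id"
    try:
        ts = int(headers.get("MY-API-TIMESTAMP", ""))
    except ValueError:
        return False, "bad timestamp"
    # Timestamp window limits replay; a per-request nonce cache would be
    # needed to stop replays inside the window.
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    msg = canonical_string(method, path, query, ts, app_id, body)
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, headers.get("MY-API-CHECKSUM", "")):
        return False, "checksum mismatch"
    return True, "ok"
```

In PHP 5.4 the equivalent pieces are hash_hmac() for the signature and a hand-written constant-time comparison, since hash_equals() only arrived in PHP 5.6.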