Authentication Scheme for REST

  • Luigi Lo Iacono
  • Hoai Viet Nguyen
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 523)


REST has been established as an architectural style for designing distributed hypermedia systems. With an increased adoption in Cloud and Service-oriented Computing, REST is confronted with requirements not having been central to it so far. Most often the protection of REST-based service systems is, e.g., solely ensured by transport-oriented security. For mission-critical enterprise applications securing data in transit only, is, however, not a sufficient safeguard. This introduces a vital demand for REST Security, which is currently an active research and development topic, focusing on one specific instantiation of REST merely, though, namely on HTTP.

This paper augments REST by an authentication scheme, while remaining on the same level of abstraction as the architectural style itself. The introduced authentication scheme for REST is then mapped to HTTP. Based on this concrete instantiation, an empirical study is conducted in order to analyse the current state of the art in authentication techniques for REST-ful HTTP. The developed scheme and its HTTP instantiation in particular offer a methodical framework for assessing and comparing the available work, which shows to be incompatible and incomplete in terms of the provided protection. Moreover, this generic authentication scheme can be used to deduce other concrete means related to existing and upcoming technologies for implementing REST-based systems.


REST REST security Authentication 


  1. 1.
    Authentication for the Azure Storage Services (2014).
  2. 2.
    HP Helion Public Cloud Object Storage API Specification (2014).
  3. 3.
    Migrating from Amazon S3 to Google Cloud Storage (2014).
  4. 4.
    Signing AWS Requests By Using Signature Version 4 (2014).
  5. 5.
    The Heartbleed Bug (2014).
  6. 6.
    Berners-Lee, T., Fielding, R., Masinter, L.: Uniform Resource Identifier (URI): Generic Syntax. RFC 3986, IETF (2005).
  7. 7.
    Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.Y.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: 35th IEEE Symposium on Security and Privacy (S&P) (2014)Google Scholar
  8. 8.
    Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., Yergeau, F.: Extensible Markup Language (XML) 1.0, 5th edn. Recommendation, W3C (2008).
  9. 9.
    Cavage, M., Sporny, M.: Signing HTTP Messages. Internet-draft, IETF (2014).
  10. 10.
    Crockford, D.: The application/json Media Type for JavaScript Object Notation (JSON). RFC 4627, IETF (2006).
  11. 11.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, IETF (2008).
  12. 12.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616, IETF (1999).
  13. 13.
    Fielding, R.: Architectural styles and the design of network-based software architectures. Ph.D. thesis, University of California, Irvine (2000). fielding/pubs/dissertation/top.htm
  14. 14.
    Fielding, R.: REST APIs must be hypertext-driven (2008).
  15. 15.
    Gorski, P., Lo Iacono, L., Nguyen, H.V., Torkian, D.B.: Service security revisited. In: 11th IEEE International Conference on Services Computing (SCC) (2014)Google Scholar
  16. 16.
    Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.J., Nielsen, H.F., Karmarkar, A., Lafon, Y.: SOAP Version 1.2 Part 1: Messaging Framework, 2nd edn. W3C Recommendation, W3C (2007).
  17. 17.
    Hammer-Lahav, E.: The OAuth 1.0 Protocol. RFC 5849, IETF (2010).
  18. 18.
    Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749, IETF (2012).
  19. 19.
    Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Navara, E.D., O’Connor, E., Pfeiffer, S.: HTML5 - A vocabulary and associated APIs for HTML and XHTML. Recommendation, W3C (2014).
  20. 20.
    IETF JOSE Working Group: Javascript Object Signing and Encryption (JOSE) (2014).
  21. 21.
    Jones, M.: JSON Web Algorithms (JWA). Internet-draft, IETF (2015).
  22. 22.
    Jones, M., Bradley, J., Sakimura, N.: JSON Web Signature (JWS). Internet-draft, IETF (2015).
  23. 23.
    Josefsson, S.: The Base16, Base32, and Base64 Data Encodings. RFC 4648, IETF (2006).
  24. 24.
    Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., Tews, E.: Revisiting SSL/TLS implementations: new bleichenbacher side channels and attacks. In: 23rd USENIX Security Symposium (USENIX Security) (2014)Google Scholar
  25. 25.
    Richer, J., Bradley, J., Tschofenig, H.: A Method for Signing an HTTP Requests for OAuth. Internet-Draft, IETF (2014).
  26. 26.
    Richer, J., Mills, W., Tschofenig, H.: OAuth 2.0 Message Authentication Code (MAC) Tokens. Internet-Draft, IETF (2014).
  27. 27.
    Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C.: OpenID Connect Core 1.0. Specification, OpenID Foundation (2014).
  28. 28.
    Serme, G., De Oliveira, A.S., Massiera, Julien, R.Y.: Enabling message security for RESTful services. In: 19th IEEE International Conference on Web Services (ICWS) (2012)Google Scholar
  29. 29.
    Shelby, Z., Hartke, K., Borman, C.: The Constrained Application Protocol (CoAP). RFC, IETF (2014).
  30. 30.
    W3C: XML Security Working Group (2013).

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Cologne University of Applied SciencesCologneGermany

Personalised recommendations