I’m currently writing a REST API that uses 2-legged OAuth
(For those who are interested, the web service is here:
Our application servers are currently doing the heavy lifting for
authentication and I figured moving this into the web server would save
us a lot of time on each application server.
The design is to do basic signature checking and facilitate a
configurable timestamp check to forbid requests > T minutes difference
from the server’s clock (in UTC). Optionally, even have it do nonce
checking as well. Although I have to say I’m very scared about playing
with the Nginx memory structures at this point, I’m willing to try if
someone points the way…
However, even if we don’t do nonce checking, the idea would be that
perhaps it’s better for some app servers to do that themselves and know
that if the nonce is unique the request is valid. Even this partial
checking would be a huge time savings to application servers.
I have a basic version of this built and working right now (and yes,
it’s way faster), but still have some work left to go.
I have two questions:
- Is there anything I’m overlooking?
- Would this be interesting to anyone besides us? If there is
deemed to be sufficient interest, we can most likely make it available
to the community.
Posted at Nginx Forum:
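As an added example (not the poster's module and not Nginx code), the three checks the post describes in Python, assuming the signatures are OAuth 1.0a HMAC-SHA1 two-legged (consumer key and secret only, no token) and using a constructed consumer secret: signature check, a timestamp window of T seconds, and a per-consumer nonce replay cache that is only written after the signature verifies, so unauthenticated requests cannot fill it.

```python
import hmac, hashlib, base64, time
from urllib.parse import quote

# Constructed demo credential; a real deployment reads these from a key store.
CONSUMER_SECRETS = {"demo-consumer": "demo-secret"}

def _pct(s):
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="~")

def signature_base_string(method, base_url, params):
    # Normalise parameters: encode, sort by key then value, drop oauth_signature.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(norm)])

def hmac_sha1_signature(method, base_url, params, consumer_secret):
    # Two-legged: no token secret, so the HMAC key is "<consumer_secret>&".
    key = (_pct(consumer_secret) + "&").encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

class Verifier:
    def __init__(self, secrets, window_seconds=300, now=time.time):
        self.secrets = secrets
        self.window = window_seconds  # the "T minutes" tolerance, in seconds
        self.now = now
        self.seen = {}  # (consumer_key, nonce) -> timestamp; replay cache

    def verify(self, method, base_url, params):
        secret = self.secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unknown_consumer"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return "bad_timestamp"
        now = self.now()
        if abs(now - ts) > self.window:
            return "stale"
        expected = hmac_sha1_signature(method, base_url, params, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad_signature"
        # Prune nonces older than the window: anything that old is rejected as stale anyway,
        # so the cache stays bounded by traffic volume within T.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.window}
        nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce", ""))
        if nonce_key in self.seen:
            return "replay"
        self.seen[nonce_key] = ts
        return "ok"
```

The ordering is deliberate: the nonce cache is touched only after the signature passes, and the timestamp window is enforced before the cache is consulted, which is what makes the cache prunable.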