OPeNDAP authentication

I just read this interesting article about authentication and APIs. The author recommends not using HTTP Basic authentication for APIs, since it can be easily eavesdropped, and suggests that if you want to use HTTP instead of HTTPS there's a good compromise between security and implementation called HMAC-SHA:

"Essentially the request is hashed with as shared secret as a key, a nice side effect of this is you can add in the time of the request as a parameter, thereby sending a different signature each time, making it possible to expire keys, and prevent replay attacks."

Lately I've been thinking again about authentication for OPeNDAP clients, and how would it be possible to secure access to private datasets at Marinexplore. One problem here is that there are many different implementations of OPeNDAP clients (like R, Matlab, or Ferret), over which we have no control. These applications use libraries like libdap to handle the connection, and usually the only way of authenticating is by adding the credentials to the URL in the form http://{username}:{password}@example.com/dataset.

There are two reasons why I don't like this solution. First, if the server supports only HTTP Basic the credentials will be sent unencrypted without any warning, and the only way to know if HTTP Digest is supported is by checking the server headers -- not something most users would do. But more importantly, since we don't know the user's password it's not possible to display a URL that can be copied and pasted for OPeNDAP access. Instead, we need to show the URL and instruct the user to insert his password, which he likely forgot.

The solution we use is to create for each user an OPeNDAP token that is included in the dataset URL path. This allows the URL to be copied and pasted, and allows the URL to be shared between users. And if the URL falls into wrong hands it's possible to revoke the OPeNDAP token and get a new one. An important detail is that the token has to be in the URL path, not in the query string, since you can not specify additional parameters in the URL in most clients (Pydap is an exception).

Reading the HMAC-SHA authentication article I wondered if we could use it for our datasets, by creating the signatures on the website with a long expiration for the timestamps. But HMAC-SHA also has the problem that it requires additional arguments to be added to the query string, so it doesn't work with most of the available clients.