Help with API security and ideology
#2

yacman:
Greg,
I would take a look at other APIs out there that have been created by companies like Google and Microsoft, and see how their authentication patterns work. This can serve as a template.

About 5 years ago everyone was about using sets of keys to enable a permanent API connection between server and client. Today, most API services use sessions to generate new keys whenever a client wishes to use the API. These keys are associated with a user one time, then expire after a set period so they can be re-used.

You'd want to have a Token which represents your client, and then a session token which is validated on every call.

You can easily overload the RestController methods to implement session based connections. (Look at where it validates the Key).

The next thing you want is to hook up generating an API key whenever a user is created. This is their Client Key.

When a client wishes to connect via the API, their application must:
Call and fetch a session ID using their Client Key and a Client password.
This is authenticated, and a Session ID is generated and returned to the client.

Session IDs and client IDs should be passed via http headers.

On successive calls, the Client includes both their client Key and Session Key. These values must be checked on every request to the API to associate who, and if they currently have access.

Also take a look at the RestController's security implementation on Key Levels. These can help you protect specific methods.

Look at what's out there though, security patterns are changing all the time.
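A minimal server-side sketch of the flow described above (client key issued at registration, password exchanged for a short-lived session ID, both headers checked on every request) as an added example; it is not the forum poster's code nor CodeIgniter's RestController. The header names, the 15-minute TTL and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900  # seconds; assumed value for this example


class ApiAuth:
    """Toy in-memory store: client keys -> password hash, session IDs -> (client_key, expiry)."""

    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested deterministically
        self.clients = {}        # client_key -> (salt, pbkdf2 digest)
        self.sessions = {}       # session_id -> (client_key, expires_at)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_client(self, password):
        # Generate the client key at user-creation time; store only a salted hash of the password.
        client_key = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        self.clients[client_key] = (salt, self._hash(salt, password))
        return client_key

    def open_session(self, client_key, password):
        # Step 1: client presents key + password and receives a fresh, random session ID.
        record = self.clients.get(client_key)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, self._hash(salt, password)):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (client_key, self.now() + SESSION_TTL)
        return session_id

    def authenticate(self, headers):
        # Step 2: every call carries both headers (assumed names); the session must exist,
        # belong to the presented client key, and not be expired. Returns the client key or None.
        client_key = headers.get("X-Client-Key")
        session_id = headers.get("X-Session-Id")
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        owner, expires_at = entry
        if owner != client_key:
            return None                      # session was issued to a different client
        if self.now() >= expires_at:
            del self.sessions[session_id]    # expired: purge it and force re-authentication
            return None
        return owner
```

Session IDs are looked up, never derived from the client key, so a stolen client key alone does not grant access once its sessions have expired.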


Messages In This Thread
Help with API security and ideology - by El Forum - 09-14-2012, 10:51 AM
Help with API security and ideology - by El Forum - 09-14-2012, 11:10 AM
Help with API security and ideology - by El Forum - 09-14-2012, 11:13 AM


