Secure RESTful web service using Symfony2

Question

We are in the process of planning an iOS application in which users will need to be authenticated and authorized before they can interact with data provided by a Symfony2 web service.

Authorization will be implemented with ACLs, it's the authentication I'm not sure about.

From what I found in my research, there are a few ways to achieve the authentication part, but since there won't be any third parties accessing the data it sounds like basic HTTP authentication paired with a SSL certificate is the way to go. Is this correct?

Additionally, is a simple username and password secure enough, or is it better to add some sort of API key for identification?

If a key is needed and considering our users will be part of a group, should a key be bound to every user individually or to the group as a whole?

Finally, and slightly off topic, Symfony2 has FOSRestBundle, is there a defacto REST library for iOS?

Answer 1

For securing REST applications in symfony the FOSOAuthServerBundle is very useful. With it you can implement easy OAuth authentication for your app. OAuth is de facto standard for securing REST web services.

Answer 2

As https/ssl is pretty secure you can go for basic http authentication and/or the api key solution.

Wether to use a key and/or username/password is your personal choice. If somehow requests can be catched in cleartext either one is compromised.

Keys in addition to username/password auth can have the advantage of seperating i.e. user contingents.

Basic http authentication is mostly used, therefore the chance of your client having already available methods to integrate it from his side are high.

You should always give out unique keys or username/passwords to every user in order to be able to log who did exactly what.

I'm not that much into iOS, sorry.