I'm building a non-browser client-server (XULRunner-CherryPy) application using HTTP for communication. The area I'm pondering now is user authentication. Since I don't have substantial knowledge in security I would much prefer using tried-and-tested approaches and ready-made libraries over trying to invent and/or build something myself.
I've been reading a lot of articles lately and I can say all I have been left with is a lot of frustration, most of which contributed by this and this blog posts.
What I think I need is:
So the question is: what are the modern (headache-free preferrably) techniques and/or libraries that implement this? (No sensitive information, like credit card numbers, will be stored).
I've been looking at OAuth and they have a new revision which they strongly recommend to use. The problem is the docs are still in development and there are no libraries implementing the new revision (?).
After a lot of poking around and trying to write my own prototype based on Amazon S3 design which (I thought) was pretty secure, I found this excellent website which has answers to all my questions, an Enterprise Security API Toolkit, and much, much more: OWASP.