REST – Why REST Service Security Is Needed with HTTPS

I refer to this excellent article http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ which speaks of Amazon-like security for web services. However, I was asked a question in the team of why we need it if we already use HTTPS. I was unable to answer, as it really seems to me they may be right, although my gut tells me otherwise.

Also, are there places when providing REST services where HTTPS may not work? Like 3rd party websites?

If anyone has experience in securing Web Services over the public interwebs please shed some light with your experience.

Thanks in advance.

EDIT: To clarify, I am not speaking of user authentication but more of client authentication. The user authentication can be assumed to be plain text over HTTPS + REST.

My worry is that this still allows anyone to use the web service without my client: since everything is plain text, although over HTTPS, another client endpoint can still use my web service without the client application.

Best Answer

Why do we need to give Gmail, or any other site with user accounts, our username and password if it's already using HTTPS? The answer is the same as the answer to your question.

HTTPS provides, first and foremost, an encrypted connection between the server and the client.

The trust inherent in HTTPS is based on major certificate authorities that come pre-installed in browser software (this is equivalent to saying "I trust certificate authority (e.g. VeriSign/Microsoft/etc.) to tell me whom I should trust").

Unless the server gives each user a certificate, the server can't trust the client without some other method of authentication.
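An added example (not from the question, the answer, or the linked article) of the "other method of authentication" the answer refers to: each request is signed with a per-client shared secret using HMAC, in the style of the Amazon-like scheme the question mentions, and the server verifies the signature and a timestamp window so that a captured request cannot simply be replayed later. The header names, API key and secret are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample credentials: API key -> shared secret. In a real
# deployment these come from a secret store, never from source code.
CLIENT_SECRETS = {"demo-key-123": b"constructed-shared-secret"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too new


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and body into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(api_key, secret, method, path, body, timestamp):
    """Client side: produce the auth headers for one request."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers, method, path, body, now):
    """Server side: True only if the request came from a known client,
    is within the allowed clock skew, and was not altered in transit."""
    secret = CLIENT_SECRETS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = b'{"qty": 1}'
    hdrs = sign_request("demo-key-123", CLIENT_SECRETS["demo-key-123"],
                        "POST", "/orders", body, 1700000000)
    print("valid:", verify_request(hdrs, "POST", "/orders", body, 1700000010))
    print("tampered body:", verify_request(hdrs, "POST", "/orders", b'{"qty": 2}', 1700000010))
    print("replayed later:", verify_request(hdrs, "POST", "/orders", body, 1700001000))
```

The signature travels inside the TLS channel, so HTTPS still protects it from eavesdroppers; the HMAC adds what TLS alone does not give the server, namely evidence of which client sent the request.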
