What is the best approach for user authentication?

I am writing to seek some advice on which method to use for building user authentication between two web services. Methods: Hash, Token, OAuth.

Client A would send user credentials to Client B's login page (classic ASP), and then Client B would authenticate the users against their database system; if the user is authenticated, Client B would redirect the response with the user's credentials back to Client A.

I am assuming Client A would be sending the user credentials through some kind of web-service.

I am a little unsure which approach to choose for creating a secure pass for user credentials between two clients.

Thanks in advance.

Whichever you pick, if they are sending this information over the internet, i.e., not in some private network, I would make sure the two servers are connecting using SSL [1], to make eavesdropping harder.

As for the security methods, tokens are the least secure of your suggestions. If a hacker ever gets his hands on a token, they can send that along with any request they can think of, and the receiving party will just do what was asked.

Hashes are a little bit better, because a hacker cannot just take a hash from any request and form their own request. They would have to see a lot of requests to be able to make a guess at what the shared secret is. Of course, here you should make sure that the shared secret is strong (lots of characters, no dictionary words, etc.), and that the hashing algorithm is also strong. For example, MD5 is not going to cut it here; better take something like SHA-256. However, what a hacker can do with hashed requests if they get their hands on them is replay them, i.e., send them again. For example, say there is a call from A to B indicating a user has deposited money: a hacker who has just deposited money and gets to see the message from A to B can send this message over and over, getting more money every time.

Which leaves us with OAuth, the strongest of your three suggestions, because there is no single token a hacker can obtain to sign their own requests, and by design replay is impossible as well.

In conclusion, get the hosts to talk over SSL, and use OAuth.

[1] Make sure not to use SSLv3, as that's been compromised. TLSv1 is also not the best idea. To be safe, go with either TLSv1.1 or TLSv1.2 with a certificate that is signed with SHA-256 (most providers offer those nowadays).
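The replay weakness of plain hashed requests described in the answer above, shown as an added example (not code from the original thread): each request is signed with HMAC-SHA256 over a shared secret plus a timestamp and a fresh nonce, and the receiver rejects tampered, stale, and repeated messages. The secret value and the message fields are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret shared by both services; a real deployment uses a long random value.
SHARED_SECRET = b"constructed-demo-secret-use-a-long-random-value"
MAX_SKEW_SECONDS = 300  # freshness window for the timestamp check


def canonical(payload, timestamp, nonce):
    """Build the exact byte string both sides sign: fixed field order, deterministic JSON."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}\n{nonce}\n{body}".encode()


def sign_request(payload, secret=SHARED_SECRET, now=None):
    """Sender (service A): attach a timestamp, a random nonce and an HMAC-SHA256 tag."""
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, canonical(payload, timestamp, nonce), hashlib.sha256).hexdigest()
    return {"payload": payload, "timestamp": timestamp, "nonce": nonce, "tag": tag}


class Verifier:
    """Receiver (service B): checks the tag, the freshness window and rejects reused nonces."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self.seen_nonces = {}  # nonce -> timestamp, pruned to the freshness window

    def verify(self, request, now=None):
        now = int(now if now is not None else time.time())
        ts, nonce = request["timestamp"], request["nonce"]
        expected = hmac.new(self.secret, canonical(request["payload"], ts, nonce),
                            hashlib.sha256).hexdigest()
        # constant-time comparison so the tag check does not leak timing information
        if not hmac.compare_digest(expected, request["tag"]):
            return "bad signature"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale timestamp"
        # forget nonces older than the window; anything older already fails the skew check
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen_nonces:
            return "replay"  # the deposit message from the example, sent a second time
        self.seen_nonces[nonce] = ts
        return "ok"
```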
