September 08, 2009 08:25PM
Hello -

I'm currently writing a REST API that uses 2-legged OAuth authentication.

(For those who are interested, the web service is here: http://bcws.brightcloud.com).

Our application servers are currently doing the heavy lifting for authentication, and I figured moving this into the web server would save us a lot of time on each application server.

The design is to do basic signature checking and facilitate a configurable timestamp check to forbid requests > T minutes difference from the server's clock (in UTC). Optionally, even have it do nonce checking as well. Although I have to say I'm very scared about playing with the Nginx memory structures at this point, I'm willing to try if someone points the way... :)

However, even if we don't do nonce checking, the idea would be that perhaps it's better for some app servers to do that themselves and know that if the nonce is unique the request is valid. Even this partial checking would be a huge time savings to application servers.

I have a basic version of this built and working right now (and yes, it's way faster), but still have some work left to go.

I have two questions:
1. Is there anything I'm overlooking? :)
2. Would this be interesting to anyone besides us? If there is deemed to be sufficient interest, we can most likely make it available to the community.

Regards,

Chris
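As an added illustration of the checks the post outlines (signature verification, a configurable timestamp window, and nonce tracking), the following Python is example code written for this page; it is not code from the original post or from the module the author is building. It implements 2-legged OAuth 1.0 HMAC-SHA1 verification per RFC 5849, with the consumer-key table, the request URL, the clock value and the in-memory nonce set all constructed for the example. The signature is checked before the nonce is recorded, so a forged request cannot burn a legitimate client's nonce.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding keeping only unreserved chars, as OAuth 1.0 requires."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Build the OAuth 1.0 signature base string (RFC 5849 section 3.4.1).

    params: oauth_* protocol parameters from the Authorization header;
    query-string parameters are taken from the URL. Form-encoded body
    parameters would be merged in the same way if the API accepted them.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    all_params = list(parse_qsl(parts.query, keep_blank_values=True))
    all_params += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    # Encode first, then sort by encoded key and value, as the spec specifies.
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; token_secret is empty for 2-legged OAuth."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def parse_auth_header(header):
    """Parse 'OAuth k="v", k2="v2"' into a dict, decoding percent-encoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        if k and k != "realm":
            out[k] = unquote(v.strip('"'))
    return out


def build_auth_header(method, url, consumer_key, consumer_secret, timestamp, nonce):
    """Client side: produce the Authorization header a caller would send."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


class Verifier:
    """Server side: signature check, timestamp window, then nonce uniqueness."""

    def __init__(self, secrets, window_seconds, now=time.time):
        self.secrets = secrets          # consumer_key -> consumer_secret (constructed table)
        self.window = window_seconds    # the configurable T from the post, in seconds
        self.now = now                  # injectable clock so the example is deterministic
        self.seen = set()               # (consumer_key, timestamp, nonce); a real deployment
                                        # needs a shared store that expires entries after T

    def verify(self, method, url, auth_header):
        p = parse_auth_header(auth_header)
        required = ("oauth_consumer_key", "oauth_signature_method",
                    "oauth_signature", "oauth_timestamp", "oauth_nonce")
        for name in required:
            if name not in p:
                return False, f"missing {name}"
        if p["oauth_signature_method"] != "HMAC-SHA1":
            return False, "unsupported signature method"
        secret = self.secrets.get(p["oauth_consumer_key"])
        if secret is None:
            return False, "unknown consumer key"
        try:
            ts = int(p["oauth_timestamp"])
        except ValueError:
            return False, "bad timestamp"
        if abs(self.now() - ts) > self.window:
            return False, "timestamp outside window"
        expected = sign(method, url, p, secret)
        if not hmac.compare_digest(expected, p["oauth_signature"]):
            return False, "bad signature"
        replay_key = (p["oauth_consumer_key"], ts, p["oauth_nonce"])
        if replay_key in self.seen:
            return False, "replayed nonce"
        self.seen.add(replay_key)
        return True, "ok"
```

The `Verifier` returns a reason string so the web server can log why a request was rejected, and the `now` argument lets the timestamp window be tested without touching the system clock.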
Any interest in an OAuth module for Nginx?
ckharris, September 08, 2009 08:25PM