API Design: HTTP Basic Authentication vs API Token

I am currently creating an authentication system in front of a public web API for a web application. Given that each user account has an API key, and each request must be authenticated, I have two alternatives:

  • Using basic HTTP authentication, like GitHub does.

    Requests must be sent to the URL

    http://api.example.com/resource/id

    with basic authentication, username: token, password: the API key.
  • Passing an API token as a querystring parameter.

    Requests must be sent to the URL

    http://api.example.com/resource/id?token=api_key

There is also a third option that passes the token to the URI, but I honestly don't like this solution.

What decision would you make and why?

+44
authentication api architecture basic-authentication
Feb 11 2018-11-11T00:
4 answers

I think HTTP Basic Auth should be fine, but just for really simple needs.

The complete (and final) IMHO solution is to implement the OAuth provider. It is not complicated, it is a simple protocol and gives you great flexibility. In addition, this seems to be the current trend, as many major players are implementing it, and it is supported by many libraries.

+11
Feb 11 2018-11-11T00:

A better bet might be to use the API key in the header (for example, "Login: MY_API_KEY token") instead of the URL parameter:

Advantages over HTTP Basic Auth:

  • More convenient, since you can easily complete or regenerate tokens without affecting the password of the user account.
  • If compromised, the vulnerability is limited to the API and not the main user account.
  • You can have several keys for each account (for example, users can have "test" and "production" sides nearby.)

Benefits of API Key in URL:

  • Provides an additional security measure by preventing users from unintentionally sharing URLs with their credentials embedded in them. (In addition, the URL may end up in things like server logs.)

+27
Dec 24 '13 at 2:33
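As an added illustration, not code from the question or from any of the answers, here is how a server could accept both schemes discussed so far: the GitHub-style Basic form with username `token` and the API key as the password, and the header-carried token the answer above recommends. The key store, key values and account names are constructed for the example; keys are stored as digests and compared in constant time.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed key store (hypothetical data): SHA-256 digest of each API key
# -> (account, environment). Storing digests means a leaked table does not
# hand out usable credentials; several keys per account are possible.
API_KEYS: Dict[str, Tuple[str, str]] = {
    hashlib.sha256(b"k3y-for-alice-test").hexdigest(): ("alice", "test"),
    hashlib.sha256(b"k3y-for-alice-prod").hexdigest(): ("alice", "production"),
}


def lookup_key(api_key: str) -> Optional[Tuple[str, str]]:
    """Resolve a presented key to its account, or None if unknown."""
    digest = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    for stored, account in API_KEYS.items():
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(stored, digest):
            return account
    return None


def basic_header(user: str, password: str) -> str:
    """Build the client-side value for 'Authorization: Basic ...'."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Authenticate a request from its headers.

    Accepts 'Authorization: Basic <base64(token:API_KEY)>' (username must be
    the literal 'token') or 'Authorization: Token <API_KEY>'. Anything else,
    including a malformed Basic value, is rejected.
    """
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep or user != "token":
            return None
        return lookup_key(password)
    if scheme == "token":
        return lookup_key(value.strip())
    return None
```

Because the key travels only in the Authorization header, it stays out of the request line that access logs and browser history record, which is the concern raised about the query-string variant.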

Many times I had to think about how to authenticate users / API requests and after comparing more solutions I ended up using Amazon solution where I do not need it or I can not use OAuth. This solution is based on signatures that prevent people in the middle problems as Basic Auth and pass a simple token by sending text data. Yes, you can add ssl, but this will add complexity to the system ...

+15
Nov 23 '11 at 3:12

I would rather use a token solution. If you do not have actual users with their own username and password, then it seems that you are using the Basic Auth construct not as intended. Not that it was necessarily wrong, but not so clean, IMO. It also eliminates the need for custom headers, and I think it makes implementing on both sides easier and cleaner. The next question I would like to ask is whether to use two-factor authentication or even manage sessions.

+1
Oct 10 '12 at 19:34