20
What is and how Basic Auth works?
In which scenarios it should be used?
It is safe to use it currently, since we already have Oauth and Oauth2, among other more modern forms of authentication?
2 answers
18
What is?
Basic Authentication is the most common authentication system of the HTTP protocol. It is included in header HTTP request in this way:
Authorization: Basic {credenciais em base 64 no formato usuário:senha}
Remember that the Base 64 is a coding scheme and not encryption. So, you MUST use it only with an HTTPS (TLS) connection. The use of Base 64 is due to mime pattern.
Workflow
The authentication scheme works like this: the server responds to the client’s HTTP code 401 (Unauthorized) and with a header WWW-Authenticate, which gives information on how to authenticate. The client sends the request with the header authentication, shown above. If your credentials are correct, you will receive a different response from 403 (Forbidden).
Security
Basic Auth in HTTPS (TLS) is good, but not 100% safe. Its use will depend on the level of risk of the data you are transiting. Note that with each request you will be sending credentials. Authentication can be permanently stored in the browser if required by the user (very hard to happen when it comes to Restful Apis).
There are several actions to be taken to increase the security of your service. I’m not going to stretch, but highlight one point: generate API keys that are not broken easily. Take a look in the Uuids.
When to use?
Only you can analyze this. What is the level of secrecy of data in transit via HTTP? If it’s high, maybe it’s worth investing in another authentication scheme.
A great advantage of Basic Auth is simplicity. For both the client and the server. This will accelerate development to both sides.
Use authentication schemes more modern, as Oauth and Oauth2 bring their advantages, but one has to analyze the real need.
- You’re carrying classified data? Maybe your option isn’t Oauth or Oauth2. How much security you need?
- A simple and quick implementation scheme solves your problem? Basic Auth looks good.
- Needs features such as authentication by other services? The Oauth brings this and may be the option.
I’ll leave some links that may help in choosing:
7
Basic authentication, or in English basic Authentication is a simple authentication scheme embedded in the HTTP protocol.
Client sends HTTP requests with the authorization header Authorization containing the word Basic followed by a space and a user name and password in plain text separated by two dots (:) using Base64.
For example, to authorize the user as a demonstration test password-protected @55w0rd, the customer would send in the request:
Authorization: Basic dGVzdDpANTV3MHJk
Note: Since Base64 is easily decoded, basic authentication should only be used in conjunction with other security mechanisms such as HTTPS/TLS.
Regarding usage scenarios, from a more pragmatic point of view, you should use Basic Authentication in small applications where you do not need to have such effective security control, as it is much simpler to implement it, but the opposite is true for the use of Oauth and Oauth2.
Browser other questions tagged terminology http authentication
You are not signed in. Login or sign up in order to post.