API Design: HTTP Basic Authentication vs API Token

api authentication architecture basic-authentication
72,919

Solution 1

I think that HTTP Basic Auth should be OK but just for really simple needs.

The complete (and final) solution IMHO is to implement an OAuth provider. It's not complex, it's a simple protocol and gives you lots of flexibility. In addition it seems to be the current trend as many big players implement it and it's supported from many many libraries.

Solution 2

Best bet might be using an API key in the header (e.g. 'Authorization: Token MY_API_KEY') instead of as a url param:

Advantages over HTTP Basic Auth:

  • More convenient, as you can easily expire or regenerate tokens without affecting the user's account password.
  • If compromised, vulnerability limited to API, not the user's master account
  • You can have multiple keys per account (e.g. users can have "test" and "production" keys side by side.)

Advantages over API key in URL:

  • Provides extra measure of security by preventing users from inadvertently sharing URLs with their credentials embedded in them. (Also, URL can wind up in things like server logs)

Solution 3

Many times I had to think about how to authenticate users/requests onto APIs and after comparing more solutions I ended up with using the Amazon's solution where I don't need or I can't use OAuth. This solution is based on signatures that prevents from "man in the middle" problems as Basic Auth and passing a simple token are sending plain text data. Yes you can add ssl but this will add complexity to the system...

Share:
72,919
Simone Carletti
Author by

Simone Carletti

Hi! My name is Simone Carletti. I'm a passionate programmer and scuba diving instructor. I'm the CTO at DNSimple. I created RoboWhois and RoboDomain. I have been involved with software development for more than a decade, contributing code and creating libraries.

Updated on July 08, 2022

Comments

  • Simone Carletti
    Simone Carletti almost 2 years

    I'm currently creating an authentication system on front of a public web API for a web application. Given that each user account has an API key and each request must be authenticated, I have two alternatives:

    1. Using an HTTP Basic Authentication, like GitHub does.

      Requests must be sent to the URL

      http://api.example.com/resource/id
with basic authentication
username: token
password: the api key

    2. Passing the API Token as querystring parameter.

      Requests must be sent to the URL

      http://api.example.com/resource/id?token=api_key

    There's also a third option which is passing the token within the URI, but I honestly don't like that solution.

    Which solution would you adopt and why?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Prevent untrusted clients to use login/register endpoints of REST API
What are options for Flutter App Backend?
Where to store JWT Token in .net core web api?
How should I store a token generated by a RESTful API?
Yii2 Rest API Bearer Authentication
How to OAuth 2.0 with Retrofit Android
How to make JWT cookie authentication in Laravel
How to configure spring boot admin client when authentication is enabled?
Twitter error code 215: Bad Authentication Data
YouTube Data API: OAuth Authentication for services using V3 without user intervention