HTTP basic authentication over SSL for REST API
Basic authentication is just a standard HTTP header with the user and password encoded in base64:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
(http://en.wikipedia.org/wiki/Basic_access_authentication). If you authenticate your REST API calls by this header over a non-SSL connection, the problem is that any man in the middle can decode your username and password from your auth header.
To make sure that your password is sent securely, instead of a normal HTTP connection you must use HTTPS. The only difference between HTTP and HTTPS is that HTTPS is using the SSL/TLS security protocol over TCP/IP instead of plain TCP/IP.
Now this has the drawback that establishing an HTTPS connection is more expensive on the CPU than a normal HTTP connection. It is very clear that if you want to authenticate your REST calls on every request with this header you should make your REST API only available to HTTPS connections.
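To make the answer's two points concrete (the header is only base64, so anyone who sees it recovers the credentials; therefore it must only ever travel over HTTPS), here is an added example in Python. It is not code from the original answer. It builds and parses the `Authorization: Basic` value per RFC 7617, shows a client-side guard that refuses to attach the header to a non-HTTPS URL, and a server-side check that compares credentials in constant time. The credentials `Aladdin` / `open sesame` are the RFC's own sample values (the same ones in the header above); the URLs and the `example.com` host are constructed for the example.

```python
import base64
import binascii
import hmac
from urllib.parse import urlsplit

# Sample credentials from RFC 7617 (constructed test data, not real secrets).
SAMPLE_USER = "Aladdin"
SAMPLE_PASSWORD = "open sesame"


def build_basic_header(user: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth (RFC 7617)."""
    # RFC 7617 forbids a colon in the user-id, because the colon is the separator.
    if ":" in user:
        raise ValueError("user-id must not contain a colon")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str) -> tuple[str, str]:
    """Recover (user, password) from an Authorization: Basic header value.

    Anyone who can read the header on the wire (e.g. a man in the middle on a
    plain-HTTP connection) can do exactly this: base64 is an encoding, not
    encryption.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    # Split on the FIRST colon only: the password itself may contain colons.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credential lacks the user:password separator")
    return user, password


def attach_credentials(url: str, headers: dict, user: str, password: str) -> dict:
    """Client-side guard: add the Basic header only when the URL is HTTPS.

    Because the header carries the password on every request, a client should
    refuse to send it anywhere the transport is not encrypted.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over '{scheme or 'unknown'}'")
    out = dict(headers)
    out["Authorization"] = build_basic_header(user, password)
    return out


def check_credentials(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check for one request.

    The comparison is constant-time (hmac.compare_digest) so that timing does
    not reveal how many leading characters matched. A real API would compare
    against a stored password hash rather than the plaintext used here.
    """
    try:
        user, password = parse_basic_header(header_value)
    except ValueError:
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print(header)                       # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_header(header))   # ('Aladdin', 'open sesame') -- trivially recovered
    print(attach_credentials("https://api.example.com/orders", {}, SAMPLE_USER, SAMPLE_PASSWORD))
    try:
        attach_credentials("http://api.example.com/orders", {}, SAMPLE_USER, SAMPLE_PASSWORD)
    except ValueError as err:
        print("blocked:", err)
```

Running the script prints the exact header value quoted in the answer and then decodes it straight back to the username and password, which is the whole reason the answer insists on HTTPS; the `attach_credentials` guard is the client-side way of enforcing "only available to HTTPS connections", and the server-side `check_credentials` has to run on every request because, as the comments below note, a REST API keeps no login state between calls.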
Kanishk Dudeja
Updated on July 09, 2022
Comments
-
Kanishk Dudeja almost 2 years
I am new to the concept of RESTful APIs.
I am designing a RESTful API for an online store.
I have not properly understood the concept of basic HTTP authentication over SSL.
Does it mean that for every request the user will have to enter his/her username and password again?
Can somebody explain in detail how it functions and how it is meant to be used?
-
Kanishk Dudeja over 10 years
Will the authorization header have to be sent with every request that goes to the server?
-
Ovidiu Buligan over 10 years
Yes. Because the REST API doesn't have state (for example: logged-in user state). I think that for big applications you have to have an authentication module or filter which has state, or something like OAuth. I would certainly look also to try to understand OAuth 2 for example, which is a more complete and general solution for anyone who uses your API.
-
Kanishk Dudeja over 10 years
And will the header automatically get cached and sent by my browser again and again? Or will I need to send the header by the API code?
-
Ovidiu Buligan over 10 years
You will need to send the header at each request.
-
Ovidiu Buligan over 10 years
Ignore my previous comment, it seems the browser caches the credentials. Here is a question on the same subject: security.stackexchange.com/questions/988/…
-
Kanishk Dudeja over 10 years
Okay. Last thing. For the first time too, it is the browser's responsibility to encode it into a base64 string, right?
-
Ovidiu Buligan over 10 years
Yes, you generally don't need to be concerned about encoding it, because you use a JavaScript API to set the user and password for the basic authentication.
-
Michael Chudinov over 6 years
Just want to mention that basic authentication is described in RFC 7617 (tools.ietf.org/html/rfc7617). It is always worth referring to a standard.
-
galactikuh about 5 years
This answer is out of date since the solution provided in the Wikipedia page has been deprecated.