
Should I still provide basic authentication for my API

Developer https://www.devze.com 2023-01-13 09:56 Source: Internet
My latest API is going to "ship" soon. Coming from a "release early and often" background, I'm planning to implement oAuth in a later release version.

What are the reasons why e.g. Twitter removes Basic Auth from its API? What are the pros and cons and maybe security implications using Basic authentication in any API?

Best

Henrik


The possible reason (in my humble opinion) why Twitter removed Basic Authorization is based on the fact that Basic Authorization is based on Base64 encoding. The Basic Authorization header allows you to hash a string concatenation of username and password (separated by a colon).

e.g. (Pseudo-code, language independent)

String basicAuth = Base64Encode("username:password"); // username and password are the user's credentials
httpRequestHeader.setHeader("Authorization", "Basic " + basicAuth);

Eavesdroppers can intercept the HTTP request, retrieve the Authorization header, decode the Base64 encoded stream, and get the user's username and password. The encoder/decoder code can be found anywhere on the internet.

Now, the eavesdropper logs in to Twitter using that username and password and becomes the "new" user (and changes the password so that the current user doesn't login anymore).

More or less, the pitfalls of Basic Authentication can be found here.

Secondly, Twitter wanted authentication to be done on the publisher site and not sent remotely via a 3rd party client. OAuth provides such capability.

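The answer's point is that a Basic header is only Base64, so whoever sees the request sees the credentials. The following added example (not code from the question or the answer) shows both halves of that in Python: decoding the header exactly as the text describes, and the server-side handling a defender would pair Basic authentication with, namely refusing it over plaintext HTTP, storing only a salted password hash, and comparing in constant time. The user name `alice`, the password, the `USERS` table and the `over_tls` flag are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: what a client sends with HTTP Basic authentication.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret-pass").decode("ascii")
WRONG_HEADER = "Basic " + base64.b64encode(b"alice:wrong-pass").decode("ascii")


def decode_basic_header(header: str) -> Optional[tuple[str, str]]:
    """Recover username and password from an 'Authorization: Basic ...' header.

    This is all an eavesdropper on plaintext HTTP has to do: Base64 is an
    encoding, not encryption, so the credentials are readable to anyone who
    sees the request. Returns None for anything that is not a well-formed
    Basic header.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def make_record(password: str) -> dict:
    """Server-side storage: never the plaintext password, only a salted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return {"salt": salt, "hash": digest}


USERS = {"alice": make_record("s3cret-pass")}  # constructed user database


def authenticate(header: Optional[str], over_tls: bool) -> str:
    """Decide on a request that carries Basic authentication.

    Returns one of "ok", "insecure_transport", "bad_header", "bad_credentials".
    Refusing Basic auth on a plaintext connection is the first mitigation:
    the header is only as confidential as the channel carrying it.
    """
    if not over_tls:
        return "insecure_transport"
    if header is None:
        return "bad_header"
    creds = decode_basic_header(header)
    if creds is None:
        return "bad_header"
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Run the hash anyway so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, 200_000)
        return "bad_credentials"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], 200_000)
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing.
    if not hmac.compare_digest(digest, record["hash"]):
        return "bad_credentials"
    return "ok"


if __name__ == "__main__":
    print("decoded by an observer:", decode_basic_header(SAMPLE_HEADER))
    print("over plain HTTP:", authenticate(SAMPLE_HEADER, over_tls=False))
    print("over TLS:", authenticate(SAMPLE_HEADER, over_tls=True))
```

Running it shows the credentials recovered from the header in one call, and the same header accepted only when `over_tls` is true. The transport check does not fix the underlying weakness the answer describes (the client still holds and transmits the real password on every request), which is why the answer points to OAuth for third-party clients; it only removes the eavesdropping case.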