Web API Authentication Basic vs Bearer

160

I have created JWT based Authentication in my Web API application. I am not able to figure out the difference between

  1. Basic Token
  2. Bearer Token

Can someone please help me?

Stripy answered 1/12, 2015 at 5:33 Comment(0)
162

The Basic and Digest authentication schemes are dedicated to authentication using a username and a secret (see RFC7616 and RFC7617).

The Bearer authentication scheme is dedicated to authentication using a token and is described by RFC6750. Even if this scheme comes from an OAuth2 specification, you can still use it in any other context where tokens are exchanged between a client and a server.

Concerning JWT authentication, and as it is a token, the best choice is the Bearer authentication scheme. Nevertheless, nothing prevents you from using a custom scheme that could fit your requirements. But the custom scheme may be misunderstood by applications.

Pinsky answered 1/12, 2015 at 14:3 Comment(0)
126

Basic authentication transmits credentials as user ID/password pairs, encoded using base64. The client sends HTTP requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string username:password.

Authorization: Basic ZGVtbzpwQDU1dzByZA==

Note: For basic authentication, as the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS / TLS should be used in conjunction with basic authentication.


Bearer authentication (also called token authentication) uses security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources:

Authorization: Bearer < token >


Note: Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).

For more information link1, link2

Quaternion answered 9/1, 2020 at 18:38 Comment(7)
So both these are authorization and not really authorization. In the first one, you send a base64 encoded string and get authorized, while in the latter you get back a token and use it to access the resource. (Parttime)
What's the advantage of passing a token over username/password? (Viddah)
@MuhammadUmer you can revoke the tokens and also grant them granular access (i.e. only read access). (Dissatisfactory)
I found the answer and it was that you don't have to do a db read with a token; you can use crypto to validate the token, best for microservices which don't have shared session state, although there are load balancers which can fix one user to one service, but it's still performant. (Viddah)
@MuhammadUmer Unlike the basic auth scheme, Token/Bearer authentication can scale. The token is only stored on the client and not on the server, thus multiple clients can be supported: Web and Mobile. (Overtax)
To me the best answer. Just wanted to add that in some scenarios, payment gateways for instance, you need both types of Auth: one step to authenticate with Basic information, and from there the next communication would be with a Bearer ...JWT.. token. The latter JWT token comes from the first returned access_key token. (Halmstad)
Is there any authentication that should not use https? You make it sound as if they are not secured if no https, so please tell us the one that is secured without https. (Haemolysin)
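As an added example, not code from the answer above, the following Python shows the server side of the two schemes the answer describes: it decodes Basic credentials the way RFC 7617 lays them out (the answer's sample header decodes to demo:p@55w0rd), verifies a bearer token that is an HS256-signed JWT (the token type the question is about), and dispatches on the scheme name. The user table, the signing key and the make_jwt helper are constructed for the demo and are assumptions, not anything from the page.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values (assumptions, not from the answer): one user and an HS256 key.
USERS = {"demo": "p@55w0rd"}
JWT_KEY = b"constructed-demo-signing-key"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_basic(param: str):
    """RFC 7617: base64(user-id ':' password). Returns the user-id or None."""
    try:
        creds = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")  # user-id itself may not contain ':'
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison constant-time; a plain == leaks via timing.
    if sep and expected and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None

def make_jwt(sub: str, exp: int) -> str:  # minimal HS256 JWT issuer, as a login endpoint would do
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=")
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + b"." + enc({"sub": sub, "exp": exp})
    sig = hmac.new(JWT_KEY, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + base64.urlsafe_b64encode(sig).rstrip(b"=")).decode()

def check_bearer(token: str, now=None):
    """Verify signature and expiry of an HS256 JWT. Returns the subject or None."""
    parts = token.split(".")
    if len(parts) != 3: return None
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never accept alg=none or a header-chosen algorithm.
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(JWT_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims.get("sub")

def authenticate(authorization: str):
    """Dispatch on the scheme name, which is case-insensitive (RFC 7235)."""
    scheme, _, param = authorization.strip().partition(" ")
    check = {"basic": check_basic, "bearer": check_bearer}.get(scheme.lower())
    user = check(param.strip()) if check else None
    return (scheme.lower(), user) if user else None
```

Both branches deliberately fail closed: a malformed header, an unknown scheme, a wrong password, a bad signature, an expired token or an unexpected alg all yield None, which the caller turns into a 401 with the matching WWW-Authenticate challenge.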
