Why should you base64 encode the Authorization header?
Twitter's API requires sending an Authorization header that is a base64 encoding of an API key concatenated with an API secret key. In Node, I use:

// Buffer.from() replaces the deprecated new Buffer() constructor; the user-pass string is encoded as UTF-8 bytes first, then base64.
const base64 = Buffer.from(apiKey + ':' + apiSecret, 'utf8').toString('base64');

The header sent becomes:

Authorization: 'Basic ' + base64

What is the point of base64 encoding the string "apiKeyHere:apiSecretHere"? Why not just accept an Authorization header containing the raw api credentials?

This question is similar to What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication? but the voted answer doesn't fully answer my question. Twitter's api key and api secret key are already HTTP compatible characters. They look something like this (these are not real):

Consumer Key (API Key) 8dme3utVQfOhlPk5BUG9XbFxR

Consumer Secret (API Secret) QFZXoC7MP72JZtGMBNpjLGI4Vl1xr1q9dyPLp3u7jGtkESpbLm

So why base64 encode it? Furthermore, that post states "the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible." Wouldn't a username and password already be HTTP compatible characters?

Deficient answered 28/10, 2015 at 7:44 Comment(2)
Possible duplicate of What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication? - Hangdog
I guess that somewhat answers it, but not entirely. That answer states "the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible." The apiKey and apiSecret from Twitter are already HTTP compatible characters. And wouldn't a username and password already be in HTTP compatible characters? - Deficient

Even though I can't find it in the w3 documentation, I believe that it is just protocol to encode the credentials of the Authorization header to base64, no matter what content it has. In the case of Twitter it doesn't make much difference as you said, but in other cases the credentials can contain these characters. To keep it uniform and prevent mistakes of whether it should be encoded or not, all credentials should be encoded.

Another reason could be that browsers also encode the credentials the same way. Twitter probably also wants to accept that.

Hangdog answered 29/10, 2015 at 7:59 Comment(3)
Thanks. Can you think of a case where the data wouldn't contain HTTP compatible characters? - Deficient
Any case where the username or password contains any non-ASCII character, as well as any of the token separators as mentioned here. (See this question.) - Hangdog
I believe there is already a character set being used, which is a way to represent text as bytes. Then if you base 64 encode those bytes, this is a way to encode bytes as text in a format that is safe to transmit across the protocols. It only uses text characters that could be misinterpreted as control codes by different protocols that it may pass through. - Baluchistan

The Basic Authentication Scheme is described in RFC 7617 (and the old RFC 2617).

This is a standard way to send password credentials to the server. The base64 encoding is used to encode credentials to allow non-HTTP characters and multibyte strings to be sent.

Cima answered 29/10, 2015 at 7:56 Comment(0)
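To make the point concrete, here is an added Node example (not code from the question or from any answer) that builds and parses a Basic header the way RFC 7617 describes, with constructed sample credentials whose password contains a colon, a non-ASCII character and a control byte. The raw user-pass string fails a header-safety check while its base64 form passes, and a decoder that splits on the first colon recovers the password intact:

```javascript
// Added example (not from the question or answers): build and parse an
// RFC 7617 Basic Authorization header in Node, showing why the user-pass
// string is base64-encoded rather than sent raw.

// Encode "user-id:password" as UTF-8 bytes, then base64 (RFC 7617 section 2).
function basicAuthHeader(userId, password) {
  // RFC 7617 forbids a colon in the user-id; the password may contain one.
  if (userId.includes(':')) throw new Error('user-id must not contain ":"');
  const userPass = Buffer.from(`${userId}:${password}`, 'utf8');
  return 'Basic ' + userPass.toString('base64');
}

// Decode a header value back into { userId, password }, splitting on the
// FIRST colon so that passwords containing ':' survive the round trip.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(headerValue);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon < 0) return null;
  return { userId: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Check whether a string could legally appear as-is in an HTTP header field
// value: RFC 7230 allows visible ASCII, SP and HTAB (obs-text aside), so any
// control byte or non-ASCII character disqualifies the raw form.
function isHeaderSafe(s) {
  return /^[\x20-\x7e\t]*$/.test(s);
}

// Constructed sample credentials (not real): the password carries a colon,
// a non-ASCII letter and a CR, none of which the raw form can carry safely.
const SAMPLE_USER = 'apiKeyHere';
const SAMPLE_PASS = 'p:ässw\r0rd';

const header = basicAuthHeader(SAMPLE_USER, SAMPLE_PASS);
console.log(isHeaderSafe(`${SAMPLE_USER}:${SAMPLE_PASS}`)); // false: raw form is not header-safe
console.log(isHeaderSafe(header));                           // true: base64 form is
console.log(parseBasicAuth(header));                         // { userId: 'apiKeyHere', password: 'p:ässw\r0rd' }
```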

The string should be base64 encoded, not for security, but to encode non-HTTP-compatible characters that may be in the username or password into HTTP-compatible characters.

Lynden answered 10/3, 2019 at 6:44 Comment(0)