HTTP basic auth, digest auth and Oauth?

3

13

Which one of basic auth, digest auth and Oauth should one use for a web application to let users access resources through Restful API calls?

Isn't Oauth the better solution replacing basic and digest auth?

Nutting answered 1/11, 2010 at 17:14 Comment(1)
Cool site trying to shed light: oauthbible.com (Habana)
2

I am trying to work out the answer to this one as well. I would say it depends on what the scope of your intended app is. OAuth restricts access to developers who would have to build a client to do the handshaking.

Basic can work with many data browser clients like Sesame and also works with Excel 2010, as well as any old browser. The only issue is the passwords travelling in the clear, which can be mitigated by hosting your app over HTTPS.

Don't know much about digest unfortunately.

I am personally trying to test an implementation of each: HTTP Basic and OAuth.

Glottic answered 12/11, 2010 at 3:2 Comment(0)
23

Glossing over many details here but:

HTTP Basic: send username & password in the clear in the Authorization header

HTTP Digest: send username & password, where the password has been hashed with a server-provided nonce

Both versions of OAuth were originally designed to grant a 3rd party access to resources it does not own (e.g. I allow a mobile photo app to post to Facebook on my behalf) without having to give the 3rd party my credentials. Both of these protocols work basically as follows:

  • From the mobile photo application, the user is directed to the login page of Facebook
  • Once they have logged in, they are redirected back to the mobile photo app with a code.
  • The mobile photo app then redeems this code for an access token
  • The mobile photo app can then make requests to Facebook to post my photos to my wall.

OAuth 1.0a: more secure than OAuth 2, but more difficult to implement; it also requires all requests to be signed.

OAuth 2: relies on SSL for security and does not require request signing. While its lead author has abandoned the project because he feels it doesn't meet either of its original design goals (security, interoperability), it is widely used by Facebook and Google.

Here are some articles I found useful:

Not enough mojo yet to link to the RFCs, but those are the definitive sources, if slightly indigestible.

Krenek answered 19/4, 2013 at 18:42 Comment(3)
FYI, OAuth 2.0 uses HTTP Basic authentication in some parts of its flow. (Tadeas)
Hmm.. I don't see a real difference between HTTP Digest Authentication with qop=auth-int (RFC 2617, June 1999) and the OAuth 1 authorisation scheme (2010)... not sure what the OAuth fuss is about :-) (Breakage)
May I add to HTTP Digest: the purpose of the nonce value is to prevent repeated requests. Each request will have a different nonce value, and thus each request, although containing the same username/password, has a unique hash. (Tadeas)
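As an added example (not code from any of the answers or comments above), the following Python shows the wire-level difference the accepted answer glosses over: a Basic header is reversible base64, a Digest response is an MD5 over the password plus a server nonce (RFC 2617, with the qop=auth-int variant the comment mentions, which also binds the request body), and a server that tracks issued nonces and (nonce, nc) pairs rejects replays, which is the point of the nonce in the last comment. The realm, user names and password values are constructed for the demo; the Mufasa/Circle Of Life vector in the usage is the worked example from RFC 2617 itself.

```python
import base64
import hashlib
import secrets
from typing import Dict, Tuple


def basic_header(user: str, password: str) -> str:
    """Authorization value for HTTP Basic: base64 of 'user:password' (encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_decode(header: str) -> Tuple[str, str]:
    """Anyone who observes the header recovers the password, hence Basic needs TLS."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _ha2(method: str, uri: str, qop: str, body: bytes) -> str:
    # qop=auth-int additionally hashes the entity body, so body tampering breaks the response
    if qop == "auth-int":
        return _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return _md5(f"{method}:{uri}")


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth",
                    body: bytes = b"") -> str:
    """Client side of RFC 2617 Digest: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_ha2(method, uri, qop, body)}")


class DigestServer:
    """Minimal server-side verifier; stores HA1 (not clear passwords) and tracks nonces."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()  # nonces handed out in WWW-Authenticate challenges
        self.seen = set()    # (nonce, nc) pairs already accepted; reuse is a replay

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method: str, fields: Dict[str, str], body: bytes = b"") -> bool:
        nonce, nc = fields["nonce"], fields["nc"]
        if nonce not in self.issued or (nonce, nc) in self.seen:
            return False  # unknown nonce, or this exact request was already accepted
        ha1 = self.ha1.get(fields["username"])
        if ha1 is None:
            return False
        qop = fields.get("qop", "auth")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{fields['cnonce']}:{qop}:"
                        f"{_ha2(method, fields['uri'], qop, body)}")
        if not secrets.compare_digest(expected, fields["response"]):
            return False
        self.seen.add((nonce, nc))
        return True


def demo() -> Dict[str, bool]:
    """Constructed exchange: one good request, a replay of it, and a wrong-password attempt."""
    server = DigestServer("api.example", {"alice": "correct horse"})  # constructed credentials
    nonce = server.challenge()
    fields = {"username": "alice", "uri": "/v1/items", "nonce": nonce,
              "nc": "00000001", "cnonce": secrets.token_hex(8), "qop": "auth"}
    fields["response"] = digest_response("alice", server.realm, "correct horse", "GET",
                                         fields["uri"], nonce, fields["nc"], fields["cnonce"])
    first = server.verify("GET", fields)
    replay = server.verify("GET", fields)  # same nonce and nc: rejected
    bad = dict(fields, nc="00000002")
    bad["response"] = digest_response("alice", server.realm, "wrong", "GET",
                                      bad["uri"], nonce, bad["nc"], bad["cnonce"])
    wrong = server.verify("GET", bad)
    return {"first": first, "replay": replay, "wrong_password": wrong}


if __name__ == "__main__":
    print(basic_decode(basic_header("Aladdin", "open sesame")))  # password is right there
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))  # RFC 2617 section 3.5 vector
    print(demo())
```

Note what Digest does and does not buy you: the password never crosses the wire and a captured response cannot be replayed against a server that tracks nonces, but the server must still hold HA1 (an unsalted MD5 of user:realm:password), and without TLS the request and response bodies remain readable, so in practice all three schemes end up behind HTTPS anyway.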
3

Phil Sturgeon has got a decent eBook (Build APIs You Won't Hate) with a whole chapter dedicated to Authentication. It covers:

  • Basic
  • Digest
  • OAuth 1.0a
  • OAuth 2

I'd highly recommend reading it if you are considering implementing such mechanisms within your RESTful API.

Update: Why the downvote?

Painty answered 7/10, 2014 at 12:15 Comment(2)
Because you didn't answer the question, but just linked a book. This answer is better suited as a comment. (Elbe)
Just listing something is not an answer... you know that. Provide more than links. (Telic)
© 2022 - 2024 — McMap. All rights reserved.