Join us at Minneapolis API Security Summit 2025!
Join us at Minneapolis API Security Summit 2025!
Join us at Minneapolis API Security Summit 2025!
Join us at Minneapolis API Security Summit 2025!
Join us at Minneapolis API Security Summit 2025!
Join us at Minneapolis API Security Summit 2025!
Close
Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
/
/
API Security

Basic Authentication 🔐

Introduction

When you have organizational assets present online, you definitely worry about their security. Ensuring that resources and databases are not in the wrong hands can start with basic authentication. Designed for HTTP users, it is the basic schema for validating a request reaching the server. Learn more about it in the post.


Basic Authentication 🔐

What is Basic Authentication?

Used widely in HTTP-based communication, basic method is the means of authenticating end-users before granting access to resources or communication. For the same, intended users are instructed to deliver primary credentials like user names and login passwords.

In this method, the base-64 encoded data is transmitted through an Authorization Header.

As it doesn’t demand cookies, login pages, and other identifiers to come into action, it’s considered as the most austere user-authentication technique helping in achieving full access control.

Basic Authentication Header

As told in the previous section, the authorization header is what carries the information related to user identity for the validation of their rights. This part is later carried forward to the server. Once the server processes the user details, access is granted to the end-user. Based on the information stored, multiple authentication headers may exist too.

basic authentication work

Basic vs Modern authentication

Basic, as clear from its name itself, authentication is an old-school identity-verification process that requires only user IP and login password and is not compatible with two-step verification. 

With this limit, data theft has a higher probability with this user validation method.

Modern authorization is a multiple-layer approach asking for more details to complete the login process. It’s not based on single authentication but uses multiple protocols. WS-Federation, OAuth, and SAML represent modern authorization in an apt manner. 

They all have a diverse course of action, but one thing in common! They all require token-based requests processing for user authority-checking. It means, along with providing credential details, end-users have to create a unique token to complete the access request. 

Third-party identity service provider manages the tokens required in completing the authentication procedure. They feature custom user information. In case the tokens are compromised, they will expire automatically to save the stored information.


Authentication Header Types

  • Basic Auth - It is the simplest type of auth header built over HTTP protocol. The header features the word Basic and a base 64-encoded string username. 

Here is an example header:

Authorization: Basic U2hpdmFuc2hpOnNkZmY=
  • Bearer Token - It involves the processing of bearer tokens that are server-generated cryptic strings. This token-based method may use various encryption algorithms, such as: RS512, RS384, ES256, etc.

The format is:

Authorization: Bearer < token>

Input Example:

example bearer token


Output Example:

Authorization:

Bearer eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyIiwibmFtZSI6IlNoaXZhbnNoaSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.Oajdup5xN4ldNZ8aP-9N3aJobyKa-DymD1freJOzJhigHOKmwWdpJ4vzrd2lvnGT_k-uIet79DVq4nrsLfZex6rfcs7p9vw4WgyfS5AdCKveisRoaz-7JXXF5FJOM6Twz75il7TVUw2nVVthCG4xWyN-noruvbLrn_HVK4zCO-w7lx7TnWD0epuYb3uGq3Dnb4YZIAD_-8B_k18juCUnemOIkaHt3CrcTuqp2gxgBkhSMoR2zm1oBlk-gYzKvfQRWGArIkzUaevtbq8_XYPXBOHb8YFfsVHD6lnloNYmfNRrtg8aoTaTvspk03rIVCy7gTypEWlKr-elJzUHSaW9gA


enoded example


  • API Key - It is the client-generated tokens processed when API calls are made. In this type of authentication, the end-user shares a key-value pair to API as request header or query parameters. 

In general, this key is passed in URL as GET or POST request, and is in string format. 

Example:

GET /endpoint?api_key=gjukghl121264354354864

In request header, the same key can be passed as

X-API-Key: gjukghl121264354354864
  • Digest Auth - This type of authentication passes on the user information in a highly encrypted form. The encryption is achieved by applying the hash algorithm to the login credentials. 

example form

For the above example, we can post the following line in the .htdigest file:

demo:hello:4433cbdf49dae47093f59231504917fb
  • OAuth 2.0 - It is an inventive basic authorization and precedes OAuth 1.0. It involves retrieving the access token for the APIs and using them further to verify the further requests made. 

Example:

oauth 2 example token


  • Hawk Authentication - It takes the help of cryptographic verification to authorize the access requests. 

Example:

Authorization:

Hawk id="user123", ts="1546300800", nonce="gWqbkw", mac="4433cbdf49dae47093f59231504917fb/OnNkZmY="
  • AWS Signature - It works only for AWS requests and involves using a customized HMAC HTTP scheme for user’s identity verification. 

Example:

AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;range;x-amz-content-sha256;x-amz-date,Signature=f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41


Why is OAuth Better Than Basic Authentication?

OAuth is a part of basic method of identity authenticity checking. Yet, it’s superior and advance from basic authorization at various fronts. Seeing its rapid adoption, it’s not erroneous to say that OAuth is replacing basic authorization. Many of us found it superior from basic method. Well, there are reasons behind this.

  • OAuth uses advanced user identity verification processes and is claimed to have 100% credibility. When the end-user makes an access request, a new token is created. It maintains the dependability of the process. Basic authentication offers no such facility. 
  • When token security is compromised, it will be deleted automatically keeping the API key details safe. 
  • Basis authentication transfers the tokens over HTTP. Such token processing increases the possibility of third-party manipulation. Also, there is no encryption at work. In OAuth, token processing happens on SSL protocol that is safe and features better encryption. 
api Basic Authentication

HTTP basic authentication and the REST API

HTTP-based authentication works seamlessly for REST API and can complete the user identity validation process by simply providing user names and login password details. The details should be delivered in the HTTP header.

The pre-requisites of this process are:

  • Configuring the REST API users as per roles and groups.
  • Enabled HTTP-based basic authentication.
  • Using only a secure connection.

The procedure of enabling the basic auth through HTTP in the REST API is as mentioned below:

  1. Begin with separating the username-password with a colon and then encode this information in the base64 format.
  2. Include the above-created credential details on the HTTP Basic auth header.
  3. In case you’re using the basic REST API processing methods like POST, PATCH, or DELETE, make sure you offer added authentication through password-like hidden credentials. 
  4. Now, send a GET request in the login REST API resource to create a CSRF token. Here, the primary login details are processed. 
  5. Finally, forward the REST API auth request to a message-oriented middleware tool with suitable headers. 

Besides the above, one can also use token-based method of identity verification for REST API. Using both methods of authenticity validation, one can improve the REST API security and keep unauthorized access at bay. 

If implementing these two authorization procedures on REST or any other API seems a tough task, we suggest taking the help of modern API security tools like Wallarm that automates the entire process and protects the API lifecycle.

FAQ

References

Subscribe for the latest news

Updated:
October 24, 2024
Learning Objectives
Subscribe for
the latest news
subscribe
Related Topics