Basic Authentication 🔐

Introduction

When you have organizational assets online, you worry about their security. Keeping resources and databases out of the wrong hands can start with Basic authentication, the simplest HTTP scheme for validating a request that reaches the server. This post explains how it works, what it does and does not protect, and how it compares with the token-based schemes that have largely replaced it.

What is Basic Authentication?

Basic is the simplest HTTP authentication scheme, specified in RFC 7617. The client proves its identity by sending a username and password with the request, and the server checks them before granting access to the resource.

The credentials are joined with a colon, base64-encoded, and sent in the Authorization header of every request. Base64 is an encoding, not encryption: anyone who can read the request can decode the password, so Basic is only as safe as the TLS connection underneath it.

Because it needs no cookies, login pages, or session state, it is the most austere authentication method HTTP offers, which keeps it popular for simple APIs and internal tools.

Basic Authentication Header

As told in the previous section, the Authorization header carries the user identity that the server validates. The server decodes the header, checks the username and password against its store, and grants or refuses access. If the header is missing or wrong, the server answers 401 Unauthorized with a WWW-Authenticate: Basic realm="..." challenge that tells the client which scheme to use; a server may advertise more than one scheme in that challenge.
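
As an added example (not code from the original article), the following Python builds a Basic header and shows how trivially it is reversed. The header value decoded in the demo is the one quoted later in this article; the alice credentials are constructed to exercise the one edge case worth knowing, a password that itself contains colons.

```python
import base64


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header (RFC 7617).

    The credential is only base64 *encoded*, never encrypted: anyone who can
    read the request can recover the password, so Basic must ride over TLS.
    """
    if ":" in username:
        # RFC 7617 forbids a colon in the user-id: the first colon separates
        # user-id from password, and the password itself may contain colons.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (username, password) from an Authorization header value.

    Splits on the *first* colon only, so a password containing ':' survives.
    Raises ValueError for anything that is not well-formed Basic.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return username, password


if __name__ == "__main__":
    # The header value quoted in this article decodes straight back to its credentials.
    print(parse_basic_auth("Basic U2hpdmFuc2hpOnNkZmY="))
    # Constructed credentials: a password with colons round-trips because we split once.
    header = basic_auth_header("alice", "p:ss:w0rd")
    print(header, parse_basic_auth(header))
```

The point of the round trip is that there is no secret anywhere in the encoding step; a proxy, a log line, or a browser history entry that captures the header has captured the password.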

Basic vs Modern authentication

Basic, as the name suggests, is an old-school identity check: it requires only a user ID and password and has no place for a second factor such as a one-time code.

With that limit, credential theft has a higher payoff: whoever obtains the password has full access until it is changed.

Modern authentication is a layered approach that separates proving who you are from authorizing what you may do. It is not a single protocol; WS-Federation, OAuth 2.0 (with OpenID Connect), and SAML are its usual representatives.

They differ in detail but share one idea: access is granted on the strength of a token rather than the password itself. The user authenticates once with an identity provider, which issues a token the client then presents on each request.

The identity provider manages those tokens. They carry claims about the user (identity, roles, scopes) and a built-in expiry, so a stolen token is useful only for a limited window and can be revoked by the issuer without forcing a password change.


Authentication Header Types

  • Basic Auth - The simplest HTTP auth header. Its value is the word Basic followed by the base64 encoding of username:password.

Here is an example header:

Authorization: Basic U2hpdmFuc2hpOnNkZmY=
  • Bearer Token - The client presents a token the server issued earlier; whoever holds ("bears") it is granted access, which is why it must be protected like a password. The most common structured form is a JSON Web Token (JWT), which is signed, not encrypted, with an algorithm named in its header, such as RS512, RS384, or ES256.

The format is:

Authorization: Bearer <token>

Example (a JWT whose header declares alg RS384; the three dot-separated parts are header, payload, and signature):

Authorization: Bearer eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyIiwibmFtZSI6IlNoaXZhbnNoaSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.Oajdup5xN4ldNZ8aP-9N3aJobyKa-DymD1freJOzJhigHOKmwWdpJ4vzrd2lvnGT_k-uIet79DVq4nrsLfZex6rfcs7p9vw4WgyfS5AdCKveisRoaz-7JXXF5FJOM6Twz75il7TVUw2nVVthCG4xWyN-noruvbLrn_HVK4zCO-w7lx7TnWD0epuYb3uGq3Dnb4YZIAD_-8B_k18juCUnemOIkaHt3CrcTuqp2gxgBkhSMoR2zm1oBlk-gYzKvfQRWGArIkzUaevtbq8_XYPXBOHb8YFfsVHD6lnloNYmfNRrtg8aoTaTvspk03rIVCy7gTypEWlKr-elJzUHSaW9gA


  • API Key - A key issued by the API provider and sent with each call, either as a request header or as a query parameter. It identifies the calling application rather than an end user.

Passing the key in the URL is convenient but leaks it into server logs, proxy logs, and browser history, so the header form is preferred.

Example, as a query parameter:

GET /endpoint?api_key=gjukghl121264354354864

In a request header, the same key is passed as

X-API-Key: gjukghl121264354354864
  • Digest Auth - Instead of sending the password, the client sends an MD5 hash computed over the credentials, a server-supplied nonce, and the request method and URI, so the password itself never crosses the wire. MD5 is weak by modern standards and Digest does not protect the request body, so it still needs TLS.

On the server, Apache's htdigest utility stores one line per user in the .htdigest file, in the form username:realm:MD5(username:realm:password). For the user demo in realm hello, the line looks like:

demo:hello:4433cbdf49dae47093f59231504917fb
  • OAuth 2.0 - An authorization framework that supersedes OAuth 1.0. The client first obtains an access token from an authorization server, then presents that token (usually in a Bearer header, as above) on each subsequent API request instead of any user credential.


  • Hawk Authentication - An HMAC-based scheme: the client signs the request (method, URI, host, timestamp, and nonce) with a shared key and sends only the resulting MAC, so the key itself is never transmitted and a captured request cannot be replayed once its timestamp window has passed.

Example:

Authorization: Hawk id="user123", ts="1546300800", nonce="gWqbkw", mac="4433cbdf49dae47093f59231504917fb/OnNkZmY="
  • AWS Signature - Used only for AWS API requests. Signature Version 4 derives a signing key from the secret access key plus the date, region, and service, then HMAC-SHA256 signs a canonical form of the request. The secret never leaves the client; the server recomputes the signature and compares.

Example (the Authorization header value):

AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;range;x-amz-content-sha256;x-amz-date,Signature=f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41
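
The Bearer and Digest items above deserve a closer look at what actually crosses the wire. The following Python is an added example, not code from the article: it decodes the header and payload of the JWT quoted above without verifying the signature (which would need the issuer's public key), and it implements the Digest computation behind the .htdigest line, checked against the worked example published in RFC 2617 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"). The password shown for the article's demo:hello user is constructed; the article does not state it.

```python
import base64
import hashlib
import hmac
import json

# The bearer token quoted in this article; only its structure is examined here.
ARTICLE_JWT = (
    "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIyIiwibmFtZSI6IlNoaXZhbnNoaSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9."
    "Oajdup5xN4ldNZ8aP-9N3aJobyKa-DymD1freJOzJhigHOKmwWdpJ4vzrd2lvnGT_k-uIet79DVq4nrs"
    "LfZex6rfcs7p9vw4WgyfS5AdCKveisRoaz-7JXXF5FJOM6Twz75il7TVUw2nVVthCG4xWyN-noruvbLrn_"
    "HVK4zCO-w7lx7TnWD0epuYb3uGq3Dnb4YZIAD_-8B_k18juCUnemOIkaHt3CrcTuqp2gxgBkhSMoR2zm1o"
    "Blk-gYzKvfQRWGArIkzUaevtbq8_XYPXBOHb8YFfsVHD6lnloNYmfNRrtg8aoTaTvspk03rIVCy7gTypEW"
    "lKr-elJzUHSaW9gA"
)


def _b64url_decode(segment: str) -> bytes:
    """base64url (RFC 4648 section 5) with the '=' padding JWTs strip off restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Return header and payload of a JWS compact token WITHOUT verifying it.

    Only the third segment is cryptographic. Header and payload are plain
    base64url JSON: a bearer token hides nothing from whoever holds it, and
    nothing here proves the token is genuine; that needs the issuer's key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
        "has_signature": bool(parts[2]),  # present, but unverified here
    }


def _md5(*fields: str) -> str:
    return hashlib.md5(":".join(fields).encode("utf-8")).hexdigest()


def htdigest_entry(username: str, realm: str, password: str) -> str:
    """The line Apache's htdigest stores: user:realm:HA1, HA1 = MD5(user:realm:password)."""
    return f"{username}:{realm}:{_md5(username, realm, password)}"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client-side RFC 2617 response for algorithm=MD5, qop=auth."""
    ha2 = _md5(method.upper(), uri)
    return _md5(ha1, nonce, nc, cnonce, "auth", ha2)


def verify_digest(htdigest_line: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 (never the password) and compare in constant time."""
    _user, _realm, ha1 = htdigest_line.split(":", 2)
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response.lower())


if __name__ == "__main__":
    print(inspect_jwt(ARTICLE_JWT))
    # Constructed password for the article's demo/hello user.
    print(htdigest_entry("demo", "hello", "s3cret"))
    # RFC 2617's published example: the response must come out 6629fae49393a05397450978507c4ef1.
    entry = htdigest_entry("Mufasa", "testrealm@host.com", "Circle Of Life")
    ha1 = entry.rsplit(":", 1)[1]
    print(digest_response(ha1, "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
```

Two things the code makes concrete: a JWT's claims (here admin: true) are readable by anyone, so authorization must rest on the verified signature, not on the claims being present; and a Digest server stores HA1, so a leaked .htdigest file lets an attacker answer challenges for that realm without ever learning the password.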


Why is OAuth Better Than Basic Authentication?

OAuth 2.0 is not a variant of Basic; it is a separate authorization framework. The two are compared constantly because OAuth has displaced Basic in most public APIs, and the reasons are concrete.

  • With Basic, the client sends the user's long-lived password on every request, to every server it talks to. With OAuth, the password is shown only to the authorization server, which issues a short-lived access token scoped to what the client actually needs.
  • A token can expire and be revoked by the issuer without changing the password. If a Basic credential leaks, the only remedy is a password reset, which also disrupts every other place that password is used.
  • Both Basic credentials and bearer tokens travel in clear text inside the request, so both need TLS. The difference is what an attacker who breaks the transport obtains: OAuth 2.0 mandates TLS and exposes at most an expiring, scoped token, while Basic only recommends TLS and exposes the password itself.

HTTP basic authentication and the REST API

HTTP Basic fits REST APIs well: every request carries its own username and password in the Authorization header, so the server needs no session state to validate it.

The pre-requisites are:

  • REST API users configured with the roles and groups they need.
  • HTTP Basic authentication enabled on the API.
  • A secure (TLS) connection, since the credentials are only base64-encoded.

The procedure for using Basic auth against a REST API is:

  1. Join the username and password with a colon and base64-encode the result.
  2. Send the encoded value in the Authorization header as Basic <encoded> on each request.
  3. For state-changing methods such as POST, PATCH, or DELETE, supply whatever additional protection the API requires, typically an anti-CSRF token header: browsers cache Basic credentials and resend them automatically, so without it a malicious page could trigger writes on the user's behalf.
  4. Where the API issues such a token, obtain it first with an authenticated GET to the API's login resource.
  5. Send the request to the API endpoint with the Authorization header and any required token header set.
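
The server side of steps 1 and 2, as an added example rather than code from the article: a minimal WSGI application that refuses Basic credentials over plain HTTP, parses the header, checks the password against a salted PBKDF2 hash in constant time, and answers with the proper 401 challenge. The realm name, the api_reader user, its password, and the make_environ helper standing in for a real server are all constructed for the demo.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

REALM = "rest-api"          # assumed realm name for the challenge
PBKDF2_ROUNDS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store: salted hashes, never the password itself.
_SALT = os.urandom(16)
USERS = {"api_reader": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}
_DUMMY_SALT = os.urandom(16)


def check_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _pbkdf2(password, _DUMMY_SALT)  # same cost for unknown users: no username oracle via timing
        return False
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


CHALLENGE = ("WWW-Authenticate", f'Basic realm="{REALM}", charset="UTF-8"')


def authenticate(environ: dict) -> tuple[int, str | None]:
    """Return (HTTP status, authenticated username or None).

    403: request did not arrive over TLS, so we refuse to even look at credentials
         (accepting them would teach clients that clear-text Basic works).
    401: header missing, wrong scheme, or bad username/password.
    400: header present but not decodable as Basic.
    """
    if environ.get("wsgi.url_scheme") != "https":
        return 403, None
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, None
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 400, None
    username, sep, password = creds.partition(":")  # first colon only
    if not sep or not check_password(username, password):
        return 401, None
    return 200, username


def app(environ, start_response):
    """Minimal WSGI application guarding one resource with Basic auth."""
    status, user = authenticate(environ)
    reasons = {200: "OK", 400: "Bad Request", 401: "Unauthorized", 403: "Forbidden"}
    headers = [("Content-Type", "text/plain")]
    if status == 401:
        headers.append(CHALLENGE)   # tells the client which scheme to retry with
    start_response(f"{status} {reasons[status]}", headers)
    body = f"hello {user}" if status == 200 else reasons[status]
    return [body.encode("utf-8")]


def make_environ(scheme: str, authorization: str | None = None) -> dict:
    """Constructed WSGI environ standing in for a real server (assumption for the demo)."""
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if authorization is not None:
        env["HTTP_AUTHORIZATION"] = authorization
    return env


def basic_header(username: str, password: str) -> str:
    """Client side of steps 1 and 2."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    good = basic_header("api_reader", "correct horse battery staple")
    for env in (make_environ("http", good), make_environ("https"), make_environ("https", good)):
        print(authenticate(env))
```

In production the TLS check belongs at the reverse proxy as well (redirect or reject before the request reaches the application), and the credential store would be a database rather than a module-level dict; the checks themselves stay the same.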

Besides the above, a REST API can also accept token-based authentication. Supporting both lets you keep Basic for simple scripts while steering interactive users and third-party clients to tokens, which limits the damage a leaked credential can do.

If implementing these two schemes on REST or any other API seems a tough task, we suggest taking the help of modern API security tools like Wallarm that automate the process and protect the API lifecycle.

Updated:
October 24, 2024