What is Basic Auth?

14

What is and how Basic Auth works?

In what scenarios should it be used?

Is it safe to use it now, since we already have OAuth and OAuth2 , among other more modern forms of authentication?

asked by anonymous 11.11.2017 / 03:55

2 answers

8

What is it?

Basic Authentication is the most common HTTP protocol authentication system. It is included in the header of the HTTP request in this way:

Authorization: Basic {credentials in base64, in the format username:password}

Please note that Base64 is an encoding scheme, not encryption. Therefore, you MUST use it only over an HTTPS (TLS) connection. The use of Base64 comes from the MIME standard.

Workflow

The authentication scheme works like this: the server responds to the HTTP client with code 401 (Unauthorized) and with a WWW-Authenticate header, which gives information on how to authenticate. The client then sends the request with the authentication header shown above. If the credentials are correct, you will receive a response other than 403 (Forbidden).

Security

Basic Auth over HTTPS (TLS) is good, but not 100% secure. Its use will depend on the level of risk of the data being transmitted. Notice that with each request you will be sending the credentials. Authentication can be stored permanently in the browser if the user wants it (very difficult to do when it comes to RESTful APIs).

There are several steps you can take to increase the security of your service. I will not go on at length, but I will highlight one point: generate API keys that are not easily broken. Take a look at UUIDs.

When to use?

Only you can analyze this. What is the confidentiality level of data in transit via HTTP? If it's high, it might be worth investing in another authentication scheme.

A great advantage of Basic Auth is simplicity. Both for the client and for the server. This will accelerate development for both sides.

Using more modern authentication schemes, such as OAuth and OAuth2, brings advantages, but you have to look at the real need.

  • Are you carrying sensitive data? Maybe your choice is not OAuth or OAuth2. How much security do you need?
  • Does a simple, quick-to-implement scheme solve your problem? Basic Auth looks good.
  • Do you need features like authentication by other services? OAuth brings this and may be the option.

I'll leave some links that can help in choosing:

    19.11.2017 / 12:57
    3

    Basic authentication, or basic authentication is a simple authentication scheme built into the HTTP protocol.

    The client sends HTTP requests with the Authorization header containing the word Basic followed by a space and the plain-text username and password separated by a colon (:), encoded in base64.

    For example, to authorize the user test with password @55w0rd , the client would send in the request:

    Authorization: Basic dGVzdDpANTV3MHJk

    Note: Because base64 is easily decoded, basic authentication should only be used in conjunction with other security mechanisms, such as HTTPS / TLS.

    Regarding usage scenarios, from a more pragmatic point of view, you should use Basic Authentication in small applications where you do not need security controls that are as effective, since it is much simpler to implement; the opposite is true for OAuth and OAuth2.

    15.11.2017 / 21:11
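Both answers above describe the same exchange: the client base64-encodes `username:password`, the server replies 401 with a WWW-Authenticate challenge when the header is missing or wrong. The following is an added example, not code from either answer, that builds and parses that header with the `test` / `@55w0rd` credentials from the second answer and shows the server-side checks a practitioner would want: refusing credentials on a non-TLS connection (because base64 is reversible) and comparing the password in constant time. The `USERS` store and the `is_tls` flag are assumptions for the demo.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed credential store for the demo only (username -> password).
# A real service would keep a salted password hash, never the password itself.
USERS = {"test": "@55w0rd"}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}


def build_basic_header(username: str, password: str) -> str:
    """Client side: build the Authorization header value."""
    if ":" in username:
        raise ValueError("the user-id must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return f"Basic {token.decode('ascii')}"


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: decode 'Basic <base64>' into (username, password).

    Returns None for any malformed header instead of raising.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return None
    user, sep, pwd = raw.partition(":")
    return (user, pwd) if sep else None


def authenticate(headers: dict, is_tls: bool) -> Tuple[int, dict]:
    """Server side: return (status code, response headers) for one request."""
    if not is_tls:
        # The header is only encoded, not encrypted: never accept it over plain HTTP.
        return 403, {}
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401, dict(CHALLENGE)  # missing/malformed header: send the challenge
    user, pwd = creds
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison constant-time for equal-length inputs,
    # so the check does not leak how many leading characters matched.
    if expected and hmac.compare_digest(pwd.encode("utf-8"), expected.encode("utf-8")):
        return 200, {}
    return 401, dict(CHALLENGE)
```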