HTTP basic authentication over SSL for REST API

I am new to the concept of RESTful API's.

I am designing a RESTful API for an online store.

I have not properly understood the concept of basic HTTP authentication over SSL.

Does it mean that for every request the user will have to enter his/her username and password again?

Can somebody explain in detail how it functions and how it is meant to be used?

Kanishk Dudeja Avatar asked Oct 12 '13 09:10

1 Answer

Basic authentication is just a standard HTTP header with the user and pass encoded in base64:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

(http://en.wikipedia.org/wiki/Basic_access_authentication). If you authenticate your REST API calls by this header over a non-SSL connection, the problem is that any man in the middle can decode your username and password from your auth header.

To make sure that your password is sent securely, instead of a normal HTTP connection you must use HTTPS. The only difference between HTTP and HTTPS is that HTTPS is using the SSL/TLS security protocol over TCP/IP instead of plain TCP/IP.

Now this has the drawback that establishing an HTTPS connection is more expensive on the CPU than a normal HTTP connection. It is very clear that if you want to authenticate your REST calls on every request with this header, you should make your REST API only available to HTTPS connections.

Ovidiu Buligan Avatar answered Sep 28 '22 13:09
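The following is an added example (not part of the question or the answer above) showing both halves of what the answer describes: the client encodes `user:pass` into the `Authorization: Basic` header on every request, and the server decodes it, refuses to evaluate it unless the request arrived over HTTPS, and compares the password against a stored PBKDF2 hash rather than a plaintext copy. The credential store, the salt and the `is_https` flag are constructed for the example; in a real deployment the flag would come from the TLS listener or the framework's request object, and each user would get a random salt.

```python
import base64
import binascii
import hashlib
import hmac

# Server-side password hashing. Only the derived hash is stored, never the
# plaintext, so a leaked credential table does not leak passwords directly.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed credential store for the example: username -> (salt, hash).
# A real store would use secrets.token_bytes(16) as a per-user salt.
_SALT = b"constructed-example-salt"
CREDENTIALS = {
    "Aladdin": (_SALT, _derive("open sesame", _SALT)),
}
# Hash compared against when the user does not exist, so an unknown username
# costs the same time as a wrong password (no user-enumeration timing signal).
_DUMMY_HASH = _derive("", _SALT)


def build_basic_header(username: str, password: str) -> str:
    """Client side: produce the value of the Authorization header.

    The header carries the credentials in full on every request; base64 is an
    encoding, not encryption, which is why the transport must be HTTPS.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(value: str):
    """Recover (username, password) from a Basic header value, or None if malformed.

    Anyone who can read the header (e.g. a man in the middle on plain HTTP)
    can run exactly this function, which is the answer's point.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    # Split on the first colon only: usernames cannot contain ':' but passwords can.
    username, _, password = raw.partition(":")
    return username, password


def authenticate(headers: dict, is_https: bool):
    """Server side: validate one request. Returns (http_status, username_or_None).

    Stateless: nothing is remembered between requests, so every request must
    carry the header again, exactly as the asker suspected.
    """
    if not is_https:
        # Refuse to even look at credentials sent in the clear.
        return 403, None
    auth = headers.get("Authorization")
    if auth is None:
        return 401, None
    creds = decode_basic_header(auth)
    if creds is None:
        return 401, None
    username, password = creds
    entry = CREDENTIALS.get(username)
    salt, stored = entry if entry is not None else (_SALT, _DUMMY_HASH)
    # Constant-time comparison of the derived hash against the stored one.
    if entry is None or not hmac.compare_digest(_derive(password, salt), stored):
        return 401, None
    return 200, username


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "open sesame")
    print(header)                                   # the Wikipedia example header
    print(decode_basic_header(header))              # trivially recoverable
    print(authenticate({"Authorization": header}, is_https=True))
    print(authenticate({"Authorization": header}, is_https=False))
```

The 403 for a non-HTTPS request is a design choice for the example: it makes the "HTTPS only" rule from the answer explicit in code. In practice the cleaner approach is to not expose an HTTP listener for the API at all, so the credentials can never be sent over a plain TCP connection in the first place.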