I'm building a RESTful API for my application and I would like to make it as clean and transparent as possible.
I need to create an authentication endpoint and it makes most sense to me to build it so that users can authenticate in the following way:
GET https://example.com/auth?identity=<username_or_email>&password=<password>
As I said, passing the user auth data using HTTP GET method in query parameters just seems very clean to me.
But I would like to ask you about how secure it actually is. Considering it will be encrypted through SSL/TLS, do you think it's a good idea to transfer user credentials like this?
Regarding the way to pass parameters, it is a less obvious thing. Unless there's something sensitive in the request parameters, it is perfectly fine to send them as part of URL. Both options are feasible, and I'd say a choice depends heavily on the application domain model.
The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.
Query parameters are a defined set of parameters attached to the end of a URL. They are extensions of the URL that are used to help define specific content or actions based on the data being passed. To append query params to the end of a URL, a '?' is added, followed immediately by a query parameter.
For example, if a website has protected content curl allows you to pass authentication credentials. To do so use the following syntax: curl --user "USERNAME:PASSWORD" https://www.domain.com . “USERNAME” must be replaced with your actual username in quotes.
As Display Name said, both variants are basically plain text (even using base64 encoding). So you must use TLS or another protection like HMAC
But on the other side, the query string is less secure in terms of how the server/client works with URLs in general. You can read about this here or here. Briefly, you should worry about the following
Well, I basically pass a base64 string to the server. My username and password are converted to base64 and then passed in the Authorization header
Authorization : "Basic --Value"
I find this the cleanest way of passing username and password to the server.
On the other end, the server has a module called passport. Passport provides different types of authorization and authentication like Basic, bearer, token or even your own custom.
For the above purpose I use the Basic module.