Is OAuth more secure than Basic Auth for server to server communication

Question

Is OAuth more secure than Basic Auth through HTTPS for server to server dialog?

I mean, if I want to do some API request from server A to server B with OAuth, I have to store some auth data (key, secret, etc.) on server A. Then using these auth data, I can have a token and make requests with this token to server B. And using the same auth data later, I will have a token key and will be able to make request with this fresh token.

With Basic Auth, I have some auth data (user, password) on server A. And I can perform requests with this data on B now and later.

Now let's say the auth data is discovered because there is a file on server A .conf with the auth data and this file was stolen. In both case (OAuth and Basic Auth), that's terrible, and there is no benefits in using OAuth over Basic Auth. Example on a real case: I just created a twitter bot (connection with OAuth) some days ago, if the configuration informations are discovered, the account is stolen and the attaquant will be able to use this bot now and in the future.

So, is there another reason I don't know (or maybe I misunderstood something) in using Oauth over Basic Auth for server to server requests (with HTTPS)?

Answer 1

If the server itself is breached, they do seem similar, but there are small differences if you consider the breach is in the communication channel.

With Basic authentication the full credentials are always included in each request, while with OAuth it's the access token that is included in each request. At first glance this may seem the same, but tokens do have some interesting characteristics:

• They can have an associated expiration time reducing the impact of a single leak.
• They can have a reduced scope, that is, the application has write access, but since most of it's requests only require read access, than it requests a read only access token that it uses in this majority of requests; again this minimizes the impact of a leak.

Another interesting part, is that most breaches will likely occur in the communication channel and not on the servers themselves so this does seem important.

There are however some downsides, bearer tokens require some additional complexity if you need immediate revocation capabilities.