
What is the difference between the two headers below?
Which one is preferred?

  1. X-Auth-Token: dadas123sad12

  2. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Vildjharta
Deepak
  • Hi Deepak, and welcome to Stack Overflow. It's quite a broad question - can you explain what you know about the two different authorization headers already, and how/why you need to choose between them? – Vince Bowdren Aug 18 '16 at 11:50
  • I just want to know the difference between the two, in order to attach it with a JWT token from a RESTful service. So confused about which type of header to use. @VinceBowdren – Deepak Aug 18 '16 at 13:01
  • Basically, the Authorization: Basic is used to log in and then you return a generated token which is returned on further requests to prove who you are. – G_V Oct 01 '16 at 10:43
  • @G_V: do they serve exactly the same purpose? I understand that 'x-auth-token' is used for exchanging the auth token once the user has logged in with credentials. Not sure about 'Authorization: Basic'.. – user18853 Jan 27 '17 at 08:15
  • @user18853 'Authorization: Basic' = send user:pass to get a token. 'x-auth-token' = send the token. – G_V Jan 28 '17 at 10:18

4 Answers

Authorization is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given.

The Basic scheme allows clients to provide a username/password pair separated by a colon (:), encoded in Base64. It cannot be stressed enough that this is a transport encoding that provides no real security benefits. E.g. the example given by you can trivially be 'decrypted' into Aladdin:open sesame.

Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token is pretty much providing a shortcut here as it (presumably) does not rely on either OAuth or the HTTP authentication framework.

Please note that with X-Auth-Token being an unregistered header, it is subject to no formal specification and its presence and content are always tied to a respective application. No general assumptions can be made about it.

DaSourcerer
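The Basic and Bearer values discussed in this answer (and the "Bearer" prefix in the last answer on this page), as an added Node.js example that is not code from any of the posts: it builds both header values and parses an Authorization field value back into its scheme and parameters, which makes plain that Basic is only a Base64 transport encoding of user:pass. Function names are my own; the decoded Aladdin example is the RFC 7617 test vector quoted in the question.

```javascript
// Added example (not from the original answers): build and parse HTTP
// Authorization field values for the Basic (RFC 7617) and Bearer (RFC 6750)
// schemes, showing that Basic is only a Base64 transport encoding.

// Build "Basic <base64(user:pass)>". RFC 7617 forbids a colon in the user-id,
// because the first colon is the separator between user-id and password.
function buildBasic(user, pass) {
  if (user.includes(":")) throw new Error("user-id must not contain ':'");
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Build "Bearer <token>". RFC 6750 b64token syntax has no internal whitespace.
function buildBearer(token) {
  if (/\s/.test(token)) throw new Error("bearer token must not contain whitespace");
  return "Bearer " + token;
}

// Parse an Authorization field value into its scheme and parameter.
// Scheme names are case-insensitive (RFC 7235 sec. 2.1); the scheme is a
// token (RFC 7230 tchar), followed by whitespace and a single parameter.
function parseAuthorization(value) {
  const m = /^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s+(\S+)\s*$/.exec(value);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const param = m[2];
  if (scheme === "basic") {
    // Plain Base64: anyone who sees the header recovers the credentials.
    const decoded = Buffer.from(param, "base64").toString("utf8");
    const i = decoded.indexOf(":");
    if (i < 0) return null; // malformed: no user-id/password separator
    return { scheme: "basic", user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
  }
  if (scheme === "bearer") {
    return { scheme: "bearer", token: param };
  }
  return { scheme, param }; // other registered schemes (Digest, ...) left opaque
}
```

Splitting at the first colon only matters for the password side: a password may legitimately contain colons, and the round trip through buildBasic/parseAuthorization preserves them.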

'Authorization: Basic ' means basic authentication: the browser/client has to supply the username/password with each request.

In the case of 'x-auth-token', the user has to supply the username/password for the first time and the server returns an access token in the header field 'x-auth-token'. For further sessions this token is exchanged, not the username/password.

user18853
  • "In case of 'x-auth-token' …" How can you know that? It's a non-standard authentication scheme outside [the official auth framework](https://tools.ietf.org/html/rfc7235). – DaSourcerer Aug 10 '17 at 15:32
  • @DaSourcerer It's been a while since I looked into this matter, but I did verify the implementation in the Spring framework (for both Basic authentication and x-auth-token) and it stands correct. – user18853 Aug 11 '17 at 11:05
  • Ah, my bad. I didn't realise this question had been specific to Spring; I simply assumed the general case. – DaSourcerer Aug 11 '17 at 11:10

In the case of normal "Basic" Authorization, you need to provide a string like this

"Basic " + Buffer.from("username:password").toString("base64"); // "Basic dXNlcm5hbWU6cGFzc3dvcmQ="

For client-side JavaScript you can check the window.atob() function to encode a string in base64.

And in the case of X-Authorization, the user has to pass their username/password to the server for the first time and the server responds with this X-Authorization token; after that, for every API call the user makes (in that session), only that X-auth token is used and not their credentials.

[Solution] When you get the response below, you have to put "Bearer" as a prefix to the OAuth token.

{
  "errorCode": 401,
  "errorDesc": "Full authentication is required to access this resource",
  "_userDesc": "Unauthorized"
}

The Authorization header should be as below

Bearer eyJraWQiOiJrOTgwMy4xNTk5ODQyODg3IiwiYWxnIjoiUlM1MTIifQ....

The issue will be resolved. Thanks

Thilina Chamika