
Each client has a private key, which they have to send to the server in a header in each request, like this:

X-MY-AUTH-CODE: {PRIVATE_KEY}

I've found a list of HTTP Authentication Schemes, but I have no idea which one this is. What should I write in the response header WWW-Authenticate if a client does not provide a valid key?

Iter Ator
  • Sending the key as is in the headers is not safe. Maybe you are referring to client-side TLS auth? Link: https://stackoverflow.com/questions/2613649/what-are-the-best-practices-to-map-a-client-certificate-to-an-user-account – ofirule Jan 30 '21 at 23:46
  • @ofirule Why is it not safe? My API is only available over HTTPS. I am not referring to client-side TLS auth. I just need to identify who made the request. – Iter Ator Jan 31 '21 at 10:51
  • Both Digest access authentication and basic access authentication don't send the password as is; in your case the key and the password are the secret you don't want to be exposed. You are probably vulnerable to repeat attacks, and maybe some other malicious stuff. In general I wouldn't implement my own authentication mechanism without some consulting. – ofirule Jan 31 '21 at 11:15
  • @ofirule If the client is authenticated with a session cookie, they are vulnerable to the same attacks, right? That is also sent in a header. – Iter Ator Jan 31 '21 at 11:32
  • The session should expire at some point, depending on the security model: https://en.wikipedia.org/wiki/Replay_attack#More_on_session_identifiers . Maybe you are right; I would at least ask for an evaluation at https://security.stackexchange.com/ – ofirule Jan 31 '21 at 11:43
  • @ofirule Thank you for the remarks. I will ask there. But as far as I know, if my API is only available over HTTPS, then it is not possible to eavesdrop on the conversation and use repeat attacks. – Iter Ator Jan 31 '21 at 11:47

1 Answer


The value can be anything you want, as long as the client can understand how to provide the authentication (the header in your case). I have answered a similar question before and it could help: HTTP 401 Unauthorized when not using HTTP basic auth?

Mike
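To make the answer concrete, here is an added example (not code from the question or the answer above) of a small server that implements the custom-header scheme from the question: it reads X-MY-AUTH-CODE, compares it against a key store in constant time, and on failure answers 401 with a WWW-Authenticate challenge. The header name is the one from the question; the scheme token "X-My-Auth", the realm "api", the key store and the sample keys are assumptions made for this example.

```python
"""Custom-header API key check with a proper 401 challenge.

Added example, not from the original question or answer. The header name
X-MY-AUTH-CODE comes from the question; the scheme token, realm and the
key store below are assumptions made for this example.
"""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = "X-MY-AUTH-CODE"
SCHEME = "X-My-Auth"   # assumed scheme token; must not collide with Basic, Bearer, Digest, ...
REALM = "api"          # assumed realm shown to the client in the challenge

# Constructed key store: client id -> secret. In a real service store only a
# hash of the secret and look the client up by a separate, non-secret id.
API_KEYS = {
    "alice": "2f1d9c0b8e7a4d6f5a3b1c0d9e8f7a6b",
    "bob": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
}


def challenge_header():
    """WWW-Authenticate value for a 401 response.

    RFC 7235 challenge syntax: a scheme token followed by auth-params.
    Clients only need to recognise the token to know which header to send."""
    return f'{SCHEME} realm="{REALM}"'


def authenticate(headers):
    """Return (status, response_headers, client_id) for a request.

    headers: dict of request header name -> value. Header names are matched
    case-insensitively, as HTTP requires."""
    presented = None
    for name, value in headers.items():
        if name.lower() == HEADER.lower():
            presented = value.strip()
            break
    if presented is None:
        # No key at all: 401 must carry at least one challenge.
        return 401, {"WWW-Authenticate": challenge_header()}, None

    # Compare against every stored key with a constant-time comparison and
    # without breaking early, so response timing does not leak which key
    # matched or how many leading bytes of a guess were right.
    matched = None
    for client_id, secret in API_KEYS.items():
        if hmac.compare_digest(presented.encode(), secret.encode()):
            matched = client_id
    if matched is None:
        return 401, {"WWW-Authenticate": challenge_header()}, None
    return 200, {}, matched


class Handler(BaseHTTPRequestHandler):
    """Tiny HTTP handler wiring authenticate() to real requests."""

    def do_GET(self):
        status, resp_headers, client_id = authenticate(dict(self.headers.items()))
        body = (f"hello {client_id}\n" if status == 200 else "unauthorized\n").encode()
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # curl -i http://127.0.0.1:8080/                      -> 401 + WWW-Authenticate
    # curl -i -H "X-MY-AUTH-CODE: <key>" http://127.0.0.1:8080/  -> 200
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Two points from the comment thread are worth keeping in mind with this pattern: the key is a shared bearer secret, so it must only ever travel over TLS and should be per-client and revocable; and the scheme token in the challenge is what lets a client distinguish your header from Basic or Bearer, so pick one that is not already a registered scheme name.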