14

I have an API endpoint https://www.example.com/api/authentication which takes username and password as input and returns an authentication token.

In terms of passing username and password, I have two options (at least), namely:

  1. HTTP Basic Authentication (which passes credentials as part of HTTP headers)
  2. HTTP POST parameters

I understand that neither method provides encryption (hence the use of HTTPS/SSL). I also understand why using HTTP GET is is a Bad Idea.

Is there any real difference (aside from the fact that basic authentication feels more idiomatic) between the two methods?

Frank
  • 3,029
  • 5
  • 34
  • 43

2 Answers2

13

The difference is that basic authentication is a well specified challenge/response scheme that all browsers understand and it is the server that starts it by telling a client that it requires (basic) authentication for a realm. This triggers the browser to show a popup to the user to enter a name/password which it then passes in the headers as you described.

In your second example you have to do all that in your own customized way and create your own login form for the user (etc).

If you deduct this process to the single step of passing the username/password from the client to the server I have to agree that there isn't that much difference but basic authentication implies a bit more than just that.

Eddy
  • 5,320
  • 24
  • 40
  • I had not considered this since I am dealing with non-browser clients. Excellent answer. – Frank Nov 15 '11 at 20:57
  • 4
    Beware: The very significant problem is that it is very hard to get the browser to log off once the user has properly authenticated. On some browsers you need to close every single browser instance. IE has a proper means to log off see : http://stackoverflow.com/questions/31326/is-there-a-browser-equivalent-to-ies-clearauthenticationcache/8497804#8497804 but other browsers don't. – AnthonyVO Feb 17 '12 at 21:22
2

HTTP Basic authentication implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

Sarvesh Kumar
  • 21
  • 1