HTTP Authentication

Basic Authentication

  • It is intended for username/password authentication
  • It should only be used over HTTPS (TLS), because the credentials are merely Base64-encoded, not encrypted
  • The following header is sent
Authorization: Basic Base64Encoded(username:password)

Bearer Authentication (aka Token Authentication)

  • Grants access to whoever presents (bears) the token, so the token itself must be protected
  • Defined in the OAuth 2.0 specification (bearer token usage is RFC 6750)
  • It should only be used over HTTPS (TLS), since anyone who reads the header can replay the token
  • The following header is sent
Authorization: Bearer <TOKEN>
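The two header forms above, as an added example that is not part of the original notes: a client-side builder for the Basic header and a server-side parser that verifies either a Basic or a Bearer header. The user table and token set are constructed placeholders, not a real system.

```python
import base64
import binascii
import hmac
from typing import NamedTuple, Optional

# Constructed sample credentials for this example only (not a real system).
VALID_USERS = {"alice": "s3cret:with:colons"}  # username -> password
VALID_TOKENS = {"tok_example_123"}             # bearer tokens the server issued

class AuthResult(NamedTuple):
    scheme: str     # "basic" or "bearer"
    principal: str  # username (Basic) or the presented token (Bearer)
    ok: bool        # True if the credential was accepted

def basic_header(username: str, password: str) -> str:
    """Client side: build 'Authorization: Basic Base64(username:password)'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_authorization(header: Optional[str]) -> Optional[AuthResult]:
    """Server side: parse and verify a Basic or Bearer Authorization header.
    Returns None if the header is missing, malformed or uses another scheme."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, value = parts[0].lower(), parts[1].strip()
    if scheme == "basic":
        # Base64 is an encoding, not encryption: the password is readable
        # to anyone who sees the header, hence the "HTTPS only" rule.
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # Split on the FIRST colon only: usernames may not contain ':', passwords may.
        username, sep, password = decoded.partition(":")
        if not sep:
            return None
        expected = VALID_USERS.get(username, "")
        # Constant-time compare so timing does not reveal how much of the password matched.
        ok = hmac.compare_digest(password.encode(), expected.encode()) and username in VALID_USERS
        return AuthResult("basic", username, ok)
    if scheme == "bearer":
        # The token is opaque to the client; the server only checks that it issued it.
        ok = any(hmac.compare_digest(value.encode(), t.encode()) for t in VALID_TOKENS)
        return AuthResult("bearer", value, ok)
    return None  # e.g. Digest or Negotiate: not handled here
```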

API Key

  • Can be sent as a query parameter, a header, in the request body, etc.

OAuth 2.0

  • Primarily used to authenticate to third-party websites and share information with them, e.g. using Facebook login on a third-party website.

  • tokens:

    • Access token: sent like an API key; it allows the application to access a user's data. Optionally, access tokens can expire.
    • Refresh token: optionally part of an OAuth flow; used to obtain a new access token once the current one has expired.
  • OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.

  • The OAuth framework specifies several grant types (or OAuth 2.0 flows) for different use cases:

    • Authorization code
    • Implicit
    • Hybrid
    • Client credentials
    • Resource owner password
    • Device flow
    • Refresh tokens
    • Extension grants

OpenID Connect

  • OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.

More topics

OAuth SAML SSO