
With both approaches I use SSL.

Both seem equally secure to me. But if SSL breaks, there are differences.

1) basic auth: Without SSL someone can fish the username+password and use it forever.

2) token auth: Without SSL someone can do a man-in-the-middle attack and steal my token and just use it, but only for a certain time period, I would say e.g. token creation date + 8 hours, and then every request with that token is invalid as the token is invalid.

Are there any more advantages from token based auth vs basic auth?

Pascal

1 Answer


One of the main advantages of using an authentication token (e.g. OAuth2) is that the client application does not need to save the credentials locally. The client application sends the credentials once for the initial login, then forgets them until you need to re-authorize the application, at which point the client application prompts the user to enter them again.

In contrast to version 1, OAuth2 does not require you to sign the request; the bearer token can be used as long as it is valid without any further measure. This may seem like a safety issue, but the process benefits from the simplification.

Marco
  • Why do I have to store the credentials locally using basic auth? You mean for every server request I have to send the credentials whether I am already authenticated or not? – Pascal Dec 27 '13 at 21:30
  • Yes, BASIC authentication requires each request to send username and password. – Marco Dec 27 '13 at 21:42
  • BUT I do not have to store it locally like localstorage (even that would not be that bad), I just save it in a variable. For someone to read my username/password he must hijack my PC first, then the browser; that's very unrealistic IMHO. – Pascal Dec 28 '13 at 10:22
  • Of course, this is what the browser does. But if your client application wants to keep the session between two executions, it will necessarily save the credentials somewhere. Think of a mobile application, for example. – Marco Dec 28 '13 at 13:57