Index

HTTP authentication methods

Is your API communication safe enough?

Josep Jaume Rey (@josepjaume) - Twitter, GitHub

Fact: API's are awesome

Question: How to intercommunicate your components?

Use an authentication mechanism

Round 1: HTTP's basic access authentication

  1. Client asks GET /secret
  2. Server: 401 WWW-Authenticate: Basic realm="Codegram"
  3. Client sends credentials:
    Client: basic-credentials = "Basic" SP basic-cookie
            basic-cookie = base64encode(username + ":" + password)
  4. Server returns 200 OK with the document

Wrong!

Round 2: Use an API token in the header

  1. Client asks GET /secret
  2. Server: 401 WWW-Authenticate: Basic realm="Codegram"
  3. Client sends credentials:
    X-AuthToken = "secret_long_string"
  4. Server returns 200 OK with the document

Still Wrong!

Round 3: Combined with SSL

Hypothesis: If the channel can be trusted, then the underlying authentication mechanism shouldn't be something to worry about.

Wronger!

ZOMG so WAT?

HTTP Digest access authentication

  1. Client: GET /secret
  2. Server: 401, sends:
    • realm: Authentication domain (codegram)
    • nonce (unique random value)
  3. Client request:
    • HA1 = MD5(A1) = MD5(username:realm:password)
    • HA2 = MD5(A2) = MD5(method:URI)
    • returns: MD5(HA1:nonce:HA2), realm
  4. Server can reproduce the same operations on its side.
    (it can store HA1 or MD5(password), etc.; this depends on the implementation)
    HTTP/1.0 200 OK
    next-nonce = "another nonce"

    Then it discards the nonce

Good!

Downsides

Extended version (qop)

Client adds these fields:

Those are added in the response hash: MD5(HA1:nonce:cnonce:nc:HA2), nc, cnonce

With qop-value = auth-int it also includes a hash of the request body.
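The digest exchange above (client and server both deriving the response from HA1, single-use nonces) and the qop extension, as an added Python example that is not part of the original slides. The server stores only HA1 per user, issues a fresh nonce per challenge and discards it after one use, so a captured response cannot be replayed. For the qop=auth form the code uses the exact field order of RFC 2617 (nonce:nc:cnonce:qop) so that it reproduces the RFC's own test vector; the realm name and user credentials below are constructed.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_response(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Response hash shared by client and server.
    Without qop: MD5(HA1:nonce:HA2)            (RFC 2069 form)
    With qop:    MD5(HA1:nonce:nc:cnonce:qop:HA2) (RFC 2617 form)"""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(username, realm, password, method, uri, nonce, **qop_fields):
    """Client side: HA1 = MD5(username:realm:password); the password never leaves the client."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return compute_response(ha1, method, uri, nonce, **qop_fields)


class DigestServer:
    """Server side: keeps HA1 per user (not the password) and a set of unused nonces."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()

    def challenge(self):
        # Fresh unpredictable nonce for every 401; remembered until it is used once.
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response, **qop_fields):
        if nonce not in self.issued:      # unknown, expired or already used: replay
            return False
        self.issued.discard(nonce)        # single use: discard before checking the hash
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        expected = compute_response(ha1, method, uri, nonce, **qop_fields)
        return secrets.compare_digest(expected, response)  # constant-time comparison
```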

Notes

Awesome!

Downsides

THE END

Further reading:
