REST – How should an API use HTTP Basic authentication?

Tags: api, authentication, rest

When an API requires that a client authenticate to it, I've seen two different scenarios used, and I am wondering which one I should use for my situation.

Example 1. An API is offered by a company to allow third parties to authenticate with a token and secret using HTTP Basic.

Example 2. An API accepts a username and password via HTTP Basic to authenticate an end user. Generally they get a token back for future requests.

My setup: I will have a JSON API that I use as the backend for a mobile and a web app. It seems like good practice for both the mobile and web app to send along a token and secret so that only these two apps can access the API, blocking any other third party.

But the mobile and web app allow users to log in and submit posts, view their data, etc. So I would want them to log in via HTTP Basic as well on each request.

Do I somehow use a combination of both these methods or only send the end user credentials (username and token) on each request? If I only send the end user credentials, do I store them in a cookie on the client?

Best Answer

HTTP Basic authentication requires the username and password to be sent with every resource request. The username:password pair is passed in the "Authorization" request header as a base64-encoded string prefixed with "Basic ". If all of your HTTP communication is encrypted (via SSL), the Authorization header's information shouldn't be easily usable by attackers, since it's unlikely that they'll be able to get hold of it.

SSL-encrypted HTTP with Basic authentication should be enough.
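As an added example (not part of the question or the answer above), the following Python shows both halves of the header format the answer describes: the client builds `Authorization: Basic base64(username:password)`, and the server parses it and checks the credentials. The in-memory user store, the PBKDF2 password hashing and the constant-time comparison are assumptions added for the example; the page itself only specifies the header encoding.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample credential store (username -> (salt, PBKDF2-SHA256 hash)).
# A real backend would keep this in a database; the salt and user are made up.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash_password("s3cret:with:colons", _SALT))}

def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64('username:password'), as the answer describes."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_header(header):
    """Server side: return (username, password), or None if the header is malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:      # scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):    # bad base64 or non-UTF-8 bytes
        return None
    # Split on the FIRST colon only: the password may itself contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password

def authenticate(header) -> bool:
    """Decode the header and verify the password against the stored hash."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    # Hash against a dummy record for unknown users so the work done is uniform.
    salt, expected = record if record else (_SALT, b"\x00" * 32)
    return hmac.compare_digest(_hash_password(password, salt), expected) and record is not None
```

Because the header is only base64, not encryption, `parse_basic_header` recovers the plaintext password on every request, which is why the answer insists the transport itself be encrypted.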