Basic Authentication
- A simple authentication scheme built into the HTTP protocol (RFC 7617) that transfers the username and password with every HTTP request
- Transmits the string 'username:password' in cleartext (only Base64 encoded, not encrypted) \(\rightarrow\) must only be used over TLS
- Rarely used anymore for interactive logins, mostly replaced by form-based authentication
- Most APIs that still use Basic Auth hand out server-generated tokens / passwords that replace the Base64-encoded 'username:pw'; these have several advantages:
    - higher entropy
    - a separate access token can be created for each application
    - revocable
    - scopeable (limited to specific permissions)
How it works
- The server responds with status 401 Unauthorized and a challenge header:
    WWW-Authenticate: Basic realm="Wallys World"
- The client concatenates username and password with a colon: "username:password"
- The client Base64-encodes that string
- The client puts the resulting Base64 in the Authorization header of the next request:
    Authorization: Basic am9objpwYXNzd29yZA==
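Added example (not part of the original notes) in Python: the client side builds the header from the steps above, and the server side parses and checks it, splitting only on the first colon so passwords containing ':' survive. `USERS` is a constructed demo credential store; a real server would store password hashes.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (hypothetical): username -> password.
USERS = {"john": "password", "api-client": "s3cr3t:with:colons"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: encode 'username:password' (UTF-8) as Base64 per RFC 7617."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server side: return (username, password) or None if the header is malformed.

    Splits on the FIRST colon only, so a password containing ':' is preserved.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:  # the colon separator is mandatory
        return None
    return username, password


def challenge_header(realm: str = "Wallys World") -> str:
    """Header the server sends with a 401 to request Basic credentials."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def authenticate(header: str) -> bool:
    """Check a client's Authorization header value against USERS."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username, "")
    # compare_digest avoids leaking the match position through timing;
    # the trailing check keeps unknown users False even for an empty password
    return hmac.compare_digest(password.encode(), expected.encode()) and username in USERS
```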