Basic Authentication with a Guid token for REST ap

2020-02-02 04:26发布

Overview

I am developing a mobile application using PhoneGap with REST API for the backend. The REST API won't be utilised by third-party developers, but will be application-specific, so there is no need for oAuth to be implemented. Hence, I am planning to use Basic Authentication where in the User enters their Username/password to access the API resources. All API communication will be on SSL.

Basic Authentication with Token

Instead of letting the application store the username/password and send it with every request to the API, I would rather authenticate username/password on the first login request and send a GUID token back. The client stores this GUID token and sends the token back to the API with each request through the Authorization header, like this:

Authorization: Basic e1d9753f-a508-46cc-a428-1787595d63e4

On the server side, the username/GUID combination will be stored on the server with a expiration date along with device settings. This will allow to keep track of the number of devices a user has logged in from as well as expire the session once the Guid has reached expiration.

Does this approach sound reasonable and secure?

2条回答
男人必须洒脱
2楼-- · 2020-02-02 04:56

The general "Authentication with Token" approach is very good but you shouldn't try to make Basic Authentication work in different way than it is supposed to (after all it is a defined standard). You should rather use your own header for authentication purposes. You can find a very good description of such scenario here:

查看更多
混吃等死
3楼-- · 2020-02-02 04:57

There is no need for you to create custom headers or authentication schemes at all.

The Bearer authentication scheme is designed exactly for your use case:

Authorization: Bearer e1d9753f-a508-46cc-a428-1787595d63e4

Basic authentication must be as follows:

Authorization: Basic base64EncodedUsernameAndPassword

where base64EncodedUsernameAndPassword is equal to the output of:

base_64_encode(username + ':' + raw_password)

Do not use Basic if the trailing text value is not the above exact algorithm.

If you just want to put whatever value you want after the scheme name, use the Bearer scheme - that is what it was invented for.

Warning

While you can use a simple GUID/UUID as your token, this isn't really a secure token. Consider using a JWT instead. JWTs can be digitally signed and assigned a TTL so that only the server setting it can a) create it and validate its authenticity and b) ensure it is not used longer than is allowed. While this may be true of your data stored based on the GUID, the JWT approach does not require server state - so it scales far better - and accomplishes the same thing.

查看更多
登录 后发表回答