I'm developing a web API for my own services. Since the API will be restricted to a set of special users I need to validate credentials.
I have seen many examples from payment gateways like Stripe, and they use a simple way to authenticate users: over an https website they send the user's 'token' via http auth, and the request data as GET/POST parameters. One such token is generated for every user and can be re-generated at any time.
Is this a secure way to allow access to my API? It seems very simple to implement, but I cannot see a flaw in it or maybe I'm missing something? Maybe using some asymmetric crypto is more secure?
Thanks!
In order to authenticate, you have to provide to the API something which is shared between your API and the users. It could be:
I would go for the token based authentication. It requires some work in order to have a functional console where clients can get their token, but it is ultimately better aligned with the authentication standards (and flexible enough to use client OAuth if needed one day).
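As an added illustration of the token-based scheme the answer recommends (this is example code, not code from the question, the answer, or any real gateway's API), the block below shows the server side of the pattern: a random per-user token is issued and can be regenerated, only a digest of it is stored, the `Authorization: Basic` header the client sends over HTTPS is parsed, and the comparison is constant-time. The in-memory `TokenStore`, the `is_https` flag standing in for the transport check, and the user name `alice` are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Constructed in-memory store: user id -> SHA-256 digest of that user's current token.
    Keeping only a digest means a copied database does not yield usable tokens."""
    digests: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Generate a fresh random token for the user and record its digest.
        Calling this again regenerates the token and invalidates the previous one."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.digests[user_id] = self._digest(token)
        return token

    def verify(self, user_id: str, token: str) -> bool:
        """Constant-time check of the presented token against the stored digest."""
        stored = self.digests.get(user_id)
        if stored is None:
            # Hash anyway so unknown users cost about the same time as known ones.
            hmac.compare_digest(self._digest(token), self._digest(""))
            return False
        return hmac.compare_digest(stored, self._digest(token))


def build_basic_header(user: str, token: str) -> str:
    """Client side: encode user:token the way HTTP Basic auth expects."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode("utf-8")).decode("ascii")


def parse_basic_auth(header_value: str):
    """Parse 'Basic base64(user:token)'. Returns (user, token) or None on any malformed input."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, token = decoded.partition(":")
    if not sep or not user:
        return None
    return user, token


def authenticate_request(store: TokenStore, headers: dict, is_https: bool) -> bool:
    """Server side: refuse plaintext transport, then validate the user's token."""
    if not is_https:
        return False  # a bearer-style token sent over plain HTTP is exposed on the wire
    auth = headers.get("Authorization")
    if auth is None:
        return False
    parsed = parse_basic_auth(auth)
    if parsed is None:
        return False
    user, token = parsed
    return store.verify(user, token)


def demo():
    """Walk through issue -> authenticate -> regenerate; returns three booleans."""
    store = TokenStore()
    token = store.issue("alice")  # constructed user
    header = build_basic_header("alice", token)
    ok = authenticate_request(store, {"Authorization": header}, is_https=True)
    over_plain_http = authenticate_request(store, {"Authorization": header}, is_https=False)
    store.issue("alice")  # regenerate: the old token must stop working
    after_rotation = authenticate_request(store, {"Authorization": header}, is_https=True)
    return ok, over_plain_http, after_rotation


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that regeneration is just overwriting one digest, which is what makes "re-generate at any time" cheap, and that the token itself never needs to be stored server-side, so the scheme's security rests on the transport being TLS and the token having enough entropy, not on any secrecy of the server's database.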