Tags: authentication, django-rest-framework, http-authentication

What is the motivation in using "Token" as authentication scheme in django rest framework?


Django REST framework provides a TokenAuthentication class for authentication. It validates against a header in the format Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b. The authentication scheme, Token, seems to be customarily chosen. The IANA auth scheme registry's list of authentication scheme names does not include Token as of today (2019-12-20).

Two background RFCs not mentioned in the above IANA link:

  • RFC 2616 mentions Basic and Digest Access only.
  • RFC 2617 mentions that Basic is not secure.

So my questions are:

  • Is it a custom scheme? If so,
  • How common is it to use a custom auth scheme in the Authorization header?
  • What is the motivation in choosing Token as the scheme?
  • What other libraries also use Token as the scheme?

To complicate matters, django-rest-framework-jwt provides a JWT authentication class, which adopts JWT as the scheme. According to this question, the correct choice is Bearer.


Solution

  • The IANA auth scheme registry is more recent (2014 on the linked document) than when Token was implemented (2012 according to this PR). Things have changed since, but migrating would be a lot of work and there are better alternatives now.
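To make the practical side of this concrete: in DRF the scheme name is nothing more than a configurable prefix (TokenAuthentication has a `keyword` class attribute set to 'Token', and a subclass that sets `keyword = 'Bearer'` is the usual way to rename it). The header check itself treats the scheme name case-insensitively, as RFC 7235 requires for auth-scheme tokens, and then expects exactly one credential after it. The following stand-alone model is an added example, not code from the question, the answer or DRF itself; it mirrors the shape of DRF's check but `TokenHeaderAuthenticator`, the in-memory token store and the sample user are all constructed for illustration.

```python
"""Stand-alone model of how an 'Authorization: Token <key>' header is checked.

Added illustration, NOT Django REST framework's own code. It follows the same
shape as DRF's TokenAuthentication (scheme keyword compared case-insensitively,
exactly one credential after it, other schemes passed over), but the token
store is a constructed dict rather than a database table.
"""
import hmac
from typing import Dict, Optional


class AuthenticationFailed(Exception):
    """Raised when the header names our scheme but the credentials are unusable."""


class TokenHeaderAuthenticator:
    # The scheme name is just a configurable prefix. RFC 7235 makes the
    # auth-scheme token case-insensitive, so "token" and "TOKEN" also match.
    keyword = "Token"

    def __init__(self, tokens: Dict[str, str], keyword: Optional[str] = None):
        # Constructed token store: key -> username (a real store would be a DB).
        self._tokens = tokens
        if keyword is not None:
            self.keyword = keyword

    def authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the username for a valid header, None when the header does not
        use our scheme (so another authenticator can try), else raise."""
        parts = headers.get("Authorization", "").split()
        if not parts or parts[0].lower() != self.keyword.lower():
            return None  # not our scheme: Basic, Bearer, JWT, or no header at all
        if len(parts) == 1:
            raise AuthenticationFailed("Invalid token header. No credentials provided.")
        if len(parts) > 2:
            raise AuthenticationFailed("Invalid token header. Token string should not contain spaces.")
        return self._lookup(parts[1])

    def _lookup(self, key: str) -> str:
        # Constant-time comparison against each stored key, so a wrong key does
        # not leak how many leading characters matched via timing.
        for stored_key, username in self._tokens.items():
            if hmac.compare_digest(stored_key, key):
                return username
        raise AuthenticationFailed("Invalid token.")

    def rejects(self, headers: Dict[str, str]) -> bool:
        """True if the header names our scheme but fails authentication."""
        try:
            self.authenticate(headers)
        except AuthenticationFailed:
            return True
        return False


# Constructed sample data; the key is the one quoted in the question.
TOKENS = {"9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b": "alice"}
TOKEN_HEADER = {"Authorization": "Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"}


def demo() -> Dict[str, Optional[str]]:
    token_auth = TokenHeaderAuthenticator(TOKENS)             # DRF's default keyword
    bearer_auth = TokenHeaderAuthenticator(TOKENS, "Bearer")  # same check, RFC 6750 name
    return {
        "token_scheme_accepts": token_auth.authenticate(TOKEN_HEADER),
        "lowercase_scheme_accepts": token_auth.authenticate(
            {"Authorization": "token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"}),
        # A Bearer-only authenticator ignores the Token header rather than rejecting it.
        "bearer_scheme_ignores": bearer_auth.authenticate(TOKEN_HEADER),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes about the question: switching from Token to Bearer changes only the prefix string, while the semantics (an opaque credential presented once per request over TLS) are identical, which is why the scheme name is a registry and interoperability matter rather than a security one.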