5

I am building a REST API which needs to be reasonably secure - no payment details are passed, but I want to ensure accounts don't get hijacked, for instance.

I have looked at implementing 2 Legged OAuth, but I can't see any real advantage to just using basic auth over SSL (with a high entropy programmatically generated API key as the password).

Are there any scenarios where 2 Legged OAuth is more secure than HTTP basic auth over SSL?

1 Answer

2

HTTPS is the complete HTTP data sent over an SSL connection.
The data sent through HTTP basic auth is also encrypted if you use HTTPS.
So basically, it should make no difference.
What could be bad is that you have to store the password on the client computer with HTTP basic auth.
With OAuth, as far as I know, only a token is stored.


8 Comments

Any data over HTTP is not encrypted by default, even when using Basic Auth.
If you use HTTPS, all HTTP data gets encrypted, even the HTTP basic auth. HTTPS is not its own protocol; it's just HTTP over SSL.
Now that you have rewritten your answer I've removed my -1.
Not sure that helps answer my question - are there any scenarios in which 2 legged OAuth would be more secure?
It's possible. Is it a desktop application? If the client PC gets infected by a trojan or so, it's maybe possible to read the password in plain text. If you use OAuth, as far as I know only a token is stored, so the hacker doesn't get any passwords.
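An added example, not code from the question, answer or comments: the scheme the question describes (a generated high-entropy API key sent as the Basic auth password), showing that the header is only base64-encoded, so TLS is what keeps it confidential. The function names, the client id `client-42` and the choice to keep only a SHA-256 digest of the key on the server are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import secrets


def new_api_key():
    """Return (api_key, digest). The server keeps only the digest."""
    key = secrets.token_urlsafe(32)  # 32 random bytes, about 256 bits
    # A fast hash is acceptable here only because the key is random and
    # high entropy; human-chosen passwords need a slow password hash.
    return key, hashlib.sha256(key.encode()).hexdigest()


def basic_header(client_id, api_key):
    """Client side: build the Authorization header value."""
    raw = f"{client_id}:{api_key}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (client_id, api_key), or None if the header is malformed.

    Anyone who can read the header can do this; base64 is an encoding,
    not encryption, so without HTTPS the key is exposed on the wire.
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    client_id, sep, api_key = decoded.partition(":")
    return (client_id, api_key) if sep else None


def verify(header, key_digests):
    """Server side: check the presented key against the stored digest."""
    parsed = parse_basic(header)
    if parsed is None:
        return False
    client_id, api_key = parsed
    # Unknown clients are compared against a dummy digest that no real
    # key hashes to, so both paths do the same work.
    expected = key_digests.get(client_id, "0" * 64)
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    return hmac.compare_digest(presented, expected)
```
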