I have created JWT based Authentication in my Web API application. I am not able to figure out the difference between
- Basic Token
- Bearer Token
Can someone please help me?
Add a comment
|
2 Answers
The Basic and Digest authentication schemes are dedicated to the authentication using a username and a secret (see RFC7616 and RFC7617).
The Bearer authentication scheme is dedicated to the authentication using a token and is described by the RFC6750. Even if this scheme comes from an OAuth2 specification, you can still use it in any other context where tokens are exchange between a client and a server.
Concerning the JWT authentication and as it is a token, the best choice is the Bearer authentication scheme. Nevertheless, nothing prevent you from using a custom scheme that could fit on your requirements. But the custom scheme may be misunderstood by applications.
1 Comment
Hussain Akbar
Kindly explain your assertion that JWT is "best choice"
Basic authentication transmits credentials as user ID/password pairs, encoded using base64. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password.
Authorization: Basic ZGVtbzpwQDU1dzByZA==
Note: For basic authentication, as the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS / TLS should be used in conjunction with basic authentication.
Bearer authentication (also called token authentication) has security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources:
Authorization: Bearer < token >
Note: Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
9 Comments
brain storm
so both these are authorization and not really authorization. In the first one, you send base64 encoded string and get authorized while in latter you get back a token and use it to access resource
Muhammad Umer
what's the advantage of passing token over username/password?
Mihai
@MuhammadUmer you can revoke the tokens and also grant them granular access (i.e. only read access).
Muhammad Umer
I found the answer and it was that you don't have to do db read with token you can use crypto to validate token, best for microservices which don't have shared session state, although there are load balancer which can fix one user to one service, but it's still performant.
Masoud
To me best answer. Just wanted to add in some scenarios, payment gateways for instance, you need both type of Auth, one step to authenticate with Basic information, and from there next communication would be with Brear ...Jwt.. token. the later jwt token comes from first returned access_key token.
|