views:

26

answers:

1

My latest API is going to "ship" soon. Coming from a "release early and often" background, I'm planning to implement oAuth in a later release version.

What are the reasons why e.g. Twitter removes Basic Auth from its API? What are the pros and cons and maybe security implications using Basic authentication in any API?

Best
Henrik

+1  A: 

The possible reason (in my humble opinion) why Twitter removed Basic Authorization is based on the fact that Basic Authorization is based on Base64 encoding. The Basic Authorization header allows you to hash a string concatenation of username and password (separated by a colon).

e.g. (Pseudo-code, language independent)

String basicAuth = Base64Encode("username:password"); // where username is my username and password is my password
httpRequestHeader.setHeader("Authorization", "Basic " + basicAuth); // the encoded pair is sent with every request

Eavesdroppers can intercept the HTTP request, retrieve the Authorization header, decode the Base64 encoded stream and get the user's username and password. The encoder/decoder code can be found anywhere on the internet.

Now, the eavesdropper logs in to Twitter using that username and password and becomes the "new" user (and changes the password so that the current user doesn't login anymore).

More or less, the pitfalls of Basic Authentication can be found here.

Secondly, Twitter wanted authentication to be done on the publisher site and not sent remotely via a 3rd-party client. OAuth provides such capability.

The Elite Gentleman
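As an added example (not part of the answer above), here is the header construction the answer sketches, the reverse step that shows Base64 offers no confidentiality, and the audit a defender would run over request metadata to flag Basic credentials sent over plaintext HTTP. The URLs, usernames and passwords are constructed sample values.

```python
import base64
import binascii
from urllib.parse import urlsplit

def build_basic_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic credential: 'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_header(header_value: str):
    """Recover (username, password) from a Basic header; None if it is not valid Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64 or not UTF-8: malformed header
    user, sep, pwd = raw.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, pwd

def audit_requests(requests):
    """Return (url, username) for every request carrying Basic credentials over non-HTTPS."""
    findings = []
    for url, headers in requests:
        auth = headers.get("Authorization")
        if auth is None:
            continue
        creds = decode_basic_header(auth)
        if creds is None:
            continue
        if urlsplit(url).scheme.lower() != "https":
            findings.append((url, creds[0]))  # never log the recovered password
    return findings

SAMPLE_REQUESTS = [  # constructed sample traffic, not real hosts or accounts
    ("http://api.example.invalid/statuses", {"Authorization": build_basic_header("henrik", "s3cret")}),
    ("https://api.example.invalid/statuses", {"Authorization": build_basic_header("henrik", "s3cret")}),
    ("http://api.example.invalid/public", {}),
]
```

Only the first sample request is flagged: the same header is harmless over TLS and the third request carries no credentials at all.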