HTTP Basic Authentication comes into the picture where traditional cookie/session based authentication is no longer sufficient. This insufficiency became apparent as RESTful web services grew popular and their endpoints had to be secured.
Traditional form based or cookie based authentication is not sufficient for securing REST APIs, because it is designed for web browser based applications driven by a human user.
In the REST API world, we cannot assume that the client is a browser driven by a human. It can be a standalone application, a mobile application (Android/iOS), or another service hosted on a server. In addition, session based authentication is stateful, so the server carries the overhead of maintaining user sessions, whereas a REST API does not track user sessions across requests: each request is a new, independent request to the endpoint. HTTP Basic authentication is stateless and keeps no track of user sessions.
Cookie/Session Based Authentication:-
The username and password are submitted only the first time. A session is then created and its session id is stored in the client browser as a cookie. The cookie is sent to the server with subsequent HTTP requests for authentication/identification. This is a stateful authentication mechanism (the session and cookie let the server keep track of who you are).
HTTP Basic Authentication:-
In each request, the username and password are base64 encoded and sent to the server in the Authorization header. So in every API call the base64 encoded username:password pair is submitted. This is a stateless authentication mechanism (the server does not know or remember you; you must tell it who you are in each request).
Traditional Cookie/Session based authentication is not enough for securing REST Api
How Does Basic Authentication Work?
Basic Authentication flow
- The user (who is unauthenticated) tries to access the protected/secured REST resource.
- The server sees that the request comes from an unauthenticated user and targets a secured resource. It generates an unauthorized (401) response and sends it back to the client application, saying that authentication is required.
- The client application receives the server response and identifies that authentication is required to access the requested resource. It also learns that the supported authentication type is HTTP Basic.
E.g:- In the server response: WWW-Authenticate: Basic realm="spring-app"
- The client application prepares a base64 encoded string from the username and password and includes it in the Authorization header, then requests the protected resource again along with that header.
Syntax :- Authorization: Basic base64encode(username:password)
E.g:- Authorization: Basic YWRtaW46dGVzdDEyMw==
- On the server side, the Authorization header is base64 decoded to extract the username and password. The user is then authenticated against the available authentication provider.
- If the request is authenticated successfully, the requested protected resource is sent back to the client application.
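The whole flow above, both the client side (building the header) and the server side (challenge, decoding, credential check), as an added example in Python. This is not code from the original article and not a Spring implementation; the credential store, the realm name reuse and the static salt are constructed for the example. The server keeps only a PBKDF2 hash of each password and compares it in constant time, splits the decoded string on the first colon only (so passwords may contain colons), and answers every failure with the same WWW-Authenticate challenge. It also makes the point of the next section visible: the "admin:test123" pair comes straight back out of the example header with one base64 decode.

```python
import base64
import binascii
import hashlib
import hmac

REALM = "spring-app"  # realm from the article's example challenge

# Constructed credential store: only a salted PBKDF2 hash is kept, never the plaintext.
# A real deployment uses a random per-user salt; a fixed one is used here for brevity.
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"admin": _hash_password("test123", _SALT)}  # matches YWRtaW46dGVzdDEyMw==


def build_authorization_header(username: str, password: str) -> str:
    """Client side: 'Authorization: Basic base64(username:password)'."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow a colon in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(header_value: str):
    """Server side: return (username, password), or None if the header is unusable."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)  # reject non-base64 input
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers: dict) -> tuple:
    """Server side: returns (status_code, response_headers, body) for a protected resource."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, "authentication required"
    creds = parse_basic_credentials(auth)
    if creds is None:
        return 401, challenge, "malformed credentials"
    username, password = creds
    stored = USERS.get(username)
    # Hash the candidate even for unknown users so both failure paths cost the same.
    candidate = _hash_password(password, _SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return 401, challenge, "invalid credentials"
    return 200, {}, f"secret resource for {username}"


def run_flow(username: str, password: str) -> int:
    """Drive the six steps of the article's flow and return the final status code."""
    # Steps 1-2: unauthenticated request, server answers 401 with the Basic challenge.
    status, resp_headers, _ = handle_request({})
    assert status == 401 and resp_headers["WWW-Authenticate"].startswith("Basic")
    # Steps 3-4: client reads the challenge and retries with the Authorization header.
    header = build_authorization_header(username, password)
    # Steps 5-6: server decodes, authenticates and serves (or rejects) the resource.
    status, _, _ = handle_request({"Authorization": header})
    return status


if __name__ == "__main__":
    print(run_flow("admin", "test123"))  # 200
    print(run_flow("admin", "wrong"))    # 401
    print(parse_basic_credentials("Basic YWRtaW46dGVzdDEyMw=="))  # ('admin', 'test123')
```

The `run_flow` helper stands in for a real HTTP client and server so the exchange runs offline; with real sockets the same header values travel on the wire, which is why the next section's HTTPS requirement matters.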
Problem with HTTP Basic Authentication
The main problem with HTTP Basic authentication is that the password is transmitted effectively in plain text: base64 is an encoding, not encryption, and anyone who can see the header can decode it. Therefore Basic authentication should be used only when transport layer security is provided, that is, only over HTTPS.
In addition, the username and password have to be sent in every REST API request for a protected resource.
HTTP Basic Authentication is a very basic, entry level REST API authentication mechanism. As I said earlier, it should be used only over HTTPS.
I hope this article gives you a good idea of what HTTP Basic authentication is and how it works.