I want to build an API that uses HTTP Basic Auth, but to do this I would need the client to store the user’s password in plain text and then send it along with every request. I really don’t want to do this.
I can’t use OAuth for this API, or have the client register their app to use the API.
Any suggestions on alternative methods of authorisation?
What is your threat model? In other words, what are the risks you are trying to address?
If you are worried about sending credentials in plaintext, you can use SSL with HTTP Basic Auth. Also, you can look into:
1) Using digest authentication
2) SSL client certificate authentication (this may not work because you said you cannot register an app id; for cert auth to work, you need at least the public key of the cert you want to authenticate)
3) If it is an internal app, you can use Kerberos (Windows) authentication
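To make option 1 concrete, here is an added worked example of the HTTP Digest exchange (RFC 2617, qop=auth) with both the client and server sides; it is illustration code written for this page, not code from the answer above. The realm, username, password and URI are constructed values. It shows the two properties the question cares about: the password itself never appears in the request, and neither side has to hold the raw password, because both only need HA1 = MD5(username:realm:password). The server also tracks the nonce count to reject a replayed Authorization header. Digest as defined in RFC 2617 is MD5-based, so TLS is still the right transport for it.

```python
import hashlib
import hmac
import secrets

REALM = "api.example.invalid"  # constructed realm for the example


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 is the only secret either side needs to keep; the server stores
    # this instead of the password, and the client may cache it too.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 section 3.2.2.1, qop=auth: response = KD(HA1, nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm, ha1_store):
        self.realm = realm
        self.ha1_store = ha1_store   # username -> HA1 hex (no plaintext passwords)
        self.issued = {}             # nonce -> highest nonce-count accepted so far

    def challenge(self):
        # Contents of the WWW-Authenticate: Digest ... header on a 401.
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, auth, method):
        # Validates the parsed Authorization: Digest ... header of a request.
        nonce = auth["nonce"]
        if nonce not in self.issued:
            return False                      # unknown (or expired) nonce
        nc = int(auth["nc"], 16)
        if nc <= self.issued[nonce]:
            return False                      # nonce count not increasing: replay
        stored = self.ha1_store.get(auth["username"])
        if stored is None:
            return False
        expected = digest_response(stored, method, auth["uri"], nonce,
                                   auth["nc"], auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False                      # wrong credential or tampered request
        self.issued[nonce] = nc
        return True


def client_authorize(username, ha1_hex, method, uri, challenge, nc, cnonce=None):
    # Builds the Authorization header fields; note that only HA1 is needed here.
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1_hex, method, uri, challenge["nonce"], nc, cnonce, challenge["qop"])
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce, "response": resp}


def run_exchange():
    # Full round trip with constructed credentials: first request accepted,
    # the same header replayed is rejected, and a wrong password is rejected.
    password = "s3cret-example"
    server = DigestServer(REALM, {"alice": ha1("alice", REALM, password)})
    chal = server.challenge()
    client_secret = ha1("alice", REALM, password)   # client caches HA1, not the password
    auth = client_authorize("alice", client_secret, "GET", "/v1/items", chal, "00000001")
    first = server.verify(auth, "GET")
    replay = server.verify(auth, "GET")
    bad = client_authorize("alice", ha1("alice", REALM, "wrong"), "GET", "/v1/items", chal, "00000002")
    wrong_password = server.verify(bad, "GET")
    return {"first": first, "replay": replay, "wrong_password": wrong_password,
            "password_on_wire": password in repr(auth)}


if __name__ == "__main__":
    print(run_exchange())
```

The server's `issued` table would be a store with expiry in a real deployment; the example keeps it in memory to show the nonce-count replay check without extra machinery.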