Hacker News new | ask | show | jobs
by ksri 3334 days ago
Author here. The doc does acknowledge basic auth as a valid approach for server side usage, but the language was a bit too pessimistic about basic auth.

I just modified it to say the following

    If you use HTTPS, then basic authentication is a good choice for server side only applications. It is the easiest to get started, and is well supported by clients and server frameworks.
3 comments
sjtgraham 3334 days ago
Basic auth is only OK if you don't have :80 open. Clients will send the creds over the clear to :80. It doesn't matter if you reply with a 400, the creds are already compromised at that point.
link
JimDabell 3333 days ago
Even if you don't have :80 open, that doesn't mean there isn't a MITM that would accept the connection instead of you.
link
willstrafach 3333 days ago
As long as https:// prefix is used, this is not true, MITM cannot downgrade that.
link
beaconstudios 3333 days ago
plus a HSTS header for any type-in traffic.
link
theandrewbailey 3334 days ago
As a rule, HTTP basic auth is inappropriate without SSL, even for intranet apps. An office could easily have an insecure Wifi point, and someone sitting outside running Wireshark.
link
willstrafach 3333 days ago
Also important to note that even on secure Wi-Fi with WPA2, if the attacker knew the password to the network they can just as easily sniff such plaintext ocontent.
link
euyyn 3334 days ago
It prevents delegation, though, which is an important use case for some APIs. As in "I want this third-party service to read my calendar from another server, but I don't want it to hijack my account, and I want to be able to revoke its access later on."
link
thwarted 3334 days ago
That's an implementation detail of how the credentials are created, managed, interpreted by the server, and their use reported on to the user, none of which is specific to the credentials transport or encoding, which is all basic auth is. The thing to be aware of is how different HTTP clients, specifically user-interactive browsers, use (apply and remember) the credentials.
link
euyyn 3333 days ago
If you reinterpret Basic auth as "send a token that's not the user's password in the Authorization header", you're just doing OAuth 2 but writing "Basic" instead of "Bearer".
link
vetinari 3333 days ago
And if you dig deeper in this direction, you will find yourself Greenspunned into Kerberos.
link