Basic Authentication with a Guid token for REST api instead of username/password

Overview

I am developing a mobile application using PhoneGap with REST API for the backend. The REST API won't be utilised by third-party developers, but will be application-specific, so there is no need for oAuth to be implemented. Hence, I am planning to use Basic Authentication where in the User enters their Username/password to access the API resources. All API communication will be on SSL.

Basic Authentication with Token

Instead of letting the application store the username/password and send it with every request to the API, I would rather authenticate username/password on the first login request and send a GUID token back. The client stores this GUID token and sends the token back to the API with each request through the Authorization header, like this:

Authorization: Basic e1d9753f-a508-46cc-a428-1787595d63e4

On the server side, the username/GUID combination will be stored on the server with a expiration date along with device settings. This will allow to keep track of the number of devices a user has logged in from as well as expire the session once the Guid has reached expiration.

Does this approach sound reasonable and secure?


The general "Authentication with Token" approach is very good but you shouldn't try to make Basic Authentication work in different way than it is supposed to (after all it is a defined standard). You should rather use your own header for authentication purposes. You can find a very good description of such scenario here:

  • Making your ASP.NET Web API's secure

  • There is no need for you to create custom headers or authentication schemes at all.

    The Bearer authentication scheme is designed exactly for your use case:

    Authorization: Bearer e1d9753f-a508-46cc-a428-1787595d63e4
    

    Basic authentication must be as follows:

    Authorization: Basic base64EncodedUsernameAndPassword
    

    where base64EncodedUsernameAndPassword is equal to the output of:

    base_64_encode(username + ':' + raw_password)
    

    Do not use Basic if the trailing text value is not the above exact algorithm.

    If you just want to put whatever value you want after the scheme name, use the Bearer scheme - that is what it was invented for.

    Warning

    While you can use a simple GUID/UUID as your token, this isn't really a secure token. Consider using a JWT instead. JWTs can be digitally signed and assigned a TTL so that only the server setting it can a) create it and validate its authenticity and b) ensure it is not used longer than is allowed. While this may be true of your data stored based on the GUID, the JWT approach does not require server state - so it scales far better - and accomplishes the same thing.

    链接地址: http://www.djcxy.com/p/22050.html

    上一篇: 针对Web应用和移动应用的REST API身份验证

    下一篇: 使用REST API的Guid令牌进行基本身份验证,而不是用户名/密码