Authn Methods
The below explained are the best practices of REST API Authentication methods.
Basic Authentication
HTTP Basic Authentication isn't suggested because of its inherent security vulnerabilities.
This technique doesn't need cookies, session IDs, login pages, and alternative such specialty solutions.
curl "https://example.com/" \
-H "Authorization: Basic bXlVczNybkBtZTpteVA0c3N3MHJk"
Bearer Authentication
The bearer token permits access to a precise resource or universal resource locator and presumably could be a cryptic string, sometimes generated by the server in response to a login request.
Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlE1QVdrc1dIVmEiLCJ0eXAiOiJKV1QifQ.eyJwaWQiOiJ1cy13ZXN0LTI6ZmQ3NGQ1ZmItNGMzMS00OWYyLWIwNDUtMjVjNmRiMWNiN2IzIiwidWlkIjoiWm1RM05HUTFabUl0TkdNek1TMDBPV1WFhNjEtYjRjZjI0MGQ0ZDFlIiwiaWF0IjoxNjU4NjEzMTE4fQ.FegjkNUl9eiDBFH4tm5Z9jKSLwyR2x_TEi16BBQj_axHaC52CaCseSeShqy485bzoNFnxdNR616u_fih_Lp5q25JFHpZxrWdyP4rxxpjXxdr_ErMlb...
API-Keys
-
This method normally has an expiration date.
-
The problem with this method is that gives access to all operations which API can do (CRUD).
-
API keys identify projects, not users.
FxVxpK4CUiFqNgMFrb854sOh4qXFykra
OAuth (2.0)
OAuth2 combines Authentication and Authorization to permit additional subtle scope and is designed to grant access to resources set like:
- remote API
- user's data
The previous versions of this specification, OAuth 1.0 and 1.0a, were far more difficult than OAuth 2.0
OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
How to Select the Right API Authentication Method
Selecting the authentication method that is best for a particular API comes down to the level of security that’s required to validate clients versus the ease of implementation and maintenance.