stackoom
  简体   繁体   中英

How to pass additional data to restful API Basic authentication

 原文  2015-07-31 17:39:05       rest/ authentication/ coldfusion/ restful-architecture/ taffy

Question

I am developing my first restful API for a project.

I understand and have gotten the basic authentication to work properly, using the format Basic username:password where username:password is Base64 encoded.

Currently, we pass a user's email address in the 'username' field and their password in the 'password' field.

The problem is that the email address is not unique in the application. It is unique per Organisation within the application.

So in order to log the user in successfully, we need to pass another value to the API which indicates what the organisation is (the idea would be to pass along a key that would be used to look up the organisation)

My issue is that the basic authentication process only allows you to pass two values (username,password), whereas I need to pass three. Is there a way to pass more data to the basic authentication process? Or do I have to use some other type of authentication to achieve this?

My idea was to modify the basic authentication so that it takes three values, for example: username:password:orgkey I don't know if that is allowed or goes against the protocol for basic authentication though?

Although this question really is language independent, for the record I am using Coldfusion and the Taffy plugin.

Any guidance would be appreciated.

Thanks

1 answers

solution1
 2 ACCPTED  2015-08-01 02:24:09

Basic authentication is not a good protocol for securing web APIs as I tried to explain in my answers here and here .

It's okay to support it for things like test automation etc, but I would not use it in production. You will have a hard time keeping the password secret as neither JavaScript nor mobile clients can be trusted to keep secrets.

It's not clear to me why email addresses are not unique across organizations. Are you not sending the part after the at-sign ('@')?

You cannot introduce another field in the basic authentication credentials field. According to RFC7235 , the credentials field can only contain: 

    credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

I would look into a security token based authentication scheme like using JWT tokens .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to pass basic authentication to API call in robotframework Restful api how to pass info after basic http auth Design of Restful API with HTTP Basic Authentication How to pass data in restful api in angularjs How to use RESTful with Basic Authentication in Spring Boot RESTful service basic authentication How to implement restful API with additional noun for entity How to get data from rest api which has basic authentication? CXF RESTful Client - How to do basic http authentication without Spring? How to make a RESTful call using Basic Authentication in apache camel?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM