
Web API Authorization Basic vs Bearer vs Digest


<HTTP Basic Authentication>

The Basic and Digest authentication schemes are dedicated to authentication with a username and a secret (see RFC 7617 for Basic and RFC 7616 for Digest). Implementing HTTP Basic authentication is the simplest technique for enforcing access controls on web resources because it uses standard fields in the HTTP header, removing the need for handshakes, and it doesn't require cookies, session identifiers, or login pages.


<HTTP Bearer Authentication>

The Bearer authentication scheme is dedicated to authentication using a token and is described in RFC 6750.

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is an opaque string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources: Authorization: Bearer <token>
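To make the two schemes above concrete, here is an added example (not code from the original post or from the referenced sites) of the server-side handling of an Authorization header. It builds and parses the Basic form to show that it is only base64 encoding (anyone who sees the header recovers the password, which is why Basic needs TLS), and it checks a Bearer token, which grants access to whoever presents it. The user store, password and token value are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed demo data: a real service keeps hashed passwords and
# issues tokens from its login endpoint.
USERS = {"alice": "s3cret"}
ISSUED_TOKENS = {"0123456789abcdef": "alice"}  # token -> subject


def build_basic_header(username: str, password: str) -> str:
    """Client side (RFC 7617): base64(user:pass). Encoding, not encryption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'Scheme credentials' into (scheme, credentials); scheme is case-insensitive."""
    if not header or " " not in header.strip():
        return None, None
    scheme, _, creds = header.strip().partition(" ")
    return scheme.lower(), creds.strip()


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic header: shows it is reversible."""
    scheme, creds = parse_authorization(header)
    if scheme != "basic" or creds is None:
        return None
    try:
        decoded = base64.b64decode(creds, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the password may contain ':', so split on the first one only
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(header: str) -> Optional[str]:
    """Server side: return the authenticated subject, or None to answer 401."""
    scheme, creds = parse_authorization(header)
    if scheme == "basic":
        pair = decode_basic(header)
        if pair is None:
            return None
        username, password = pair
        expected = USERS.get(username)
        # compare_digest avoids leaking the match length through timing
        if expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")
        ):
            return username
        return None
    if scheme == "bearer" and creds:
        # The token is opaque; possession alone is the credential.
        for token, subject in ISSUED_TOKENS.items():
            if hmac.compare_digest(token.encode("ascii"), creds.encode("utf-8")):
                return subject
        return None
    return None


if __name__ == "__main__":
    hdr = build_basic_header("alice", "s3cret")
    print(hdr, "->", decode_basic(hdr), "->", authenticate(hdr))
    print("Bearer 0123456789abcdef ->", authenticate("Bearer 0123456789abcdef"))
```

The lookup loop over ISSUED_TOKENS keeps the comparison constant-time per token; a real service would look the token up by an HMAC or hash of its value instead of iterating.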


<HTTP Digest Access Authentication>

Digest Access Authentication uses MD5 hashing to ensure that no usernames, passwords, HTTP methods, or requested URIs are sent to the server in plaintext. HTTP Digest access authentication is a more complex form of authentication because the client must make two requests for every call. But, though Digest hashes the credentials instead of sending them in plaintext, it's still vulnerable to man-in-the-middle attacks.
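The following added example (not from the original post) walks through the two round trips of Digest with qop=auth as RFC 7616 defines them: the server issues a nonce in its 401 challenge, the client computes response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri), and the server recomputes it from a stored HA1 without ever holding the plaintext password. It also enforces an increasing nonce count so a captured request cannot simply be replayed. The realm, user and password are constructed. Note what is covered by the hash: only the method and URI, so the man-in-the-middle caveat above still applies to everything else on the wire.

```python
import hashlib
import hmac
import os
from typing import Dict

REALM = "api@example.test"  # constructed realm


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# The server stores HA1 = MD5(user:realm:password), not the password.
# The plaintext is used once here, at account setup, to derive HA1.
USER_HA1: Dict[str, str] = {"alice": md5_hex("alice:" + REALM + ":s3cret")}

# Nonces the server has issued and the highest nonce count (nc) seen for each.
_ISSUED_NONCES: Dict[str, int] = {}


def challenge() -> Dict[str, str]:
    """Round trip 1: the 401 response carries WWW-Authenticate with a fresh nonce."""
    nonce = os.urandom(16).hex()
    _ISSUED_NONCES[nonce] = 0
    return {"realm": REALM, "qop": "auth", "algorithm": "MD5", "nonce": nonce}


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 7616, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username: str, password: str, method: str, uri: str,
                     chal: Dict[str, str], nc: int) -> Dict[str, str]:
    """Round trip 2: the client builds the Authorization: Digest parameters."""
    ha1 = md5_hex(f"{username}:{chal['realm']}:{password}")
    cnonce = os.urandom(8).hex()
    nc_hex = f"{nc:08x}"  # nonce count is 8 hex digits, e.g. 00000001
    return {
        "username": username, "realm": chal["realm"], "uri": uri,
        "nonce": chal["nonce"], "nc": nc_hex, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(ha1, method, uri, chal["nonce"], nc_hex, cnonce),
    }


def server_verify(method: str, params: Dict[str, str]) -> bool:
    """Recompute the response from the stored HA1; reject unknown or replayed nonces."""
    ha1 = USER_HA1.get(params.get("username", ""))
    nonce = params.get("nonce", "")
    if ha1 is None or nonce not in _ISSUED_NONCES or params.get("realm") != REALM:
        return False
    nc = int(params["nc"], 16)
    if nc <= _ISSUED_NONCES[nonce]:
        return False  # nc must strictly increase per nonce: blocks straight replay
    expected = digest_response(ha1, method, params["uri"], nonce,
                               params["nc"], params["cnonce"], params["qop"])
    if not hmac.compare_digest(expected, params["response"]):
        return False
    _ISSUED_NONCES[nonce] = nc
    return True


if __name__ == "__main__":
    chal = challenge()  # first request was answered with 401 + this challenge
    auth = client_authorize("alice", "s3cret", "GET", "/api/items", chal, 1)
    print("second request accepted:", server_verify("GET", auth))
    print("same request replayed:", server_verify("GET", auth))
```

Because the hash binds only the method and URI, the same nonce and nc logic does nothing for the request body or the response; that is the limitation the "vulnerable to man-in-the-middle attacks" sentence refers to, and TLS remains necessary.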


<Reference>

dev.to/caffiendkitten/authentication-types-3984 (it has a lot of good content, so it seems worth referring to further)


swagger.io/docs/specification/authentication/bearer-authentication/

stackoverflow.com/questions/34013299/web-api-authentication-basic-vs-bearer#:~:text=2%20Answers&text=The%20Basic%20and%20Digest%20authentication,is%20described%20by%20the%20RFC6750.


Web API Authentication Basic vs Bearer

I have created JWT based Authentication in my Web API application. I am not able to figure out the difference between Basic Token and Bearer Token. Can someone please help me?

stackoverflow.com