General question on authentication - Basic vs bearer token
Thursday, March 21, 2024 at 09:11am
In looking at the API reference as well as playing around with the calls in Postman, while OneSpan guides users to create a bearer token, often they're not using it, instead passing the API Key in basic authentication. Why is this? What is the best practice generally on which authentication method to use? As elsewhere, I presume the bearer token method is superior, but I am unable to determine whether it's always supported throughout the OS REST API?
Thank you!
Reply to: General question on authentication - Basic vs bearer token
Thursday, March 21, 2024 at 10:08am
Hi Kirk,
Before we discuss further the advantages of using Basic vs Bearer token, I'd like to share some information about a new feature planned in the roadmap. The client app token API (POST /apitoken/clientApp/accessToken), which you may have already learned about from this blog, didn't strictly follow the OAuth2 API standard and thus can't be used directly by RESTful tools like Postman or Spring RestTemplate. However, to mitigate this pain point, OneSpan Sign is introducing a new API following the OAuth2 Client Credentials Grant Flow; the screenshot below gives you an idea of how it would look in the UI. The feature is planned for the 24R2 release; please check the Trust Center for the detailed release date.
On top of that, below are some general pros and cons of using each authentication method from my understanding:
Basic authentication: Basic Authentication is straightforward to implement; however, from the security perspective, OSS doesn't support rotating the password in a self-service manner.
OAuth2 authentication: In this sense, I believe OAuth2 is more secure than Basic authentication. However, if you are not developing with the OSS SDK, implementing OAuth2 could be slightly more complex than Basic, and you need extra effort to handle access token expiry and refresh.
Duo
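The "extra effort" Duo mentions is mostly the token lifecycle: a Basic header never changes, whereas a client-credentials access token has an expires_in and must be refreshed before it goes stale. The added example below (not OneSpan's code, and not from the original thread) shows a small cache that parses a standard OAuth2 token response and refreshes the bearer token a safety margin before expiry; the fetch callable, the margin and the injectable clock are assumptions, and the token endpoint call itself is left to the caller.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


def parse_token_response(body: dict) -> tuple:
    """Return (access_token, expires_in) from a standard OAuth2 token
    response (RFC 6749 section 5.1); reject anything that is not a bearer."""
    if str(body.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {body.get('token_type')!r}")
    token = body.get("access_token")
    expires_in = body.get("expires_in")
    if not token or not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("token response missing access_token or expires_in")
    return token, expires_in


@dataclass
class _Cached:
    access_token: str
    expires_at: float  # epoch seconds


class BearerTokenCache:
    """Caches a client-credentials access token and refreshes it shortly
    before it expires, so callers never send a stale Authorization header."""

    def __init__(self, fetch: Callable[[], dict], margin_s: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self._fetch = fetch      # assumed: POSTs to the token endpoint, returns JSON body
        self._margin = margin_s  # refresh this many seconds before expiry
        self._clock = clock      # injectable so tests can control time
        self._lock = threading.Lock()
        self._cached: Optional[_Cached] = None
        self.fetch_count = 0     # number of token endpoint calls made

    def authorization_header(self) -> str:
        with self._lock:  # only one thread refreshes at a time
            now = self._clock()
            if self._cached is None or now >= self._cached.expires_at - self._margin:
                token, expires_in = parse_token_response(self._fetch())
                self._cached = _Cached(token, now + expires_in)
                self.fetch_count += 1
            return f"Bearer {self._cached.access_token}"


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint; a real client would send
    # grant_type=client_credentials with its client id and secret here.
    fake = lambda: {"access_token": "demo", "token_type": "Bearer", "expires_in": 300}
    print(BearerTokenCache(fake).authorization_header())
```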