Skip to content

HTTP

HTTP Authentication

There are various kinds of authentication mechanisms you may use in HTTP.

Basic

Sends a base64-encoded username:password tuple in the Authorization header.

API Keys

This is an API-specific secret that only the client and server know. It's typically used to provide authentication to specific API paths.

Bearer

This is a type of token that grants access to the "bearer of this token." It's a string, normally generated by the server, that the client must send when making requests to the API.

OAuth 2.0

This is a more complex form of authentication that relies on authentication steps called "flows". The OAuth 2.0 server grants a token to a client that allows the client to access a protected resource on behalf of the owner, without having to know the owner's credentials.

Flows

A "flow" is a challenge the client must perform in order to get access to an access token. The various types of flows are:

  • Authorization Code: this is similar to how users use their Facebook or Google account to sign up for a web application.
  • Implicit: requires the client to directly retrieve an access token. Useful in cases where the access token cannot be stored locally (due to being easily accessible by a third party). Suitable for web, desktop, and mobile apps that do not incldue a server component.
  • Resource owner password credentials: Requires a username and password. Only suitable for trusted clients because the credentials are part of the request.
  • Client credentials: Intended for server-to-server authentications. In this approach, the client is acting on its own behalf instead of on behalf of another user. It allows the client to specify their own credentials so they can access resources that they own.

Digest

Similar to basic authentication, but it sends a hash of the username and password instead of a base64 encoded string (obviously base64 is easily reversible, while hashing is not).

Digest is susceptible to man-in-the-middle attacks where the attacker can request Basic authorization, then send a Digest authentication to the upstream server. It also provides no way for the client to verify the identity of the server.

Digest authentication allows the server to store the hash of username/passwords in a database instead of cleartext passwords, however if an attacker ever gains access to the database, they can send valid Digest authentications. This means that the password database must be protected as strictly as if it contained cleartext passwords.

AWS4-HMAC-SHA256

Text Only
Authorization: AWS4-HMAC-SHA256 
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, 
SignedHeaders=host;range;x-amz-date,
Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

In this authorization scheme, the client calculates a signature that is based off of a defined set of headers that the client gets to choose. The server will re-create the signature using the headers specified in the request, and if the signature matches, the request is granted. The signature is thus based off of the private access key (whose name is provided in the Credential header, and whose value is known only by the client and the server, and whose value is specific to an AWS region), the headers specified by the client, and a hash of the request payload (if the s3:x-amz-content-sha256 condition key is provided).

In its essence, this scheme uses a shared private key to create a digital signature of the request, which allows both the server to verify the identity of the cleint, and it protects against MITM attacks (assuming the private key has not been compromised) from modifying the request. It's still recommended to use in conjunction with HTTPS.

The signed portions of the request are valid within 15 minutes of the original timestmap. This means that an attacker can re-use a signed request within 15 minutes and modify the unsigned portions. This is why Amazon recommends you always hash the contents, and as many headers as is practical.

SSSD

System Security Services Daemon provides a set of authentication and authorization services on Linux hosts, primarily used to authenticate/authorize user login to external services (such as LDAP), but can be used for other use-cases.