1. HTTP (Hypertext Transfer Protocol)

  1. User Authorization and Authentication
    1. Mechanisms for Access Control
      1. Basic authorization
      2. Bearer authorization
      3. Cookie/form access control
      4. OAuth
      5. Proprietary mechanisms

User Authorization and Authentication

HTTP provides a standard way to authenticate the user issuing a request, and there are multiple standard ways to prove authorization.

Mechanisms for Access Control

This is a broad overview of the different paradigms that control access to server resources and the operations performed on them, including how a user is granted credentials, presents them to the server, and invalidates them when they are no longer needed.

Basic authorization

The "Basic" authorization scheme is, as its name suggests, the simplest of the user authorization schemes. It allows a username and password to be presented to the server. The username and password are typically checked against a credential database, for example an LDAP directory.

Bearer authorization

The "Bearer" authorization scheme grants authorization to requests that demonstrate possession of a bearer token: a secret string known only to the server and the authorized user. Unlike a password, it is intended to be a high-entropy value assigned by the server.
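The following is an added example covering both the Basic and the Bearer sections above; it is not code from the original page. It shows the client side building a Basic header (RFC 7617), and a server side that parses the Authorization header, checks Basic credentials against a hypothetical credential store holding salted password hashes, and checks Bearer tokens against a hypothetical store that keeps only a hash of each token. The user names, passwords, store layout and iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Constructed server-side stores (hypothetical; the page names no backend) ---

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _new_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

# username -> (salt, password hash); "bob" shows a password containing a colon.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": _new_user("correct horse"),
    "bob": _new_user("p:w:d"),
}
_DUMMY_SALT = os.urandom(16)

# sha256(token) -> username; only the hash is stored, never the token itself,
# so a copy of this table does not yield usable bearer tokens.
TOKENS: Dict[bytes, str] = {}

def issue_bearer_token(username: str) -> str:
    """Mint a 256-bit random token for username and record only its hash."""
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode("ascii")).digest()] = username
    return token

# --- Client side -----------------------------------------------------------

def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a client sends for Basic (RFC 7617).
    This is only base64, not encryption: Basic is safe only over TLS."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

# --- Server side -----------------------------------------------------------

def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'Scheme credentials' into (scheme, credentials); the scheme is case-insensitive."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), parts[1].strip()

def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the username the Authorization header proves, or None."""
    parsed = parse_authorization(header)
    if parsed is None:
        return None
    scheme, credentials = parsed
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        # RFC 7617: split on the first colon only; the password may contain colons.
        username, sep, password = decoded.partition(":")
        if not sep:
            return None
        entry = USERS.get(username)
        if entry is None:
            _hash_password(password, _DUMMY_SALT)   # keep timing uniform for unknown users
            return None
        salt, expected = entry
        return username if hmac.compare_digest(_hash_password(password, salt), expected) else None
    if scheme == "bearer":
        # Look up the hash of the presented token; the table never holds the token itself.
        return TOKENS.get(hashlib.sha256(credentials.encode("utf-8")).digest())
    return None   # unknown scheme: deny

if __name__ == "__main__":
    print(authenticate(basic_header("alice", "correct horse")))   # alice
    print(authenticate("Bearer " + issue_bearer_token("bob")))    # bob
```

Two details matter in practice: the Basic payload is split on the first colon only, because RFC 7617 allows colons in the password, and a failed lookup still runs the password hash so that response time does not reveal which user names exist.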

Cookie/form access control

The Cookie/form access paradigm uses HTTP's state management mechanism, Cookies, to associate requests with a session. The session in turn may be associated with a user, who carries authorization sufficient to carry out the request.

Using cookies for access control has significant security considerations: Web browsers attach the cookie to all requests made to the origin server, including requests that an attacker causes the browser to make. This means that additional mechanisms must be used to ensure the request came from the user, such as a CSRF token.

Additionally, because the Authorization header is not used, the protections HTTP caching builds around authenticated requests do not apply.
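An added example of the Cookie/form paradigm described above, not code from the original page: a hypothetical in-memory session store, a Set-Cookie value with the attributes a server should set, and an authorization check that requires the session's CSRF token on state-changing requests. The store layout, cookie name and attribute choices are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
# (hypothetical; a real deployment would use a database or cache).
SESSIONS: Dict[str, Dict[str, str]] = {}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def start_session(username: str) -> str:
    """Create a session for username and return the Set-Cookie value to send.
    HttpOnly keeps the cookie away from script, Secure restricts it to TLS, and
    SameSite=Lax stops the browser attaching it to cross-site POSTs."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def parse_cookie_header(cookie_header: Optional[str]) -> Dict[str, str]:
    """Minimal parser for the request's Cookie header ('a=1; b=2')."""
    cookies: Dict[str, str] = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def _session(cookie_header: Optional[str]) -> Optional[Dict[str, str]]:
    sid = parse_cookie_header(cookie_header).get("sid")
    return SESSIONS.get(sid) if sid else None

def csrf_token_for(cookie_header: Optional[str]) -> Optional[str]:
    """Token the server embeds in the forms and pages it renders for this session."""
    session = _session(cookie_header)
    return session["csrf"] if session else None

def authorize_request(method: str, cookie_header: Optional[str],
                      csrf_token: Optional[str] = None) -> Optional[str]:
    """Return the session's user if the request is authorized, else None.
    Safe methods need only a valid session; state-changing methods must also
    present the session's CSRF token (from a hidden form field or a header),
    which a request forged from another site cannot supply."""
    session = _session(cookie_header)
    if session is None:
        return None
    if method.upper() in SAFE_METHODS:
        return session["user"]
    if csrf_token is None or not hmac.compare_digest(
            csrf_token.encode("utf-8"), session["csrf"].encode("utf-8")):
        return None
    return session["user"]

def end_session(cookie_header: Optional[str]) -> str:
    """Invalidate the session server-side and tell the browser to drop the cookie."""
    sid = parse_cookie_header(cookie_header).get("sid")
    if sid:
        SESSIONS.pop(sid, None)
    return "sid=; Max-Age=0; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    set_cookie = start_session("alice")
    cookie = set_cookie.split(";")[0]          # what the browser sends back
    print(authorize_request("GET", cookie))                            # alice
    print(authorize_request("POST", cookie))                           # None
    print(authorize_request("POST", cookie, csrf_token_for(cookie)))   # alice
```

The CSRF token lives in the session record, not in the cookie alone, so the browser's automatic cookie attachment is not enough to pass the check; the request must also carry something only a page rendered for that session could have included. Invalidation is server-side: once `end_session` removes the record, a stale cookie no longer authorizes anything.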

OAuth

Main article: OAuth

OAuth (specifically OAuth 2, as opposed to OAuth 1) is a standard way to grant a third party access to a user's resources.
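An added example of the OAuth 2 authorization code flow the sentence above refers to, not code from the original page or any OAuth library: both sides of the exchange are modelled in one file, with the client generating a `state` value and a PKCE verifier/challenge pair (RFC 7636), and the authorization server issuing a single-use code and checking client, redirect URI and PKCE verifier at its token endpoint. The endpoint URLs, client id and token lifetime are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints; neither is named on the page.
AUTH_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "https://client.example/callback"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_pair() -> Tuple[str, str]:
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))          # 43 characters
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def redirect_params(url: str) -> Dict[str, str]:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Client:
    """The third party asking for access to the user's resources."""
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.pending: Dict[str, str] = {}   # state -> code_verifier, one entry per flow

    def begin(self, scope: str) -> str:
        """Build the authorization URL the user's browser is sent to."""
        verifier, challenge = pkce_pair()
        state = secrets.token_urlsafe(16)   # binds the callback to this browser session
        self.pending[state] = verifier
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
            "code_challenge": challenge, "code_challenge_method": "S256"})

    def finish(self, redirect_url: str, server: "AuthorizationServer") -> Optional[dict]:
        """Handle the redirect back: check state, then exchange the code for a token."""
        q = redirect_params(redirect_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None or "code" not in q:
            return None   # unknown or reused state: reject (CSRF/replay protection)
        return server.token(self.client_id, q["code"], verifier, REDIRECT_URI)

class AuthorizationServer:
    """Issues single-use codes on the user's approval and exchanges them for tokens."""
    def __init__(self):
        # code -> (client_id, redirect_uri, code_challenge, scope)
        self.codes: Dict[str, Tuple[str, str, str, str]] = {}

    def authorize(self, url: str, user: str) -> Optional[str]:
        """The user (resource owner) approves the request in url; return the redirect URL."""
        q = redirect_params(url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            return None
        if not all(k in q for k in ("client_id", "redirect_uri", "state", "code_challenge")):
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], q.get("scope", ""))
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, code: str, code_verifier: str, redirect_uri: str) -> Optional[dict]:
        """Token endpoint: the code is single-use and must match client, redirect URI and PKCE."""
        record = self.codes.pop(code, None)
        if record is None:
            return None
        c_id, r_uri, challenge, scope = record
        expected = _b64url(hashlib.sha256(code_verifier.encode("utf-8")).digest())
        if c_id != client_id or r_uri != redirect_uri or not hmac.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}

if __name__ == "__main__":
    client, server = Client("app123"), AuthorizationServer()
    url = client.begin("read")                  # 1. client redirects the user here
    redirect = server.authorize(url, "alice")   # 2. user approves; server redirects back
    print(client.finish(redirect, server))      # 3. client exchanges code for a token
```

The `state` value ties the redirect back to the browser session that started the flow, so a callback with an unknown or already-used state is dropped; the PKCE verifier ties the token request to the client that began the flow, so an intercepted code alone is not enough to obtain a token. The access token returned is a Bearer token and is presented as described under Bearer authorization.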

Proprietary mechanisms

Several Web APIs deploy their own authorization mechanisms. This is not recommended: it is very difficult to engineer a new authorization scheme securely, and user agents may not understand the nature of the data they are handling.