[ARIN-consult] Consultation on API Key Handling

Daniel Sheppard da.sheppard at uwinnipeg.ca
Fri Aug 9 12:59:45 EDT 2024


There is nothing wrong with Bearer/Token Authentication, which is a well defined standard and widely used by many frameworks. "Authentication: Token XXXX" is not a "unique" model and I would say the simplicity of that is potentially more useful than moving to something like OAuth 2, JWT, or OpenID Connect. The simplicity of token authentication is actually why it is fairly widely recommended over using OAuth 2.0 Token Access for programmatic access to a RESTful API.

You can use OAuth 2.0 to generate a token, but then your creds for generating that token are stored on your system, instead of just the limited access token itself.  In fact, RFC6750 specifies the use of "Authorization: Bearer" for API endpoint access.

TL;DR: "Authorization: Token" is a valid, widely recognized "model" for REST API access.
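Added example (not from this thread or from ARIN): a minimal server-side check for the "Authorization: Token XXXX" / "Authorization: Bearer XXXX" model discussed above. It keeps only a digest of each issued key and answers failures with the RFC 6750 WWW-Authenticate challenge; the key store, principal names and realm are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo store: the server keeps only SHA-256 digests of issued keys,
# so a copied database does not hand out working credentials.
_KEY_DIGESTS: Dict[str, str] = {}  # digest -> principal


def issue_key(principal: str) -> str:
    """Mint a random key, remember its digest, and return the key exactly once."""
    key = secrets.token_urlsafe(32)
    _KEY_DIGESTS[hashlib.sha256(key.encode()).hexdigest()] = principal
    return key


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'Token XXXX' or 'Bearer XXXX' into (scheme, credential); None if malformed."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, cred = parts[0].lower(), parts[1].strip()
    if scheme not in ("token", "bearer") or not cred:
        return None
    return scheme, cred


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, response headers, principal) for one request."""
    parsed = parse_authorization(headers.get("Authorization"))
    if parsed is None:
        # No usable credential: RFC 6750 section 3 challenge, no error code.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, None
    digest = hashlib.sha256(parsed[1].encode()).hexdigest()
    # Compare against every stored digest in constant time (no early break)
    # so the lookup does not leak how much of a presented key matched.
    principal = None
    for stored, who in _KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            principal = who
    if principal is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}, None
    return 200, {}, principal
```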

From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of Jo Rhett
Sent: Thursday, August 8, 2024 6:48 PM
To: Chris Woodfield <chris at semihuman.com>
Cc: arin-consult at arin.net
Subject: Re: [ARIN-consult] Consultation on API Key Handling


Unless ARIN intends to release and maintain high-quality client software libraries in each of the top 20 programming languages,

...


I'm working on the assumption that the implementation will be no more complex than an "Authorization: Token XXXX" HTTP header, which is a well-established pattern for API authentication. If the implementation were to be more complex than that, I'd raise an objection as well.

There's no reason to build something raw and native. There are dozens of robust, well-tested security frameworks for authentication that are implemented by every platform and language already. OAuth 2, JWT, OpenID Connect, ...

Yes, those align with (but are greater than) plaintext headers. Don't go creating a unique model unless none of the well-established, widely used frameworks will meet the needs.

--
Jo Rhett

