[ARIN-consult] Consultation on API Key Handling

William Herrin bill at herrin.us
Fri Aug 9 18:35:54 EDT 2024


On Fri, Aug 9, 2024 at 9:59 AM Daniel Sheppard <da.sheppard at uwinnipeg.ca> wrote:
> There is nothing wrong with Bearer/Token Authentication, which is a well defined
> standard and widely used by many frameworks.  “Authentication: Token XXXX”
> is not a “unique” model and I would say the simplicity of that is potentially more
> useful than moving to something like OAuth 2, JWT, or OpenID Connect.

Hi Daniel,

OAuth is one of those complex schemes that I personally don't like
working with. It usually gets used by presenting the core credentials
to get a token for each set of operations anyway, just with extra
steps for the programmer to deal with.

I've worked with JWT before and it scares me. The typical use is to
embed cryptographically authenticated authorizations within the token.
The client literally tells the server what it's allowed to do, so if
anyone ever manages to break the encryption you're wide open to the
world.

I haven't looked at OpenID Connect but it smells like a meta-layer on
top of the other two, adding more complexity.

I personally like embedding the shared secret in form-data. Yes it can
be logged if embedded in a GET request, but it's easy to debug via a
web browser and isn't recorded when embedded in a POST request. Server
logging can be turned off or modified to discard everything after the
"?" if ARIN is concerned about that aspect.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
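As an added example (not part of Bill's message or of anything ARIN has published), here is the logging mitigation he describes, discarding everything after the "?" in a logged request, together with redaction of the "Authorization: Token XXXX" header style from Daniel's quote, applied to a server log line before it is written. The log format, path and key values are constructed for illustration.

```python
"""Redact API keys from web-server log lines before they are persisted.

Added example for this thread. Two cases are handled:
  1. a key passed in a GET query string, which shows up in the request
     line of a combined-format access log, so the query string is dropped;
  2. a key passed in an Authorization/Authentication header, which can
     appear in debug logs that dump request headers, so the token value
     is replaced with a marker.
"""
import re

# Request line of an Apache/nginx combined log entry:
#   "METHOD /path?query HTTP/1.1"
# Group 2 is the path (stops at "?"), group 3 is the optional query string.
_REQUEST_RE = re.compile(r'"([A-Z]+) ([^ "?]+)(\?[^ "]*)? (HTTP/[0-9.]+)"')

# "Authorization: Token XXXX" / "Authorization: Bearer XXXX" (and the
# "Authentication:" spelling from the quoted message) in a debug log line.
_AUTH_HEADER_RE = re.compile(
    r'(Authorization|Authentication):\s*(Token|Bearer)\s+\S+', re.IGNORECASE)


def strip_query_string(line: str) -> str:
    """Discard everything after "?" in the logged request target."""
    return _REQUEST_RE.sub(r'"\1 \2 \4"', line)


def redact_auth_header(line: str) -> str:
    """Replace the credential in a logged auth header with a marker."""
    return _AUTH_HEADER_RE.sub(r'\1: \2 [REDACTED]', line)


def sanitize(line: str) -> str:
    """Apply both redactions; safe to run on lines that need neither."""
    return redact_auth_header(strip_query_string(line))


if __name__ == "__main__":
    # Constructed sample lines; the key values are not real credentials.
    samples = [
        '203.0.113.7 - - [09/Aug/2024:18:35:54 -0400] '
        '"GET /api/v1/whois?apikey=EXAMPLE-KEY-1234 HTTP/1.1" 200 512',
        'DEBUG headers: Authorization: Token EXAMPLE-KEY-1234 Accept: */*',
    ]
    for s in samples:
        print(sanitize(s))
```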

