Is there an Apigee policy for HTTP Digest access authentication?


We had a security audit, and one of the recommendations* is that we stop using HTTP Basic Authentication, which sends username (consumer key) and password (consumer secret) with basically no protection over the wire (just Base64 encoding). However, we're using *only* https endpoints and SSL, thus our traffic is encrypted even when using Basic Auth. Therefore, I'm wondering if the security firm's recommendation even makes sense.

I searched the Apigee documentation at http://docs.apigee.com/api-services/reference/, but did not see any built-in support for HTTP Digest access authentication.

What would be the easiest way to implement this for our proxies?

* Recommendation:

Implement an authentication mechanism that does not include the username and password in clear text in the HTTP headers. For example, HTTP Digest authentication uses cryptographic techniques to avoid directly exposing the user's password in HTTP requests.


@Aaron Shaver,

The security recommendation is debatable. On one side we see articles like Why I Love Basic Auth, and on the other side we see how token-based authentication (OAuth) has its own advantages. Actually, this article sums up Basic Auth vs HTTP Digest very well.

Who will have a say and the upper hand in this debate? Obviously, the Security Audit Team 🙂

Coming to securing APIs, I have seen many customers using OAuth extensively when it comes to securing APIs exposed to the public. I believe OAuth2 is the industry-adopted security policy. That said, recently we have seen many implementing advanced security extensions like JWT, HMAC, HTTP Signatures, etc. in Apigee Edge.

Coming to your question: any built-in support for HTTP Digest access authentication? The answer is NO, we don't have out-of-the-box support.

Can it be implemented in Apigee Edge? Definitely, YES, using Java callouts / a custom implementation.

One more article that clearly tells how to implement the same is here, along with a comparison between Basic and Digest Auth.

So, summary:

SSL is the most modern and secure method of sending user authentication data over the public Internet. But when SSL is not available, please use Digest over Basic authentication.

Thank you!
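The "Java callouts / custom implementation" route means the proxy has to do the Digest computation itself. As an added illustration (not code from this thread or from Apigee), here is the RFC 2617 qop=auth scheme in Python: the client builds the Authorization header, and the server recomputes the response from its stored secret and compares it. The consumer key/secret, realm, nonce and URI are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample credential store (hypothetical consumer key / secret), not from the page.
USERS = {"consumer-key-123": "consumer-secret-xyz"}
REALM = "apigee-proxy"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. The password enters only through HA1,
    so neither side ever puts it on the wire; only this hash travels."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization_header(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client side: what is sent back after the server's 401 challenge supplied `nonce`."""
    resp = digest_response(username, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest_header(header):
    """Split 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values both allowed."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {key: quoted or bare for key, quoted, bare in pairs}


def verify_digest(header, method, realm, issued_nonces):
    """Server side (what a callout would do): recompute the response from the stored
    secret and compare in constant time. True only on a full match."""
    p = parse_digest_header(header)
    required = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if not required <= p.keys() or p.get("qop", "auth") != "auth":
        return False
    # A nonce the server never issued is rejected, so a captured header cannot be replayed later.
    if p["realm"] != realm or p["nonce"] not in issued_nonces:
        return False
    password = USERS.get(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], password, realm, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])
```

A real callout would also check that `uri` matches the request target and that `nc` is strictly increasing per nonce; the secret still has to be stored server-side in a form the HA1 computation can use.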