Why we chose "OAuth2.0" over other authentication methods?

Hello everyone!

While there are various authentication methods available for REST APIs, we use OAuth2.0. In this article, we are going to discuss the most popular authentication methods, their pros and cons, and the reason why we chose OAuth2.0 over other authentication methods.

1. HTTP Basic Authentication
As the name suggests, HTTP basic authentication is the simplest and most straightforward form of authentication, and hence the most vulnerable. In this method, the user passes the username and password along with every API request.

Pros:
  • Implementing HTTP basic authentication is quite simple, since no encryption or tokenisation is involved.
  • Compared to other authentication methods, HTTP basic authentication is faster.
Cons:
  • The lack of encryption makes it the most vulnerable to attack.
  • Every API call, not just the initial login request, is a potential target for cleartext credential theft.
  • Since the same username and password are used for product login, a security breach compromises all your data.
  • To recover from a security breach, you must change your password and update it in all your API code, which is tedious.
  • The server cannot grant or revoke access to specific resources; in other words, you cannot apply scopes. You can only grant full access to all resources.

2. API Key Authentication
API key authentication is an advanced form of HTTP basic authentication. In this method, when a user logs in for the first time, the server generates a unique key (a string value), known as the API key, and assigns it to the user. The user must pass the API key with every API request, and the server uses it to verify the user's identity.

Pros:
  • Comparatively more secure than HTTP basic authentication, since the username and password themselves are not passed with every API request.
  • Unlike HTTP basic authentication, API keys can provide access to specific resources, so in the case of a security breach only a specific set of data is compromised.
Cons:
  • API keys are still vulnerable to attack: they can be stolen and misused.
  • To recover from a security breach, you must regenerate the API key and update it in all your API code, which is tedious.

3. OAuth2.0
OAuth2.0 is an industry-standard protocol specification that enables third-party applications (clients) to gain delegated access to protected resources in Zoho via an API.

In this method, the client app requests access to specific resources from the authentication server and receives a grant token in return. The grant token is then exchanged for an access token and a refresh token. The access token is used to access resources and is valid only for a set amount of time; once it expires, a new access token can be generated using the refresh token.

Pros:
  • Using OAuth2.0, you can verify the identity of the client and also provide delegated access to each resource, so it allows you to both authenticate and authorize.
  • Comparatively more secure than HTTP basic authentication and API key authentication, since it involves neither a username and password nor a static key.
  • OAuth2.0 uses scopes to limit access to sensitive data: the grant token is generated for a specific set of data, defined by the scopes.
  • You can revoke the tokens at any time, thus cutting off the client's access to sensitive data.
  • Each access token is valid for only an hour and can be used only for operations defined in its scope.
  • OAuth2.0 scales easily to a multi-user environment.

Cons:
  • Generating tokens is complex. Since access tokens are valid only for a short period, the developer must regenerate the access token using the refresh token.
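To make the token lifecycle above concrete (grant token exchanged for access and refresh tokens, one-hour expiry, refresh, scope checks and revocation), here is an added, constructed in-memory authorization server; it is an illustration written for this article, not Zoho's implementation or its real endpoints, and the scope names and token values are made up.

```python
import secrets

# Constructed in-memory authorization server: just enough of the token endpoint
# to show the lifecycle described above. Not Zoho's implementation.
class AuthorizationServer:
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl   # the one-hour access token from the article
        self.codes = {}      # grant code -> scopes (single use)
        self.access = {}     # access token -> (scopes, expires_at)
        self.refresh = {}    # refresh token -> scopes

    def issue_grant_code(self, scopes):
        code = secrets.token_urlsafe(16)
        self.codes[code] = frozenset(scopes)   # scopes fixed at grant time
        return code

    def _issue_access(self, scopes, now):
        tok = secrets.token_urlsafe(24)
        self.access[tok] = (scopes, now + self.access_ttl)
        return tok

    def token(self, grant_type, now, **params):
        # `now` is injected (seconds) so expiry can be exercised offline.
        if grant_type == "authorization_code":
            scopes = self.codes.pop(params.get("code"), None)  # single use
        elif grant_type == "refresh_token":
            scopes = self.refresh.get(params.get("refresh_token"))
        else:
            return {"error": "unsupported_grant_type"}
        if scopes is None:
            return {"error": "invalid_grant"}
        reply = {"access_token": self._issue_access(scopes, now), "expires_in": self.access_ttl}
        if grant_type == "authorization_code":
            reply["refresh_token"] = secrets.token_urlsafe(24)
            self.refresh[reply["refresh_token"]] = scopes   # refresh inherits the scopes
        return reply

    def revoke(self, refresh_token):
        self.refresh.pop(refresh_token, None)  # client can no longer renew access

    def check(self, access_token, scope, now):
        # Resource server check: token known, unexpired, and the scope was granted.
        entry = self.access.get(access_token)
        if entry is None:
            return "invalid_token"
        scopes, expires_at = entry
        if now >= expires_at:
            return "expired"
        return "ok" if scope in scopes else "insufficient_scope"
```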

Clearly, OAuth2.0 is both scalable and secure. Although it is complex, its other advantages are why we chose OAuth2.0 over other authentication methods.

Cheers!