restauthenticationcoldfusionrestful-architecturetaffy

How to pass additional data to restful API Basic authentication


I am developing my first restful API for a project.

I understand and have gotten the basic authentication to work properly, using the format Basic username:password where username:password is Base64 encoded.

Currently, we pass a user's email address in the 'username' field and their password in the 'password' field.

The problem is that the email address is not unique in the application. It is unique per Organisation within the application.

So in order to log the user in successfully, we need to pass another value to the API which indicates what the organisation is (the idea would be to pass along a key that would be used to look up the organisation)

My issue is that the basic authentication process only allows you to pass two values (username,password), whereas I need to pass three. Is there a way to pass more data to the basic authentication process? Or do I have to use some other type of authentication to achieve this?

My idea was to modify the basic authentication so that it takes three values, for example: username:password:orgkey I don't know if that is allowed or goes against the protocol for basic authentication though?

Although this question really is language independent, for the record I am using Coldfusion and the Taffy plugin.

Any guidance would be appreciated.

Thanks


Solution

  • Basic authentication is not a good protocol for securing web APIs as I tried to explain in my answers here and here.

    It's okay to support it for things like test automation etc, but I would not use it in production. You will have a hard time keeping the password secret as neither JavaScript nor mobile clients can be trusted to keep secrets.

    It's not clear to me why email addresses are not unique across organizations. Are you not sending the part after the at-sign ('@')?

    You cannot introduce another field in the basic authentication credentials field. According to RFC7235, the credentials field can only contain:

        credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
    

    I would look into a security token based authentication scheme like using JWT tokens.