#login credentials in req Headers or request body?
<@&1004656351647117403> please have a look, thanks.
Use the authentication header
What are the advantages?
What if you have a request body
Then you need to somehow split the auth and the payload, and probably in two separate places
That way headers becomes better?
Yes
Using the Authorization header (or headers in general) is definitely the way to go here. Usually, if using the Authorization header, you'd encode your authentication data with Base64 and write "Basic: yourB64String" to the header.
There are a few reasons why this is preferable over the body. One of them was already mentioned by Seraphim, but also consider GET requests which do not have a body. To pass authentication information in a GET request, you have no choice but to use the headers.
Nothing the first page on Google wouldn't tell you
I think that GET isn't useful for authentication
I suggest to send custom headers : username and password in header
Do the encoding in server and send it back to client
But you'll lose out on the secure storage that authentication header gives you
He means for authorization
Yeah for the basic auth, I shall send my username and password encoded in base64
In authorization header
I see this insecure
The client side may be controlled by anybody
How is using a custom header anymore secure?
How is it insecure? You won't use SSL?
I do but even with ssl the client side (frontend app) can be vulnerable
How can it be vulnerable?
The source code can be visualized
Yes but the source code doesn't contain anything sensitive
If we speak about basic auth, then yes, the code must have a base64 encoding mechanism for user credentials
The attacker can see how the authorization is done
??
Your Microsoft, discord, everything is done the same way
All those use the same mechanism for auth
I don't think so
???
Basic auth has become the weakest mechanism
They are using basic Auth for everything
Except for exchange online
You're misunderstanding basic Auth
You can send the username/password in plaintext, it's not the header that is the problem
Sure. it must be customized not the ordinary basic auth
Yeah I know but there are other considerations
I suggest you to read the rfc description
But I don't understand how using a custom header fixes it
By using custom header you secure the encoding
You're not though
And you don't show it to the attacker
I agree for ssl
That's all you need
I'm not talking about the flow between server and client!
What if the container of the app is already controlled by malicious entities!
Then the end user has a bigger problem with the security of their device
Yeah but that's possible
Yes but it's not your problem
If an attacker has compromised a user's device, you can also assume the user is already authenticated and will make malicious changes on the user's profile
Like they're not trying to steal the password because they already have access to the service
What if their device has a keylogger? You can't do anything, not your problem
What if their screen is being recorded? You can't do anything, their password has been captured
Your encryption should only be concerned about the data leaving the user's device because that can be attacked by anybody over a network (doesn't even have to be the user's network, the packet could get hacked en route at one of the hop destinations)
SSL will fix all of that
The point I'm making is that, using a custom header won't change anything
The value of a header can contain anything, you don't have to put "Basic base64" you can just do "mycoolencryption"
But devices by default store the authentication header in secure storage
You won't get that from a normal header
passwords, it SHOULD NOT be used (without enhancements such as HTTPS
[RFC2818]) to protect sensitive or valuable information.
Doesn't it literally say do not use this unless you have HTTPS
which you should have regardless
Hello guys! Thank you for your participation
I've come to a decision: OAuth is better, recommended and very reliable
basic auth is just to learn or do internal security
As for credentials, it's better for me to pass them in headers as they can be read easily in Spring filters, unlike a POST body in JSON or else
I suggest to read the discussion in this thread
@real bloom you've misunderstood
You still need to do basic Auth (or similar) via the authentication header
Then you'll get your oAuth token
Which is sent in the authentication header as a bearer token
I'm saying authentication but the actual key is Authorization
I'm getting you confused with that scrum master guy now tho 😂
And no, this is incorrect
I just noticed that discord uses the request body to send credentials!
Request URL: https://discord.com/api/v9/auth/login
Plaintext in the JSON, not even base64 encoded, protected by nothing but SSL
ok but as far as I know Discord imposes a location verification each time you log in
that way its authentication process is hybrid or customized
Github has abandoned basic auth
https://developer.github.com/changes/2020-02-14-deprecating-password-auth/
RFC says: It's vulnerable to spoofing
https://www.rfc-editor.org/rfc/rfc7617#:~:text=Basic authentication is also,and feign an error.
Yes the RFC is talking about when you're being phished
But yes the articles are all correct but you still need to at least once in the process send the username/password to the server to generate a JWT
ofc !
The point is to not send the credentials repeatedly
But your OP question was asking how to do that
I was already under the assumption it was to do with the initial login 😔
my question is not about mechanisms
it's: what is the more appreciated way to pass credentials
now as I'm using Spring Security, I'm in charge of building custom filters to replace BasicAuthenticationFilter for custom token, OTP etc..
I'm still gonna say the header because the auth header in web browsers is stored in a secure storage
So before the request is made, a hacker cannot just try extract the password
Since it's already stored safely
That you won't need to worry about
You'll most likely be sending the password straight to the server once they press login
But before any communication happens, SSL will encrypt the network
So when the app does send the request, it will first encrypt the entire data before transmitting it over the network
So if a guy is standing next to your router and waiting for the data to be sent, he'll just see encrypted data that he cannot decipher without the server's private key
And these keys are generated randomly for each session
Using something like Diffie Hellman