API Version 2 Authentication


I'm exploring the version 2 LoadMaster API and was wondering if anyone can offer further info on the decision to have authentication tokens in the body as opposed to a header (basic/bearer)?

4 comments

Nick Smylie Official comment

Hi @colin,

For external clients, basic auth is frequently cited as being very weak. A lot of the focus is that the username and password are on the wire for EVERY request. By moving away from that to tokens (like cookies), you have a little more security by reducing the surface for when a password is available, being transferred. The flow is also simplified: the client does not need to request a cert.

Any more questions please let me know.

colin

Hi @Nick,


Thank you for the info. I had a feeling it was for security reasons. I'm guessing using an 'Authorization: Bearer {token}' header would fall under the same security concerns?

The reason for my inquiry is that it's a little finicky developing a client (Go, Python) when the token is inside the request body itself along with the parameter data.


Nick Smylie

Yeah, I would say it's the same reason; using a bearer token is the same thing.

As for your other concern, I can pass that info along to my devs. This is of course a new and beta product, so any feedback is very much appreciated.

colin

Thanks Nick.

Appreciated. I'll post any other feedback while exploring the v2 API.