Hey, nice write up. As you said in the article it is a controversial topic and I definitively see that "bandwagon effect" when it comes to using OAuth in favor of Basic Auth. One thing I'm a bit worried about, though whenever I use Basic Auth is the longevity of it's credentials. The lack of tokens automatically means that as long as the dev does not implement some "credential rotation" mechanism (carried out either manually or automatically) leaked credentials become a long lasting problem.
OAuth is not perfect by any means but this scares me away from Basic Auth a lot. Especially given the fact that those "leaks" might go by unnoticed. Using some authentication mechanism with short-lived tokens mitigates this risk at least in the long run as leaked tokens will just expire.
1 comment
[ 2.9 ms ] story [ 11.3 ms ] threadOAuth is not perfect by any means but this scares me away from Basic Auth a lot. Especially given the fact that those "leaks" might go by unnoticed. Using some authentication mechanism with short-lived tokens mitigates this risk at least in the long run as leaked tokens will just expire.