Moving to a Modern Authentication Method

There are security issues with both digest and basic auth. Also, these old systems preclude support for non-ASCII characters in usernames (I think). It would be good to move to a modern token-based system.

I see that OpenRosa requires support for basic and/or digest.

Could we not add token-based alongside and if both the client and server support it, that's what gets used?

I'm generally in favor of an improved auth method, but I think we do need to understand the details.

  1. What precisely you mean by token-based auth (e.g., OAuth, HTTP Token, JSON Web Token). If you have a link to something that describes the concept at high-level, that'd be ideal.

  2. What are the specific security issues with digest and basic that you want to avoid?

  3. Non-ASCII usernames would be nice, but what are the other big pros that would drive this change?

  4. And what cons can you think of?

Here is a description of the benefits of token auth.

I am not especially wedded to any particular standard. Perhaps whatever there is good API support for in Android?

Here is a good post on the security issues with Basic auth over HTTPS (nobody should be doing any kind of auth over HTTP at all, so no point in even talking about that, right?)

Digest auth is not much different from Basic in these respects I believe.

The bottom line is that Basic over HTTPS is not horrible but it's old and it has a larger-than-necessary attack surface (sending the password with every request). Seems like it's time to upgrade.


I would support adding this as a third authentication strategy requirement for the clients (Collect, Enketo, etc) and as a strong suggestion for the servers (Aggregate, etc). With that framing, currently-existing servers could interact with future clients (that would support token-based auth).

Ideally, it would also be possible for future servers that support token auth to interact with currently-existing clients that don't support it. I'm less sure about how this would be implemented given that currently-existing clients would know nothing about token-based auth. Is it possible? My memory on this is a little fuzzy but I think the server states which auth strategies it supports in its 401 challenge and then it's up to the client to pick which one it uses.

Typically, it's harder for organizations to update their servers and easier for them to update their clients, so it's really important that client updates don't require server updates. I think it's somewhat more acceptable if a server update requires the clients to be updated, but it would be good to get some feedback on that.
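The 401 negotiation described in that last post, as an added illustration that is not code from Collect, Aggregate or the OpenRosa spec: a server-side helper that offers Bearer alongside Digest and Basic in one `WWW-Authenticate` header, and a client-side parser that picks the strongest scheme it supports. The header strings, realm and nonce values are constructed; function names are my own.

```python
import re

# One auth-param: name=value, value as quoted-string or bare token (RFC 7235 grammar).
_PARAM_NC = r'[A-Za-z0-9_-]+\s*=\s*(?:"(?:[^"\\]|\\.)*"|[^",\s]+)'
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))')
# One challenge: scheme token, optionally followed by a comma-separated auth-param
# list. token68 challenges (e.g. "Negotiate <blob>") are deliberately not handled.
_CHALLENGE = re.compile(
    rf'([A-Za-z0-9_-]+)(?:\s+({_PARAM_NC}(?:\s*,\s*{_PARAM_NC})*))?'
)


def parse_challenges(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for m in _CHALLENGE.finditer(header):
        params = {}
        for pm in _PARAM.finditer(m.group(2) or ""):
            quoted, token = pm.group(2), pm.group(3)
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
            params[pm.group(1).lower()] = value
        challenges.append((m.group(1).lower(), params))
    return challenges


def choose_scheme(header, supported):
    """Client side: `supported` is ordered strongest-first; return the first
    scheme the server also offers, or None if there is no overlap (the
    old-client-vs-token-only-server case)."""
    offered = {scheme for scheme, _ in parse_challenges(header)}
    return next((s for s in supported if s in offered), None)


def build_www_authenticate(realm, nonce, offer_bearer=True):
    """Server side: keep Digest and Basic so current clients still work,
    and add a Bearer challenge that newer clients will prefer."""
    challenges = []
    if offer_bearer:
        challenges.append(f'Bearer realm="{realm}"')
    challenges.append(f'Digest realm="{realm}", qop="auth", nonce="{nonce}"')
    challenges.append(f'Basic realm="{realm}"')
    return ", ".join(challenges)


if __name__ == "__main__":
    header = build_www_authenticate("ODK", "n1")  # constructed sample values
    print(choose_scheme(header, ["bearer", "digest", "basic"]))  # new client
    print(choose_scheme(header, ["digest", "basic"]))            # current client
```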