
DEVASC Exam - Question 446


A developer prepares an API to be used by administrators. The API requires a username and password to be verified for validated access to data; however, the username-password combination of users must not be sent to the API service itself. Authentication and authorization will be provided over the same mechanism. Which authentication mechanism must be used by the API service?

Correct Answer: B

Digest Access Authentication should be used by the API service. This method enhances security by avoiding the transmission of passwords in clear text. It employs a challenge-response mechanism that uses a cryptographic hash function, ensuring that passwords are never sent directly over the network, thus satisfying the requirement that the username-password combination must not be sent to the API service.
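
The challenge-response round described above, as an added example that is not part of the original page: the RFC 7616 computation with SHA-256, showing which fields the client sends and how the service checks them against a stored hash. The user, realm, password and URI are constructed sample values, the function names are hypothetical, and nonce-count replay tracking is left out.

```python
import hashlib
import hmac
import secrets

def h(text: str) -> str:
    """SHA-256 hex digest, the H() of RFC 7616 with algorithm=SHA-256."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def compute_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(HA1:nonce:nc:cnonce:qop:HA2), where HA2 = H(method:uri)."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def new_challenge(realm):
    """Server side: the 401 challenge carries a fresh random nonce."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}

def client_authorization(username, password, method, uri, challenge):
    """Client side: fields of the Authorization header. The password is
    only an input to the hash and is not one of the fields sent."""
    nc, cnonce = "00000001", secrets.token_hex(16)
    ha1 = h(f"{username}:{challenge['realm']}:{password}")
    return {
        "username": username, "realm": challenge["realm"], "uri": uri,
        "nonce": challenge["nonce"], "nc": nc, "cnonce": cnonce,
        "qop": "auth", "algorithm": "SHA-256",
        "response": compute_response(ha1, method, uri,
                                     challenge["nonce"], nc, cnonce),
    }

def server_verify(auth, method, challenge, ha1_store):
    """Server side: recompute the response from the stored HA1 and compare."""
    ha1 = ha1_store.get(auth["username"])
    if ha1 is None or auth["nonce"] != challenge["nonce"]:
        return False  # unknown user, or a response bound to another nonce
    expected = compute_response(ha1, method, auth["uri"], auth["nonce"],
                                auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])

# Constructed sample data (not from the page). The service stores HA1,
# H(username:realm:password), rather than the password itself.
REALM = "admin-api@example.test"
HA1_STORE = {"alice": h(f"alice:{REALM}:correct horse")}

if __name__ == "__main__":
    ch = new_challenge(REALM)
    auth = client_authorization("alice", "correct horse", "GET", "/v1/data", ch)
    print(auth)
    print("accepted:", server_verify(auth, "GET", ch, HA1_STORE))
```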

Discussion

3 comments
Erfan
Option: A
Jan 4, 2025

It should be OAuth Authentication. Correct Answer: A

liketopass
Option: B
Oct 28, 2024

RFC 7616. This method enhances security by avoiding the transmission of passwords in clear text. It employs a challenge-response mechanism that uses a cryptographic hash function, ensuring that passwords are never sent directly over the network.

daniii89
Feb 8, 2025

While Digest Authentication hashes credentials before transmission, it still involves sending credentials in some form, which contradicts the requirement of not sending them to the API service.

daniii89
Option: A
Feb 8, 2025

It's A: OAuth authentication provides a secure method for authentication and authorization without exposing user credentials (username-password) to the API service. Instead, OAuth relies on access tokens issued by an authorization server after verifying the user’s credentials. These tokens are then used for API access, ensuring security while preventing direct transmission of username-password combinations.