I have an implementation for an internal API, the requirement is to implement some sort of basic authentication instead of oauth (generating a token).

Do you think there’s any difference between using just an API key vs using a client id + secret?
For what I see it’d be just like saying “using a password” vs “using a user and a password”.

  • @[email protected]OP
    link
    fedilink
    English
    21 year ago

    Oh, yeah, I had forgotten about this kind of attack.

    Do you think this is a concern if the calls are only meant to be done in an internal network?

    • @TootSweet
      link
      English
      41 year ago

      I’d consider it a concern if I was in your shoes, yes. Mostly for the reasons jflorez mentioned.

      Major security breaches wherein an attacker gained has access to an internal, private network happen not infrequently. Target (the retail chain) leaked a ton of their customers’ credit card to attackers over the course of (IIRC) months. The attackers couldn’t have done it (at least not in the way they did) without first breaching Target’s private corporate network.

    • @[email protected]
      link
      fedilink
      English
      21 year ago

      Never underestimate the risk of an attack coming from the inside.

      Also once you have an implementation with a certain kind of authentication other devs are likely to copy what you have successfully deployed and then your security assumptions will make it into public facing code without much consideration