Every application either exposes REST API or is consuming REST API. I am still amazed HTTP Basic Auth is the most commonly used authentication method to access REST API. What is wrong with that..? Its simply because you don’t have control over how your API will be used.
REST API with Basic Auth = Insecure clients
Its much easier to claim that your API is secure because it has HTTPS (lets not even go whether or not its TLS 1.0 /1.1/1.2) and requires username and password.
Basic Auth as easy option / band aid “Bolt On” security
I am still surprised to see REST API that is part of a platform, software ( closed or open source), etc. tend to start with username and password and other options are usually hidden or have to be customized.
If you are asking the question of why should API support Tokens as default mechanism, answer is very simple — can you control how your API will be used? One has to think about how any API that is exposed will be consumed by the clients. When you ( i.e. you or your organization) don’t have control over the client applications, it is time to step back and think how can you secure the end points with “Tokens”.
Any open source software that exposes REST API should by default accept token and have a plugin mechanism to support various token formats.
Let’s not hide behind Firewall or documentation:
Its not my responsibility :
Yes it is true that it is not the responsibility of the service provider to ensure client applications follow the security best practices. I often hear answers from engineers such as “Service only supports Basic Auth” or “Password is stored in JS file…” or “We capture the password on the client and is encrypted”. The later part is usually followed by “Oh..it is encrypted and encryption key is hardcoded in the code”.
Building Security Within:
Secure software starts with having constraints within software to force security best practices. Let’s try to stop writing documents on how to secure and rather have security best practices as default. One can jump through hoops to build insecure applications if they decide to. Would love to hear your thoughts on this.