When looking at the differences between X-Auth-Token vs Authorization headers, which is preferred?

HttpHttp HeadersSpring Restcontroller

Http Problem Overview

What is the difference between the two headers below?
Which one is preferred?

  1. X-Auth-Token : dadas123sad12

  2. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Http Solutions

Solution 1 - Http

Authorization is the primary header used by clients to authenticate against peers in HTTP as foreseen in RFC 7235. It is often linked to the Basic authentication scheme as per RFC 7617, but that is not a given.

The Basic scheme allows clients to provide a username-password-pair separated by a colon (:) coded in Base64. It cannot be stressed enough that this is a transport coding that provides no real security benefits. E.g. the example given by you can trivially be 'decrypted' into Aladdin:open sesame.

Through the IANA HTTP Authentication Scheme Registry (see also: RFC 7235, sec. 5.1) you will find the Bearer scheme (defined in RFC 6750), which is closely tied to OAuth 2.0. X-Auth-Token is pretty much providing a shortcut here as it (presumably) does not rely on either OAuth or the HTTP authentication framework.

Please note that with X-Auth-Token being an unregistered header, it is subject to no formal specification and its presence and content is always tied to a respective application. No general assumptions can be made on it.

Solution 2 - Http

'Authorization: Basic ' means basic authentication, browser/client have to supply the username/password with each request.

In case of 'x-auth-token' user has to supply username/password for the first time and server returns a access-token in header field 'x-auth-token'. For further sessions this token is exchanged, not the username/password.

Solution 3 - Http

[Solution] When you get the below response you have to put the "Bearer" as a prefix with the Outh token.

{    "errorCode": 401,
"errorDesc": "Full authentication is required to access this resource",
"_userDesc": "Unauthorized"}

Should be the Authorization header as below

Bearer  eyJraWQiOiJrOTgwMy4xNTk5ODQyODg3IiwiYWxnIjoiUlM1MTIifQ....

Issue will be resolve.. Thanks

Solution 4 - Http

In case of normal "Basic" Authorization, you need to provide a string like this

"Basic " + Buffer.from("username:password").toString("base64");

For client-side JavaScript you can check window.atob() function to encode a string in base64.

And in case of X-Authorization the user has to pass their username/password to the server for the first time and server responds with this X-Authorization token, after that every api-calls the user does(in that session), it only uses that X-auth token and not their credentials.


All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionDeepakView Question on Stackoverflow
Solution 1 - HttpDaSourcererView Answer on Stackoverflow
Solution 2 - Httpuser18853View Answer on Stackoverflow
Solution 3 - HttpThilina ChamikaView Answer on Stackoverflow
Solution 4 - HttpRaj KarmakarView Answer on Stackoverflow