Other: FiveTran API Authentication Should Support OAuth with Bearer Tokens
Answered

It appears that only basic auth is supported for the FiveTran API. An improvement would be to support OAuth 2.0 client credentials to allow bearer tokens that expire after a period of time. While the original key/secret would still be required to exchange for a bearer token, this would allow for a couple of things.
1. In the event of disclosure of the API call contents (too often this is in logs!), the auth token is at least time limited and useless after the expiration of the token. While the initial OAuth call would, of course, need to be careful to not log the key and secret, this typically is easier to control.
2. One could have a client environment where the key and secret were kept in an extra-secure vault which could make the occasional request for a bearer token and hand that time-limited bearer token off to the environment that would handle the requests.
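A worked illustration of the pattern described in the request, added here as an example; it is not Fivetran's code and does not model Fivetran's actual API. It simulates, offline, an OAuth 2.0 client-credentials exchange (RFC 6749 section 4.4): a hypothetical `AuthServer` holds the key/secret registry and mints HMAC-signed bearer tokens with an embedded expiry, a `Vault` is the only component that knows the secret and refreshes the token before it expires, and the request-handling side only ever sends the bearer token. The token format, class names, TTL, and credentials are all assumptions. It then shows the two points above: a bearer header captured from a log is rejected once the token expires, while a captured basic-auth header keeps working indefinitely.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of an issued bearer token


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class AuthServer:
    """Hypothetical token endpoint plus resource-side verifier (not Fivetran's).

    Holds the API key/secret registry (the long-lived credentials) and a signing
    key that never leaves the server. Tokens are opaque to clients: a JSON payload
    carrying the client id and expiry, HMAC-SHA256 signed.
    """

    def __init__(self, clients: dict[str, str]):
        self._clients = clients
        self._signing_key = secrets.token_bytes(32)

    def check_client(self, api_key: str, api_secret: str) -> bool:
        expected = self._clients.get(api_key)
        return expected is not None and hmac.compare_digest(expected.encode(), api_secret.encode())

    def issue_token(self, api_key: str, api_secret: str, now: float) -> str:
        """Client-credentials grant: trade the long-lived key/secret for a short-lived token."""
        if not self.check_client(api_key, api_secret):
            raise PermissionError("invalid_client")
        payload = {"sub": api_key, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return (body + b"." + _b64e(sig)).decode()

    def verify_token(self, token: str, now: float) -> Optional[str]:
        """Return the client id if signature and expiry check out, else None."""
        body, _, sig = token.encode().partition(b".")
        if not sig:
            return None
        expected = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(_b64d(sig), expected):
                return None
            payload = json.loads(_b64d(body))
        except (ValueError, TypeError):  # bad base64 or JSON; binascii.Error is a ValueError
            return None
        if payload.get("exp", 0) <= now:
            return None  # past its lifetime: useless to whoever found it in a log
        return payload.get("sub")


class Vault:
    """The one place the long-lived key/secret lives (point 2 of the post).

    Exchanges the secret for a bearer token on demand and refreshes it a little
    before expiry, so the environment making requests only holds the token.
    In a real deployment this would be a separate process or service.
    """

    def __init__(self, auth: AuthServer, api_key: str, api_secret: str, refresh_margin: int = 300):
        self._auth, self._key, self._secret = auth, api_key, api_secret
        self._margin = refresh_margin
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def bearer_token(self, now: float) -> str:
        if self._token is None or now >= self._expires_at - self._margin:
            self._token = self._auth.issue_token(self._key, self._secret, now)
            self._expires_at = now + TOKEN_TTL_SECONDS
        return self._token


def request_headers(vault: Vault, now: float) -> dict[str, str]:
    """What the request-handling environment sends: a bearer token, never the secret."""
    return {"Authorization": f"Bearer {vault.bearer_token(now)}"}


def basic_auth_header(api_key: str, api_secret: str) -> dict[str, str]:
    """Today's scheme for comparison: the long-lived secret rides on every request."""
    return {"Authorization": "Basic " + base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()}


def handle_request(auth: AuthServer, headers: dict[str, str], now: float) -> int:
    """Resource-side check: 200 for a valid credential, else 401. Accepts both schemes."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme == "Bearer":
        return 200 if auth.verify_token(credential, now) is not None else 401
    if scheme == "Basic":
        try:
            key, _, secret = base64.b64decode(credential).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return 401
        return 200 if auth.check_client(key, secret) else 401
    return 401


if __name__ == "__main__":
    # Constructed demo credentials, not real ones.
    auth = AuthServer({"api_key_123": "api_secret_xyz"})
    vault = Vault(auth, "api_key_123", "api_secret_xyz")
    t0 = time.time()
    leaked = request_headers(vault, t0)  # imagine this header ended up in a request log
    print("secret visible in logged bearer header:", "api_secret_xyz" in leaked["Authorization"])
    print("replay now:", handle_request(auth, leaked, t0))
    print("replay after expiry:", handle_request(auth, leaked, t0 + TOKEN_TTL_SECONDS + 1))
    print("basic auth replay a year later:",
          handle_request(auth, basic_auth_header("api_key_123", "api_secret_xyz"), t0 + 365 * 86400))
```

The refresh margin in `Vault` matters in practice: a token handed to a worker moments before expiry fails mid-batch, so the vault renews early and the worker treats a 401 as "fetch a fresh token and retry once", not as a fatal error.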
Official comment
Hi Chip,
We've discussed OAuth internally; one benefit of basic auth is that it's dead simple to understand and implement, whereas OAuth is a bit more involved. Are you just looking to limit exposure, or are there other challenges you're experiencing due to the lack of OAuth?
Thanks,
Jimmy
Exposure of credentials, as outlined in my initial request, is the concern. While simplicity and security are often friends, sometimes a little complexity is required. You could still allow basic auth as an option.
Many APIs use OAuth. It wouldn't be a barrier to most people even if it was required!