Basic authentication is now defined additionally for each user (v.23)

Take a look at this picture,

[Image: the Users entity's properties, with the "Basic Authentication Allowed" property highlighted]

Do you see something new? Hint: It's the highlighted property.

Basic Authentication Allowed

This is a new attribute for the users entity.

Starting with version 23, you can now allow basic authentication on a per-user basis.

This lets you fine-tune your security policy, i.e. further restrict basic authentication so that it is allowed only for certain users.

So, regardless of the settings specified in the trusted application, if a particular user isn't allowed to use basic authentication, they simply won't be able to.

What's the benefit of this change?

Until now, if you wanted to allow basic authentication for a trusted application, you had to explicitly set the user who would use it as the system user for that trusted application.

But now the system user of the trusted application has nothing to do with basic authentication; it simply doesn't matter. The only requirement is that the particular user is configured to allow basic authentication.

If you want to enable basic authentication for a trusted application, you no longer need to specify its system user as the user that will use basic authentication.

All you have to do is:

  1. Allow basic authentication for the trusted application itself (just like before).
  2. Allow basic authentication for specific users individually (as in the picture above).

Wait a minute, isn't this a breaking change?

In short: no.

The key is in the property's default value. It's false, but 2023 introduces a new config option:

AllowBasicAuthForAllUsers

which defaults to true.

This way, you can set the new property for the required users according to your security policy and then turn off the AllowBasicAuthForAllUsers config option.
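The following is an added illustration, not ERP.net's code: it models how the three settings above combine, based on this article's description (the trusted application must allow basic authentication, and the user must either have Basic Authentication Allowed set or the AllowBasicAuthForAllUsers option must still be on). The class and field names, the sample applications and users, and the "preflight" helper that lists who would lose access once the global option is turned off are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class TrustedApplication:
    name: str
    basic_auth_allowed: bool   # the existing per-application switch
    system_user: str           # no longer relevant for basic auth as of v.23


@dataclass
class User:
    name: str
    basic_authentication_allowed: bool = False   # new per-user property, default false


@dataclass
class InstanceConfig:
    # models the AllowBasicAuthForAllUsers config option, default true
    allow_basic_auth_for_all_users: bool = True


def basic_auth_permitted(app: TrustedApplication, user: User, config: InstanceConfig) -> bool:
    """True if `user` may use basic authentication through `app`.

    Reading of the article (assumption): the application switch is a hard gate,
    and the user is then admitted either by the global option or by the per-user property.
    """
    if not app.basic_auth_allowed:
        return False
    return config.allow_basic_auth_for_all_users or user.basic_authentication_allowed


def users_losing_access(apps, users, config: InstanceConfig):
    """Preflight check before disabling AllowBasicAuthForAllUsers.

    Returns (user, application) pairs that can use basic auth under `config`
    but would be refused once the global option is switched off.
    """
    tightened = InstanceConfig(allow_basic_auth_for_all_users=False)
    affected = []
    for user in users:
        for app in apps:
            if basic_auth_permitted(app, user, config) and not basic_auth_permitted(app, user, tightened):
                affected.append((user.name, app.name))
    return affected


# Constructed sample data, not real configuration.
APPS = [
    TrustedApplication("reporting-bot", basic_auth_allowed=True, system_user="svc_reporting"),
    TrustedApplication("mobile-app", basic_auth_allowed=False, system_user="svc_mobile"),
]
USERS = [
    User("alice", basic_authentication_allowed=True),   # property already set per policy
    User("bob"),                                        # relies on the global option
    User("svc_reporting"),                              # the system user; no special treatment
]


if __name__ == "__main__":
    default_config = InstanceConfig()
    for user in USERS:
        for app in APPS:
            print(f"{user.name:>14} via {app.name:<14}: {basic_auth_permitted(app, user, default_config)}")
    print("would lose basic auth if the global option is turned off:",
          users_losing_access(APPS, USERS, default_config))
```

The second function is the check to run before step 2 of the migration: everyone it lists needs the per-user property set (or should stop using basic authentication) before AllowBasicAuthForAllUsers is turned off.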

Security note

Although we support basic authentication, its use is not recommended as this authentication method has some security concerns:

  • The password is sent repeatedly for each request.
  • The recipient(s) of your requests will see the password in plain text.
  • If used in a web browser, it may cache your password.

The recommended way to authenticate with ERP.net is OAuth.
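To make the first two concerns concrete, here is an added example (not from the article or from ERP.net) that audits a constructed list of captured request headers: it recovers the credentials from every Basic header, which shows that base64 is an encoding rather than encryption, and counts how many requests each user's password travelled in. The sample requests, client addresses and credentials are made up for the example; the placeholder bearer token is there only to show that non-Basic headers are ignored.

```python
import base64
import binascii
import re

# Constructed sample of (client_ip, Authorization header) pairs; not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Basic YWxpY2U6czNjcjN0"),   # alice:s3cr3t
    ("10.0.0.5", "Basic YWxpY2U6czNjcjN0"),   # same password sent again on the next request
    ("10.0.0.9", "Bearer PLACEHOLDER_TOKEN"), # OAuth-style token, not parsed here
    ("10.0.0.7", "Basic Ym9iOmh1bnRlcjI="),   # bob:hunter2
]

_BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]+)")


def basic_credentials(header: str):
    """Return (username, password) if `header` carries Basic credentials, else None.

    Anyone who can read the header (proxies, logs, the receiving service) can do this decode,
    which is why the password is effectively transmitted in plain text.
    """
    match = _BASIC_RE.fullmatch(header.strip())
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def basic_auth_usage(requests):
    """Count, per username, how many requests carried that user's password."""
    counts = {}
    for _client, header in requests:
        creds = basic_credentials(header)
        if creds is not None:
            counts[creds[0]] = counts.get(creds[0], 0) + 1
    return counts


if __name__ == "__main__":
    for client, header in SAMPLE_REQUESTS:
        creds = basic_credentials(header)
        if creds:
            print(f"{client}: Basic credentials for '{creds[0]}' visible in the header")
    print("password transmissions per user:", basic_auth_usage(SAMPLE_REQUESTS))
```

Running the same audit over real gateway or proxy logs (reporting only usernames, never the decoded passwords) is a quick way to find which users and clients still depend on basic authentication before restricting it per user.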

---

More information is available in our official documentation:

https://docs.erp.net/model/entities/Systems.Security.Users.html#basicauthenticationallowed

https://docs.erp.net/dev/topics/authentication/index.html

https://docs.erp.net/dev/domain-api/authentication.html
