HTTP basic auth, digest auth and OAuth?
Which one of basic auth, digest auth and OAuth should one use for a web application to let users access resources through RESTful API calls?
Isn't OAuth the better solution, replacing basic and digest auth?
Glossing over many details here but:
http basic: send username & password in the clear in Authorize header
http digest: send username & password, where the password has been hashed by a server provided nonce
Both versions of OAuth were originally designed to grant 3rd parties access to resources that are not owned by them (e.g. I allow a mobile photo app to post to Facebook on my behalf) without having to give the 3rd party my credentials. Both of these protocols work basically as follows:
- From mobile photo application, user is directed to login page of facebook
- Once they have logged in, they are redirected back to the mobile photo app with a code.
- The mobile photo app then redeems this code for an access token
- The mobile photo app can then make requests to facebook to post my photos to my wall.
OAuth 1.0a: more secure than OAuth 2, but more difficult to implement; it also requires all requests to be signed.
OAuth 2: relies on SSL for security and does not require request signing. While its lead author has abandoned the project because he feels it doesn't meet either of its original design goals (security, interoperability), it is widely used by Facebook and Google.
Here are some articles I found useful:
https://blog.apigee.com/detail/api_authentication_and_how_it_got_that_way_from_http_basic_to_oauth_2.0
https://www.stormpath.com/blog/secure-your-rest-api-right-way
Not enough mojo yet to link to the RFCs, but those are the definitive sources, if slightly indigestible.
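To make the difference between the first two schemes in the answer above concrete, here is an added example (not code from the original post or from any of the linked articles). It builds the Basic credential, computes the Digest response as specified in RFC 2617 (MD5, `qop=auth`), and includes a small server-side verifier that stores only HA1 rather than the password and rejects a replayed nonce count. The realm `api.example`, the user `alice` and the nonce handling are constructed for the example; the RFC 2617 sample values (`Mufasa`, `testrealm@host.com`, `Circle Of Life`) are the ones printed in that RFC.

```python
import base64
import hashlib
import secrets


# --- HTTP Basic: the credential is just base64(user:password), i.e. cleartext ---

def basic_header(username, password):
    """Build an Authorization header value for HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(header):
    """Server side: recover (user, password) from a Basic header value.
    Anyone who sees the header (without TLS) gets the password too."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- HTTP Digest (RFC 2617, MD5, qop=auth) ---

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). A server may store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example():
    """Recompute the worked example from RFC 2617 section 3.5 (values from the RFC)."""
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


class DigestVerifier:
    """Constructed server-side verifier: keeps HA1 per user (never the password),
    only accepts nonces it issued, and refuses a repeated (nonce, nc) pair."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.issued_nonces = set()
        self.seen = set()  # (nonce, nc) pairs already accepted

    def register(self, username, password):
        self.ha1_by_user[username] = digest_ha1(username, self.realm, password)

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.issued_nonces:
            return False
        if (nonce, nc) in self.seen:
            return False  # replayed request
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True


if __name__ == "__main__":
    print(basic_header("Aladdin", "open sesame"))
    print(rfc2617_example())
```

Note what the server sees in each case: with Basic it has the password itself, so TLS is the only thing protecting it in transit; with Digest it sees a value bound to its own nonce and the request method and URI, and it can authenticate without ever holding the cleartext password. MD5 is still the algorithm RFC 2617 specifies, which is one reason the scheme is rarely chosen for new APIs.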
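The four-step OAuth flow listed in the answer above (redirect to login, redirect back with a code, redeem the code for a token, call the API with the token) as an added, self-contained example; this is not code from the original post and not any real provider's implementation. It models only the authorization server and resource check in one toy class with no network, and the client id, secret, redirect URI and scope names are constructed. The checks it performs when redeeming a code (client secret, code bound to the client and redirect URI, short lifetime, single use) are the ones that stop a leaked code from being useful to anyone other than the app it was issued to.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse


class AuthorizationServer:
    """Constructed toy OAuth 2 authorization server plus resource check."""

    CODE_TTL_SECONDS = 60  # authorization codes are short-lived

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> issuance record
        self.tokens = {}   # access_token -> {"user": ..., "scope": ...}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, user, client_id, redirect_uri, scope, now=None):
        """Steps 1-2: the user has logged in and approved the client; return the
        redirect URL carrying a fresh code bound to this client and redirect URI."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": set(scope), "issued": now if now is not None else time.time(),
        }
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 3: redeem the code. Returns an access token or None."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        record = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if record is None:
            return None
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return None
        current = now if now is not None else time.time()
        if current - record["issued"] > self.CODE_TTL_SECONDS:
            return None
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": record["user"], "scope": record["scope"]}
        return access_token

    def resource(self, access_token, required_scope):
        """Step 4: the resource server checks the token and its scope; returns the
        user on whose behalf the client is acting, or None."""
        record = self.tokens.get(access_token)
        if record is None or required_scope not in record["scope"]:
            return None
        return record["user"]


def code_from_redirect(url):
    """Client side: pull the code out of the redirect the browser came back with."""
    return parse_qs(urlparse(url).query)["code"][0]


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("photo-app", "s3cret", "https://photo.example/cb")
    redirect = srv.authorize("me", "photo-app", "https://photo.example/cb", ["post"])
    tok = srv.token("photo-app", "s3cret", code_from_redirect(redirect), "https://photo.example/cb")
    print("acting as", srv.resource(tok, "post"))
```

The client never learns the user's password at any step, which is the point the answer makes; the user only ever types it into the provider's own login page. Real deployments add what this toy leaves out, chiefly TLS on every leg and a `state` parameter on the redirect so the client can tie the returned code to the request it started.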
I am trying to work out the answer to this one as well. I would say it depends on what the scope of your intended app is. OAuth restricts access to developers who would have to build a client to do the handshaking.
Basic can work with many data browser clients like Sesame and also work with Excel 2010, as well as any old browser. The only issue is the passwords travelling in the clear, which can be mitigated by hosting your app over HTTPS.
Don't know much about digest unfortunately.
I am personally trying to test an implementation of each: http basic and oauth.
Phil Sturgeon has got a decent eBook (Build APIs You Won't Hate) with a whole chapter dedicated to Authentication. It covers:
- Basic
- Digest
- OAuth 1.0a
- OAuth 2
I'd highly recommend reading it if you are considering implementing such mechanisms within your RESTful API.
Update: Why the downvote?