Drawbacks of password-based SSL authentication for PHP REST API

Question

I have developed an API that I want to secure through user authentication. My first idea was to assign to each user a secret key (password) and a client id (username) that they would send along with each request to the API. However, I have read many articles that suggest alternative authentication schemes, like OAuth2 or using HMAC hashes. What I cannot understand yet is the benefit of these schemes against a combination of HTTPS+password+username in terms of security. The only thing I found is that HTTPS may incur higher cost in terms of CPU, but I'm not convinced about the security benefits I'll get using other authentication schemes.

Can you please offer me good reasons against using basic encrypted authentication, or to put it in other words, why I should prefer HMAC hashes or OAuth?

Answer 1

The main point of OAuth is to allow a third-party to use your API on behalf of a user. It basically ensures that the user doesn't need to share their username/password with the third-party.

If you are not going to allow third-party websites to connect to your website then there are simpler ways. It really depends on what your API is about, how it is accessed by the users (website, mobile application, etc.).

Sending the username and password with each request doesn't seem like a good idea, even over HTTPS, so maybe a better solution would be to have a "/login" function which returns a token on success. You can then use this token to access the API. The advantage is that you can expire the token in case of problem.