Question

With both approaches I use SSL.

Both seem equally secure to me. But if SSL breaks, there are differences.

1) basic auth: Without SSL someone can phish the username+password and use it forever.

2) token auth: Without SSL someone can do a man-in-the-middle attack and steal my token and just use it, but only for a certain time period, I would say e.g. token creation date + 8 hours; after that every request with that token is invalid as the token is invalid.

Are there any more advantages from token based auth vs basic auth?


Solution

One of the main advantages of using an authentication token (e.g. OAuth2) is that the client application does not need to save the credentials locally. The client application sends the credentials once for the initial login, then forgets them until the application needs to be re-authorized, at which point the client application prompts the user to enter them again.

In contrast to version 1, OAuth2 does not require you to sign the request; a bearer token can be used as long as it is valid, without any further measure. This may seem like a security issue, but the process benefits from the simplification.
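The two properties discussed above (the client checks credentials once and keeps only a token, and a stolen token stops working after a fixed window such as creation time + 8 hours) can be shown in a small server-side sketch. This is an added example, not code from the question or the answer; `SERVER_KEY`, the `USERS` table and the `login`/`verify` functions are constructed for illustration and use an HMAC-signed token rather than any particular OAuth2 library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side signing key; in a real deployment it lives in a secrets store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 8 * 3600  # the eight-hour window mentioned in the question

# Constructed user table: salted password hashes only, never plaintext passwords.
_SALT = secrets.token_bytes(16)
def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
USERS = {"alice": _hash_pw("correct horse")}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check the credentials once; return a signed, time-limited bearer token or None."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(_hash_pw(password), stored):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + TOKEN_LIFETIME)}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"  # the client keeps this, not the password

def verify(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None  # a stolen token is useless once the window has passed
    return claims["sub"]
```

Compare this with basic auth, where the same username and password travel on every request and remain valid until someone changes them.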

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow