Basic Auth Implementation: How It Works

Basic auth is very simply implemented through traditional HTTP request methods. You just pass a username and password as login credentials through to the provider from which you are trying to obtain the privileged user information.

Let’s say, for example, that we want to pull down some resources from a social URI endpoint that is designated by a provider site. We start out by making a simple HTTP GET request to the provider URI endpoint to capture that data:

GET /private/user/me HTTP/1.1
Host: server.example.com

Now let’s say that the provider requires basic authentication (username and password for validation). Since we didn’t include those login credentials with the request, the provider will return a simple HTTP error response stating that additional authorization is required:

HTTP/1.1 401 Authorization Required
Date: Fri, 17 Dec 2010 02:27:34 GMT
Server: Apache
Location: http://server.example.com/private/user/me
Cache-Control: max-age=300
Expires: Fri, 17 Dec 2010 02:32:34 GMT
Vary: Accept-Encoding
Content-Length: 148
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Error: Unauthorized</title>
</head><body>
<h1>401 Unauthorized</h1>
</body></html>

Let’s assume that this provider accepts basic authentication requests. We’ll use an HTTP POST request including a username, password, and any arbitrary parameters that the URI endpoint requires to denote which resources to return. This POST request will look similar to the following:

POST /private/user/me HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

username=joe_smith
&password=pass1234
&param1=myparameter1
&param2=myparameter2

The provider will then respond with the resources from the URI endpoint to which you made the request.

As you can see, simply tracking the HTTP requests and responses gives you a good view of the basic auth process. Even though the process is easy to implement, there are many reasons why you may want to avoid basic auth as a mechanism to protect your private resources, ranging from the inconvenience of having to send the username and password with every request to concerns about securely storing that data.
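The exchange above, as an added example that is not part of the original text: a minimal provider-side check for the page's sample request. It accepts the credentials either from the form body shown above or from the Authorization header that RFC 7617 Basic Authentication uses, keeps only a salted hash rather than the password itself, and compares in constant time. The credential store, the sample user and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed credential store: plaintext passwords are never kept,
# only a per-user random salt and a PBKDF2-SHA256 hash.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"joe_smith": (_SALT, _hash("pass1234", _SALT))}  # the page's sample user
_DUMMY = b"\x00" * 32  # compared against for unknown users (never a real hash)

def basic_authorization(username: str, password: str) -> str:
    """Client side: the Authorization header value defined by RFC 7617."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def credentials_from_request(headers: dict, body: str):
    """Return (username, password) from an Authorization: Basic header, or from
    a form-encoded body as in the page's POST example; None if neither is present."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    form = parse_qs(body)
    if "username" in form and "password" in form:
        return form["username"][0], form["password"][0]
    return None

def verify(username: str, password: str) -> bool:
    """Hash and compare in constant time; unknown users still pay for a hash
    so response timing does not reveal which usernames exist."""
    salt, expected = USERS.get(username, (_SALT, _DUMMY))
    return hmac.compare_digest(_hash(password, salt), expected)

def handle(headers: dict, body: str = "") -> tuple:
    """Provider side: (status, response headers) for one request."""
    creds = credentials_from_request(headers, body)
    if creds is None or not verify(*creds):
        # A 401 carries WWW-Authenticate so the client knows which scheme to use.
        return 401, {"WWW-Authenticate": 'Basic realm="private"'}
    return 200, {"Content-Type": "application/json"}
```

Calling `handle({})` reproduces the 401 from the page, and `handle({}, "username=joe_smith&password=pass1234&param1=myparameter1&param2=myparameter2")` the 200 for the POST.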