Authentication Security Best Practices


api-negotiates-authentication



Guidance

Your API negotiates authentication with a remote Simple And Protected Negotiate (SPNEGO)-based system.

The most common systems used in negotiating authentication are Kerberos and the now obsolete NTLM (New Technology LAN Manager).
The severity of this risk depends heavily on which system is used: while Kerberos is reasonably secure, NTLM is not.
Because your API cannot know which system it is negotiating with, the only safe option is to treat all negotiations
as insecure.

Use a more secure authentication method, such as OAuth 2.0. It uses access tokens with a limited lifetime and explicit
authorizations (scopes) that the resource owner grants through an authorization server.
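The check this rule describes can be reproduced against an OpenAPI 3 document. The following is an added example, not MuleSoft's own rule implementation: it flags `securitySchemes` entries of `type: http` whose `scheme` is `Negotiate` or `NTLM` (the IANA-registered HTTP authentication scheme names for negotiated authentication), reports whether any flagged scheme is actually required by the API, and shows the corrected OAuth 2.0 scheme beside the weak one. Both sample documents, the `Orders API` title, and the `auth.example.com` URLs are constructed placeholders.

```python
"""Flag OpenAPI 3 security schemes that negotiate authentication (SPNEGO/NTLM).

Added example, not the ruleset's own implementation: it mirrors the intent of
api-negotiates-authentication for an OpenAPI 3 document loaded as a dict.
"""
import json

# HTTP authentication scheme names that imply negotiated authentication.
# Compared case-insensitively, as the registry treats scheme names.
NEGOTIATED_SCHEMES = {"negotiate", "ntlm"}


def find_negotiated_auth_schemes(spec: dict) -> list[str]:
    """Return the names of securitySchemes whose HTTP scheme is negotiated."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for name, definition in schemes.items():
        if not isinstance(definition, dict) or definition.get("type") != "http":
            continue
        if str(definition.get("scheme", "")).lower() in NEGOTIATED_SCHEMES:
            findings.append(name)
    return sorted(findings)


def negotiated_schemes_in_use(spec: dict) -> list[str]:
    """Return flagged schemes referenced by the global or any per-operation
    security requirement, i.e. the ones clients would really be asked to use."""
    flagged = set(find_negotiated_auth_schemes(spec))
    requirement_lists = [spec.get("security", [])]
    for path_item in spec.get("paths", {}).values():
        if not isinstance(path_item, dict):
            continue
        for operation in path_item.values():
            if isinstance(operation, dict) and "security" in operation:
                requirement_lists.append(operation["security"])
    in_use = set()
    for requirements in requirement_lists:
        for requirement in requirements:
            in_use.update(name for name in requirement if name in flagged)
    return sorted(in_use)


# Constructed sample: the weak setting this rule flags. The scheme is
# required globally, so every operation negotiates authentication.
WEAK_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API", "version": "1.0.0"},
  "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
  "components": {
    "securitySchemes": {
      "windowsAuth": {"type": "http", "scheme": "Negotiate"},
      "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}
    }
  },
  "security": [{"windowsAuth": []}]
}
""")

# Constructed sample: the same API corrected to OAuth 2.0 with short-lived
# access tokens and explicit scopes. Authorization server URLs are placeholders.
FIXED_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API", "version": "1.0.0"},
  "paths": {"/orders": {"get": {"responses": {"200": {"description": "ok"}}}}},
  "components": {
    "securitySchemes": {
      "oauth2": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://auth.example.com/authorize",
            "tokenUrl": "https://auth.example.com/token",
            "scopes": {"orders:read": "Read orders", "orders:write": "Create orders"}
          }
        }
      }
    }
  },
  "security": [{"oauth2": ["orders:read"]}]
}
""")

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("fixed", FIXED_SPEC)):
        print(label, "declared:", find_negotiated_auth_schemes(spec),
              "required:", negotiated_schemes_in_use(spec))
```

Running the script reports `windowsAuth` as both declared and required for the weak document and nothing for the corrected one. Separating "declared" from "required" matters in practice: a scheme left in `securitySchemes` but referenced nowhere is a cleanup item, while one listed under `security` is the finding this rule is about.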

Applies to: SecurityScheme

Constraint

Type: Declarative Validation


Type: Ruleset
Organization: MuleSoft
Published by: MuleSoft Organization
Published on: Apr 25, 2022