Authentication Security Best Practices


api-negotiates-authentication

Guidance

Your API negotiates authentication with a remote Simple And Protected Negotiate (SPNEGO)-based system.

The most common systems used in negotiating authentication are Kerberos and the now obsolete NTLM (New Technology LAN Manager).
The severity of this risk depends heavily on which system is used. While Kerberos is reasonably secure, NTLM is not.
Because your API cannot know which system it is negotiating with, the only safe option is to treat all negotiations
as insecure.

Use a more secure authentication method, like OAuth 2.0. It uses access tokens with a limited lifetime and carries the
authorizations (the scopes) that the resource owner grants through an authorization server.

Message

Your API negotiates authentication with a remote SPNEGO-based system. This could pose a security risk. Please use a more secure authentication method, like OAuth 2.0.

Examples

valid

securitySchemes:
  petstore_auth:
    type: oauth2
    flows:
      implicit:
        authorizationUrl: https://example.com/api/oauth/dialog
        scopes:
          'read:pets': read your pets

invalid

securitySchemes:
  spnego_auth:
    type: http
    scheme: negotiate
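As an added example (not MuleSoft's ruleset code), the following Python check applies this rule to an OpenAPI 3 document held in memory. It assumes the components.securitySchemes layout shown above and inspects nothing else; the sample document is constructed from the two fragments on this page.

```python
"""Flag OpenAPI 3 security schemes that negotiate via HTTP 'Negotiate' (SPNEGO)."""
from typing import Dict, List

# Constructed sample document: the valid OAuth2 scheme and the invalid
# SPNEGO scheme from the page, placed inside a full OpenAPI 3 document.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "petstore_auth": {
                "type": "oauth2",
                "flows": {"implicit": {
                    "authorizationUrl": "https://example.com/api/oauth/dialog",
                    "scopes": {"read:pets": "read your pets"}}},
            },
            "spnego_auth": {"type": "http", "scheme": "negotiate"},
        }
    },
}

RULE_ID = "api-negotiates-authentication"
MESSAGE = ("Your API negotiates authentication with a remote SPNEGO-based "
           "system. This could pose a security risk. Please use a more secure "
           "authentication method, like OAuth 2.0.")


def find_negotiate_schemes(spec: Dict) -> List[Dict[str, str]]:
    """Return one finding per security scheme of type http with scheme Negotiate.

    HTTP auth-scheme names are case-insensitive (RFC 7235), so 'Negotiate'
    and 'negotiate' are treated alike. Only components.securitySchemes is
    inspected (assumption: OpenAPI 3 layout, as in the page's examples).
    """
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for name, scheme in schemes.items():
        if not isinstance(scheme, dict):
            continue  # malformed entry; other rules should report it
        is_http = scheme.get("type") == "http"
        is_negotiate = str(scheme.get("scheme", "")).lower() == "negotiate"
        if is_http and is_negotiate:
            findings.append({
                "rule": RULE_ID,
                "path": f"components.securitySchemes.{name}",
                "message": MESSAGE,
            })
    return findings


if __name__ == "__main__":
    for finding in find_negotiate_schemes(SAMPLE_SPEC):
        print(f"[{finding['rule']}] {finding['path']}: {finding['message']}")
```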

Applies to: SecurityScheme

Constraint

Type: Declarative Validation

Type: Ruleset
Organization: MuleSoft
Published by: MuleSoft Organization
Published on: Nov 29, 2023
Asset version: 1.1.0