Passing Foursquare token in HTTP Authentication header. Is it possible?

Question

I'm constructing an application with 2 sides: client (iPhone) and Server (PHP). Communication using https. The mobile phone gets a 4SQ access token. Then, it sends that token to the server, and the server will make 4SQ API calls using it. My question is about how to send this token.

My idea was to include the token in the HTTP Authentication request's header, but after reading about basic/digest authentication, I suspect it isn't the way of doing it. Actually, the calls to 4SQ API are done using a request parameter

oauth_token=ACCESS_TOKEN

instead of putting the token in Authentication header, or any other place. I'm sure there's a good reason for that, but I can't find it.

Then, which option is the best?

• Phone sends token to PHP server as request parameter, like 4SQ does
• Phone sends token to PHP server in Authentication header (which kind oh authentication is?)
• Any other way

Many thanks in advance, and best regards

Answer 1

I think the most secure and reasonable way would be a HTTPS POST. When the token is part of the query string in a HTTPS request, it is also encrypted. But it will appear clear text in the server log, or, when a browser is used, it could also appear in the browser history. Depending on the HTTP helper library, it could also log the HTTPS URL, when, for example, a request fails.

In my eyes, sending the token in the Authentication header would be strange, since it is not used for authentication between the server and the client.