In this blog I will talk about the different types of API authentication, how each of them works, and how to set them up in API testing tools such as SoapUI or Postman.
API Authentication
API authentication is the process of verifying the identity of a user, client, or system that is requesting access to an API. This is important to ensure that sensitive data is protected and only accessed by authorized entities.
There are several methods for API authentication, including API keys, OAuth, and JSON Web Tokens (JWT).
Each method has its own strengths and weaknesses, and the best method for a particular use case depends on the requirements and security concerns of the API and its users. It's important to choose a secure and reliable API authentication method to protect the API and its data.
Types of API Authentication
Below are the most commonly used API authentication mechanisms; let's talk about each of them in detail.
HTTP Basic Authentication
The simplest way of securing a REST API.
With this method the client sends its credentials as username:password, Base64-encoded, in the Authorization request header, and this header is usually sent with every request.
Base64 is an encoding, not encryption: anyone who can read the header can decode it and recover the password. So although this method is the simplest, it is also the most exposed.
HTTPS/TLS is therefore mandatory with Basic authentication, since threat actors can intercept traffic on an unprotected channel and steal the credentials outright.
HTTP Basic authentication works as shown below.
Sample request (the header value is the Base64 encoding of username:password, not the password on its own) -
GET /employee/department HTTP/1.1
Host: example.com
Authorization: Basic <base64(username:password)>
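To make the "easily reversible" point concrete, here is an added Python example (not code from the original post) that builds the Basic header exactly as a client would, decodes it the way any observer of the header can, and shows the one thing a server should do differently: compare the recovered credentials in constant time. The credentials "Aladdin" / "open sesame" are the RFC 7617 example; all function names are my own.

```python
import base64
import hmac


def build_basic_header(username: str, password: str) -> str:
    """Client side: Authorization value for HTTP Basic (RFC 7617).
    The credential is just Base64("user:pass"); nothing is encrypted."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value: str) -> tuple:
    """Undo the encoding. Anyone who sees the header (a proxy, a log file,
    a sniffer on plain HTTP) can run exactly this and read the password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = raw.partition(":")  # password itself may contain ':'
    if not sep:
        raise ValueError("malformed Basic credential: missing ':'")
    return username, password


def verify_basic(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server side. Both comparisons run in constant time and are combined with
    '&' rather than 'and', so response timing does not reveal which field was wrong."""
    try:
        user, password = parse_basic_header(header_value)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return bool(user_ok & pass_ok)


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "open sesame")
    print(header)                       # what goes on the wire
    print(parse_basic_header(header))   # what anyone who sees it recovers
```

In a real service the expected password would of course not be held in clear text either; the point of `verify_basic` is only the constant-time comparison, and that the decoding step needs no secret at all.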
API Key
This method authenticates the caller with a unique key: the client is identified simply by including the key in the request.
The user logs in to the application and generates a unique API key.
The API key is passed to the API service as part of each request. On receiving a call, the API service looks the key up in its key records and serves (or declines) the request accordingly.
For APIs that only need read access this is an easy way to handle authentication, but HTTPS (TLS) must still be used so that the key is encrypted in transit.
The major drawback is that an API key is a long-lived static secret: if it is exposed to an unauthorized user it can be replayed until it is rotated or revoked. Keys should therefore be stored hashed on the server, rotated regularly, and never committed to source code or written to logs.
The API key authentication process works as shown below.
Sample request (the key is shown in the Bearer form here; many services use a custom header such as X-API-Key instead) -
GET /employee/department HTTP/1.1
Host: example.com
Authorization: Bearer <api key>
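The server side of the key lookup described above, as an added Python example rather than anything from the original post. It assumes the "keyid.secret" key layout, the in-memory `KEY_RECORDS` store and the `/employee/department` handler name, all of which are constructed for this example. It shows the two mitigations for the "exposed key" drawback: the store holds only a hash of the secret part, and a leaked key can be revoked.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory key store for this example (a real service would use a
# database). Only a SHA-256 hash of the secret part is stored, so a leaked table
# does not hand out usable keys. A fast hash is fine here because the secret is
# 256 bits of randomness, not a human-chosen password.
KEY_RECORDS: dict = {}


def issue_api_key(owner: str) -> str:
    """Called after the user has logged in: mint 'keyid.secret' and record its hash."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)
    KEY_RECORDS[key_id] = {
        "hash": hashlib.sha256(secret.encode("utf-8")).hexdigest(),
        "owner": owner,
        "revoked": False,
    }
    return f"{key_id}.{secret}"


def revoke_api_key(api_key: str) -> None:
    """A leaked key is only harmful until it is revoked; make that a one-liner."""
    key_id = api_key.partition(".")[0]
    if key_id in KEY_RECORDS:
        KEY_RECORDS[key_id]["revoked"] = True


def extract_api_key(headers: dict) -> Optional[str]:
    """Pull the key out of the 'Authorization: Bearer <api key>' header form."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return None


def validate_api_key(api_key: Optional[str]) -> Optional[str]:
    """Look the key up in the records; return the owner, or None to decline."""
    if not api_key or "." not in api_key:
        return None
    key_id, _, secret = api_key.partition(".")
    record = KEY_RECORDS.get(key_id)
    if record is None or record["revoked"]:
        return None
    presented = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    # constant-time compare: no timing side channel on the stored hash
    if not hmac.compare_digest(presented, record["hash"]):
        return None
    return record["owner"]


def handle_request(headers: dict) -> tuple:
    """Hypothetical handler for GET /employee/department."""
    owner = validate_api_key(extract_api_key(headers))
    if owner is None:
        return 401, "Unauthorized"
    return 200, f"department listing for {owner}"


if __name__ == "__main__":
    key = issue_api_key("alice")
    print(handle_request({"Authorization": f"Bearer {key}"}))
    revoke_api_key(key)
    print(handle_request({"Authorization": f"Bearer {key}"}))
```

The key id prefix exists so that the lookup is a direct dictionary (or indexed column) fetch and the constant-time comparison only ever runs against one record; it also gives you a handle to revoke or rotate a key without knowing its secret.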
JSON Web Token (JWT)
JWT is a compact, signed format for exchanging claims between the requestor and the provider.
A JWT looks like a long opaque string, but it is simply three Base64url-encoded parts (header, payload, signature) separated by dots. The signature, computed with the algorithm named in the header, for example HS256 (HMAC-SHA256) or RS256 (RSA-SHA256), lets the receiver detect tampering; it does not hide the payload, which anyone holding the token can decode without a key. Only a JWT wrapped as JWE is actually encrypted, so sensitive data should not be placed in a plain signed token.
JWT combines authentication and authorization: the issuer puts user and application-level claims into a single signed token, and those claims govern what the token holder can and cannot do. The receiver must verify the signature with the expected algorithm and key, and check claims such as exp, before trusting anything in the token.
An API key usually provides only application-level identity, giving every caller of that application the same access, whereas a JWT carries user-level identity and permissions.
The flow of authorization between the end user, client application, JWT issuer, and resource server is as described in the following figure.
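An added Python example, not code from the original post, that implements HS256 minting and verification with only the standard library so that the structure of the token is visible. It demonstrates the two points above: `peek_claims` reads the payload with no key at all, and `verify_jwt` pins the algorithm, checks the signature in constant time and rejects expired tokens. The key `DEMO_KEY` and the claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; in production this comes from a secret store.
DEMO_KEY = b"constructed-demo-hs256-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def peek_claims(token: str) -> dict:
    """What anyone holding the token can read, with no key at all: the payload
    is Base64url-encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Resource-server side. Raise ValueError unless the token is well formed,
    signed with the expected algorithm and key, and not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose it (alg=none, key confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, key, now)
        return True
    except (ValueError, UnicodeDecodeError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    tok = mint_jwt({"sub": "alice", "role": "reader", "exp": 2000000000}, DEMO_KEY)
    print(tok)
    print(peek_claims(tok))            # readable by anyone, no key needed
    print(is_valid(tok, DEMO_KEY))     # True only with the issuer's key
```

The `now` parameter is there so expiry can be tested deterministically; in production leave it at the default. Note that a forged token minted with a guessed key still "peeks" fine, which is exactly why every consumer must verify before reading.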
OAuth 2.0
OAuth is an authorization protocol that enables limited access to private resources without sharing passwords.
OAuth (Open Authorization) uses token-based authorization.
It is widely deployed and, when implemented correctly, secure; it can also be used to allow one web service to access protected resources stored with another service.
OAuth works by delegating authentication to an authorization server that hosts the user account. After the user authenticates and consents, the authorization server issues an access token to the client application, which then presents that token to the resource server to access protected routes.
OAuth Roles - OAuth defines four roles as below
Client - the application that wants to act on the resources on behalf of the resource owner. A website that consumes data from web APIs is a good example.
Resource Owner - the owner of the private resource, typically the end user, who can grant access to it.
Authorization Server - authenticates the resource owner and issues access tokens to clients.
Resource Server - hosts the protected resources and accepts access tokens.
OAuth Grant Type - A grant is the way a client obtains authorization to access a resource or a set of resources on the resource owner's behalf. OAuth 2.0 (RFC 6749) defines the authorization code, implicit, resource owner password credentials and client credentials grants, plus an extension mechanism for others; current best practice no longer recommends the implicit and password grants, and public clients should use the authorization code grant with PKCE.
The flow of authorization between the end user, client application, and resource server is as described in the following figure.
Here is a more detailed explanation of the steps :
The client application asks the resource owner (the end user) for authorization to access their resources.
If the user approves, the client receives an authorization grant (for example an authorization code) on behalf of the resource owner.
The client requests an access token from the authorization server by presenting the authorization grant together with its own client credentials.
If the client's identity is authenticated and the authorization grant is valid, the authorization server issues an access token to the client.
The client requests the resource from the resource server and presents the access token, usually as Authorization: Bearer <token>.
If the access token is valid and its scope covers the request, the resource server returns the requested resource.
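The six steps above as one runnable exchange, added here as a Python example that is not part of the original post. Both sides are simulated in memory: an `AuthorizationServer` that issues single-use codes and opaque bearer tokens, and a `ResourceServer` that validates a presented token and enforces scope. The client id, secret, redirect URI, user name and scope string are all constructed for the example; the introspection call stands in for however a real resource server validates tokens.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """Hosts the user accounts, issues single-use codes and bearer tokens."""

    def __init__(self) -> None:
        self.clients: dict = {}
        self.codes: dict = {}
        self.tokens: dict = {}

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  resource_owner: str, consent: bool) -> dict:
        """Steps 1-2: the resource owner has authenticated here and is asked to
        consent; on approval the server redirects back with a short-lived code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return {"error": "invalid_request"}  # never redirect to an unregistered URI
        if not consent:
            return {"error": "access_denied"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "sub": resource_owner, "expires": time.time() + 60}
        return {"code": code}

    def token(self, client_id: str, client_secret: str, grant_type: str,
              code: str, redirect_uri: str) -> dict:
        """Steps 3-4: the client authenticates itself and trades the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or time.time() > grant["expires"]):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["sub"], "scope": grant["scope"],
                                     "client_id": client_id, "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, access_token: str) -> dict:
        """Lets the resource server ask whether an opaque token is live (RFC 7662 style)."""
        info = self.tokens.get(access_token)
        if info is None or time.time() > info["expires"]:
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    """Hosts /employee/department and accepts bearer tokens from the AS above."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self.auth_server = auth_server

    def get_department(self, headers: dict) -> tuple:
        """Steps 5-6: validate the presented token, then enforce its scope."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token.strip():
            return 401, {"error": "invalid_token"}
        info = self.auth_server.introspect(token.strip())
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if "employee.read" not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"department": "engineering", "user": info["sub"]}


def run_flow(consent: bool = True, scope: str = "employee.read") -> dict:
    """Drive one end-to-end exchange with a constructed client and user."""
    auth = AuthorizationServer()
    auth.register_client("hr-dashboard", "client-secret-123", "https://hr.example/cb")
    api = ResourceServer(auth)
    # 1-2: user 'alice' logs in at the authorization server and (maybe) consents
    redirect = auth.authorize("hr-dashboard", "https://hr.example/cb", scope, "alice", consent)
    if "code" not in redirect:
        return {"status": None, "error": redirect["error"]}
    # 3-4: the client redeems the code with its own credentials
    tok = auth.token("hr-dashboard", "client-secret-123", "authorization_code",
                     redirect["code"], "https://hr.example/cb")
    # 5-6: the client calls the API with the bearer token
    status, body = api.get_department({"Authorization": "Bearer " + tok["access_token"]})
    # replaying the already-used code must fail
    replay = auth.token("hr-dashboard", "client-secret-123", "authorization_code",
                        redirect["code"], "https://hr.example/cb")
    return {"status": status, "body": body, "replay_error": replay.get("error")}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(consent=False))
```

Two behaviours worth noticing when you trace it: the user's password never reaches the client, only the authorization server sees it, and the authorization code is consumed on first use so that a code leaked from the redirect cannot be replayed. A real deployment would add PKCE and a state parameter on the authorize step; both are omitted here to keep the six steps visible.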