So far, we have looked at creating APIs and at ways to secure them. Authentication and authorization are the mechanisms that secure a web API and ensure that unauthorised users cannot reach it.
Let’s understand these concepts better.
What is Authentication in API Testing
Authentication is the process of identification of the user.
The most common example is a user logging in with a username and password, which the server checks to authenticate the user. Authentication can be done with a username and password, authentication tokens, secret keys or even biometrics.
Authentication in REST API
In the case of REST API, authentication takes place by using HTTP requests.
The process of authentication is not complicated. A REST request can carry a special header, the Authorization header.
This header carries information such as the username and password in the encoding defined by the authentication scheme. As soon as the request with the Authorization header reaches the server, the server validates the information and allows or denies access to the resource.
What is Authorization in API Testing
Authorization, on the other hand, is the decision whether a user is permitted to carry out a specific action or not.
For example, a user may have access to read a document but not be permitted to edit it. As discussed earlier, access to a resource requires presenting credentials, and that is done by authentication. Thus we can say that authorization and authentication are related: the server must first establish who the caller is before it can decide what the caller may do.
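The two steps described above, as an added example that is not part of the original article: a client builds an Authorization header in the Basic scheme (base64 of `username:password`, which is an encoding, not encryption), and the server first authenticates the caller and then authorizes the requested action. The user store, the fixed salt, the permission table and the resource name `document-42` are constructed for the demonstration; a real deployment would use a random salt per user.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed user store: only a PBKDF2 hash of each password is kept, never the
# plaintext, so a leaked store does not hand the attacker reusable credentials.
_SALT = b"constructed-fixed-salt-for-demo"  # demo only; use a random salt per user


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": _hash_password("correct horse battery staple"),
    "bob": _hash_password("hunter2"),
}

# Constructed permission table: alice may read and edit, bob may only read.
PERMISSIONS = {
    ("alice", "document-42"): {"read", "edit"},
    ("bob", "document-42"): {"read"},
}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Basic scheme is base64(username:password). Base64 is
    reversible, so this is only safe over TLS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(headers: dict) -> Optional[str]:
    """Server side: parse the Authorization header and return the verified
    username, or None when identity cannot be established."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(username)
    if expected is None:
        # Hash anyway so an unknown user costs the same time as a wrong
        # password; otherwise response time reveals which usernames exist.
        _hash_password(password)
        return None
    if not hmac.compare_digest(expected, _hash_password(password)):
        return None
    return username


def authorize(username: str, action: str, resource: str) -> bool:
    """Authorization: is this identified user allowed to do this action here?"""
    return action in PERMISSIONS.get((username, resource), set())


def handle_request(headers: dict, action: str, resource: str) -> int:
    """Return the HTTP status the server would send: 401 when the caller is
    not identified, 403 when identified but not permitted, 200 otherwise."""
    user = authenticate(headers)
    if user is None:
        return 401
    if not authorize(user, action, resource):
        return 403
    return 200


if __name__ == "__main__":
    hdr = {"Authorization": build_basic_header("bob", "hunter2")}
    print(handle_request(hdr, "read", "document-42"))  # bob may read
    print(handle_request(hdr, "edit", "document-42"))  # bob may not edit
```

The 401/403 split is the practical face of the distinction in the text: 401 means "I do not know who you are", 403 means "I know who you are and the answer is no".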
Challenges in implementing Authentication and Authorization in REST API
One of the main challenges with authentication is that the credentials are often transmitted between systems unencrypted.
Therefore it is imperative to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) when exchanging sensitive information between web-based applications. The situation is more critical with third-party applications, where traffic can be intercepted and information stolen.
- API Keys
One common variation of HTTP authentication is the use of API keys. In this approach, a machine-generated string serves as a unique credential that identifies the caller, alongside access tokens for the API. API keys can be transmitted in the payload, in HTTP headers or even in a query string. This adds a layer of security for web applications that are used directly by consumers.
API keys face the same challenge as basic authentication: attackers can intercept and steal the credential. Although the key uniquely identifies the caller, its simple design makes it hard to layer further authentication on top of it.
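An added example (not from the original article) of how a server can issue and check API keys arriving by either of the two common routes the text names, a header or a query string. The header name `X-API-Key`, the query parameter `api_key` and the client name are assumptions for the demonstration. Only a SHA-256 digest of each key is stored, so a copied key table cannot be replayed, and the lookup reports where the key arrived because a key in the URL also ends up in proxy and server access logs.

```python
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed key store: sha256(key) -> client name. The raw key is shown to the
# client once at issue time and never persisted on the server.
KEY_STORE: dict = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_api_key(client_name: str) -> str:
    """Generate a key with 32 bytes of entropy, record its hash, return the key."""
    key = secrets.token_urlsafe(32)
    KEY_STORE[_digest(key)] = client_name
    return key


def revoke_api_key(key: str) -> bool:
    """Remove a key; returns False if it was not (or no longer) valid."""
    return KEY_STORE.pop(_digest(key), None) is not None


def identify_client(headers: dict, url: str) -> Tuple[Optional[str], Optional[str]]:
    """Accept the key from the X-API-Key header (preferred) or, failing that,
    the api_key query parameter. Returns (client_name, location) so the caller
    can log or reject keys that travelled in the URL; (None, None) if invalid.
    Looking up the digest directly is safe: an attacker cannot choose which
    digest the dict compares against without already knowing a valid key."""
    key = headers.get("X-API-Key")
    location = "header"
    if not key:
        query = parse_qs(urlsplit(url).query)
        key = (query.get("api_key") or [None])[0]
        location = "query"
    if not key:
        return None, None
    client = KEY_STORE.get(_digest(key))
    return (client, location) if client else (None, None)


if __name__ == "__main__":
    k = issue_api_key("mobile-app")
    print(identify_client({"X-API-Key": k}, "https://api.example.test/v1/items"))
    print(identify_client({}, f"https://api.example.test/v1/items?api_key={k}"))
```

A server that accepts both locations should at least alert on the `query` case; keys in URLs are the usual way an otherwise well-protected key leaks into logs and browser history.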
- HMAC in REST API
There is yet another form of authentication for REST APIs, called hash-based message authentication code or HMAC. This form of authentication is most commonly used when the payload data of the REST API is of utmost importance.
HMAC uses a single key, also called a symmetric key, to compute a keyed hash over the REST API's data payload. The resulting unique code is attached to the message. The sender and the receiver share the key and use it to make sure the data within the payload has not been altered and came from a holder of the key.
The HMAC approach carries operational overhead and can be daunting to manage. It is most beneficial when there is direct control over both the client and the server applications involved in the exchange. For mobile or web applications that cannot be controlled, storing the keys securely will always be a challenge.
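The exchange described above, as an added example that is not part of the original article, with both sides shown: the client signs the request with the shared key and the server recomputes the code and compares it in constant time. The signature covers the method, path, a timestamp and a hash of the body, so changing any of them invalidates it, and the server rejects timestamps outside a window to limit replay of a captured request. The shared secret, the header names `X-Timestamp` and `X-Signature`, the 300-second window and the sample body are constructed for the demonstration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret, provisioned to client and server out of band.
SHARED_SECRET = b"constructed-shared-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300


def _canonical(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """String to sign: binds method, path, timestamp and body digest together
    so none of them can be swapped after signing."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_digest]).encode()


def sign_request(method: str, path: str, body: bytes,
                 secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> dict:
    """Client side: returns the headers to send alongside the body."""
    timestamp = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, _canonical(method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": timestamp, "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: dict,
                   secret: bytes = SHARED_SECRET, now: Optional[float] = None) -> bool:
    """Server side: reject stale timestamps, then recompute the MAC over the
    received request and compare in constant time."""
    timestamp = headers.get("X-Timestamp", "")
    signature = headers.get("X-Signature", "")
    if not timestamp.isdigit() or not signature:
        return False
    current = now if now is not None else time.time()
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = hmac.new(secret, _canonical(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    body = b'{"amount": 100, "to": "acct-7"}'  # constructed sample payload
    hdrs = sign_request("POST", "/v1/transfer", body)
    print(verify_request("POST", "/v1/transfer", body, hdrs))             # True
    print(verify_request("POST", "/v1/transfer", body + b" ", hdrs))      # False
```

The timestamp window bounds replay but does not eliminate it; a server that must refuse duplicates within the window additionally records seen signatures (or a client nonce) for that period.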
Conclusion
In a nutshell,
- Authentication is the process of identifying the user.
- Authorization is deciding whether a user is allowed to perform an action.
Authentication and authorization in REST APIs pose challenges such as credentials travelling unencrypted. We learnt about a few ways to tackle such challenges in this article.
To ensure a comprehensive counter to challenges, it is recommended to take support from experts and train your team to equip them to tackle security threats effectively. Explore training in API Testing from Uptut that lets you upskill your team with a curriculum matching your business needs.
Dive deeper into authentication with our next article on Open Authorization.