4 Most Used REST API Authentication Methods
26 July 2019 on RestCase, REST API Security, REST API, OAS, API Driven Development

While there are as many proprietary authentication methods as there are systems that use them, they are largely variations of a few major approaches. In this post, I will go over the four most used in the REST API and microservices world.

Authentication vs Authorization

Before I dive into this, let's define what authentication actually is, and more importantly, what it's not. As much as authentication drives the modern internet, the topic is often conflated with a closely related term: authorization. The two functions are often tied together in single solutions, but the easiest way to divide authorization and authentication is to ask: what do they actually state or prove about me?

Authentication is when an entity proves an identity. In other words, authentication proves that you are who you say you are. This is like having a driver's license, issued by a trusted authority, that a requester such as a police officer can use as evidence that you are in fact who you say you are.

Authorization is an entirely different concept: in simple terms, authorization is when an entity proves a right to access. In other words, authorization proves you have the right to make a request. An API might authenticate you but not authorize you to make a certain request.

Authentication: refers to proving correct identity
Authorization: refers to allowing a certain action

Consider the following: you have a working key card that allows you to open only some doors in the work area, but not all of them. The card proves who you are; the list of doors it opens is what you are authorized to do.

Now that we know what authentication is, let's see which authentication methods are most used in REST APIs. Let's review the four most used authentication methods today.

HTTP Authentication Schemes (Basic & Bearer)

The HTTP protocol itself defines a number of authentication schemes. We will go over the two most popular ones used today when discussing REST APIs.

Basic Authentication

This is the most straightforward and easiest method. With this method, the client places username:password into the Authorization request header, encoded with Base64. Base64 is an encoding, not encryption: it maps arbitrary bytes onto a 64-character alphabet so the credentials fit in an HTTP header, and anyone who captures the header can decode them again. HTTP Basic Authentication is therefore rarely recommended due to its inherent security weaknesses: it must only be used over HTTPS (TLS), and it sends the password itself on every request. On the other hand, this method does not require cookies, session IDs, login pages, or other such specialty solutions, and because it uses the HTTP header itself, there is no need for handshakes or other complex response systems.

Here's an example of Basic Auth in a request header (the value decodes to lol:secure):

    Authorization: Basic bG9sOnNlY3VyZQ==

Bearer Authentication

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token": whoever presents the token is granted access to the resource or URL it covers, with no further proof of identity. The token is most likely an opaque string, usually generated by the server in response to a login request. The client must send this token in the Authorization header, using the Bearer scheme (Authorization: Bearer followed by the token), when making requests to protected resources.

The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750 but is sometimes also used on its own. Like Basic authentication, Bearer authentication should only be used over HTTPS (TLS): anyone who captures the token can replay it until it expires or is revoked.

API Keys

API keys were created as somewhat of a fix to the early authentication issues of HTTP Basic Authentication and other such systems. In REST API security, API keys are widely used in the industry and have become something of a standard; however, this method should not be considered a strong security measure on its own. In this method, a unique generated value is assigned to each first-time user, signifying that the user is known. When the user attempts to re-enter the system, their unique key (sometimes generated from their hardware combination and IP data, and other times randomly generated by the server that knows them) is used to prove that they are the same user as before.
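As an added example (not code from the original post), here is a Python round trip for the Basic scheme described above: the client builds the header, and the server decodes and verifies it. The in-memory user store, the PBKDF2 verifier and the function names are this example's own assumptions; the credential lol:secure is the one behind the header shown in the article.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed credential store for this example (a real service keeps this in a
# database). The user "lol" / password "secure" mirrors the article's header.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

_SALT = secrets.token_bytes(16)
USERS = {"lol": (_SALT, _hash_password("secure", _SALT))}


def make_basic_header(username: str, password: str) -> str:
    """Build the header value a client sends (RFC 7617: base64("user:pass"))."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str):
    """Return (username, password) from an Authorization header, or None if malformed.

    Base64 is reversible: this is exactly what anyone who captures the header
    over plain HTTP can do, which is why Basic must only travel over TLS.
    """
    scheme, _, blob = value.strip().partition(" ")
    blob = blob.strip()
    if scheme.lower() != "basic" or not blob:
        return None
    # Tolerate missing '=' padding (a common copy/paste error), then decode strictly.
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain ':'.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header_value: str) -> bool:
    """Server-side check against the stored PBKDF2 verifier, in constant time."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, _SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


if __name__ == "__main__":
    print(parse_basic_header("Basic bG9sOnNlY3VyZQ=="))           # ('lol', 'secure')
    print(authenticate_basic(make_basic_header("lol", "secure")))  # True
    print(authenticate_basic(make_basic_header("lol", "wrong")))   # False
```

Two details matter in practice: the server must split on the first colon only, because RFC 7617 allows colons in the password, and it must compare against a salted, slow hash in constant time rather than against the plaintext the header carries.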
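One mechanism serves both the bearer-token section and the API-key section above: a server-generated opaque secret, stored only as a hash and looked up on every request. As an added example that is not part of the original post, the Python below mints a short-lived bearer token after login, validates an Authorization: Bearer header against it, and assigns a long-lived key to a first-time client that identifies the same client on its return. The CredentialStore class, the demo flow, the subject names and the lifetimes are constructed assumptions.

```python
import hashlib
import secrets
import time

# Added example (not the article's code): an in-memory store of server-issued
# opaque secrets. The same mechanism backs a short-lived bearer token handed out
# after login and a long-lived API key assigned to a first-time user; only the
# lifetime differs. Class, function and subject names are this example's own.


def _digest(secret: str) -> bytes:
    # Keep only a hash of the secret: a copy of the table is useless to an
    # attacker who does not already hold the secret itself.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class CredentialStore:
    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for deterministic tests
        self._records = {}                     # sha256(secret) -> (subject, expires_at)

    def issue(self, subject: str, ttl_seconds=None) -> str:
        """Mint a fresh random secret for `subject`; it is returned exactly once."""
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy, URL-safe alphabet
        expires = None if ttl_seconds is None else self._clock() + ttl_seconds
        self._records[_digest(secret)] = (subject, expires)
        return secret

    def lookup(self, presented: str):
        """Return the subject that owns `presented`, or None if unknown or expired."""
        # A plain dict lookup keyed by the hash is acceptable: any timing leak would
        # only reveal whether the *hash* matched, which already requires the secret.
        record = self._records.get(_digest(presented))
        if record is None:
            return None
        subject, expires = record
        if expires is not None and self._clock() >= expires:
            return None
        return subject

    def revoke(self, presented: str) -> bool:
        """Forget a secret; returns True if it was known."""
        return self._records.pop(_digest(presented), None) is not None


# RFC 6750 token68 alphabet: anything else means a malformed header.
_TOKEN68 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~+/=")


def authenticate_bearer(store: CredentialStore, header_value: str):
    """Validate an `Authorization: Bearer <token>` header against the store."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or any(c not in _TOKEN68 for c in token):
        return None
    return store.lookup(token)


def demo():
    """login -> bearer token -> expiry, then first-time API key -> return visit."""
    now = [1_000_000.0]                        # constructed clock, in seconds
    store = CredentialStore(clock=lambda: now[0])

    # 1. The user has just authenticated (e.g. with Basic auth over TLS); the
    #    server answers with a token valid for 15 minutes.
    token = store.issue("alice", ttl_seconds=900)
    # 2. The client presents it on a protected request.
    accepted = authenticate_bearer(store, f"Bearer {token}")
    # 3. Sixteen minutes later the same token is refused.
    now[0] += 960
    expired = authenticate_bearer(store, f"Bearer {token}")

    # 4. A first-time API consumer is assigned a key with no expiry. A year later
    #    the same key still proves it is the same client...
    api_key = store.issue("svc-billing")
    now[0] += 365 * 86_400
    returning = store.lookup(api_key)
    # 5. ...until it is revoked, which is the only way to shut out a leaked key.
    store.revoke(api_key)
    after_revoke = store.lookup(api_key)
    return accepted, expired, returning, after_revoke


if __name__ == "__main__":
    print(demo())   # ('alice', None, 'svc-billing', None)
```

The contrast in step 4 is the weakness the article points at: a bearer token bought with a fresh login can be given a short lifetime, whereas an API key is a static credential whose only safety net is hashed storage and prompt revocation, and, like the token, it is only as private as the TLS connection that carries it.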