Authentication and Authorisation

Introduction

So far, we have looked at creating APIs and at ways to secure them. Authentication and authorization are the two mechanisms that keep unauthorized users away from a web API.

Let’s understand these concepts better.

Authentication is the process of establishing who the user is. The most common example is a user logging in with a username and password; the server checks the password against what it holds on record. The credential can be a username and password, a token, a secret key, or even a biometric. In a REST API the credential travels inside the HTTP request itself.
The mechanics are not complicated. The request carries an Authorization header whose value names a scheme and the credentials in the form that scheme defines. With HTTP Basic, for example, the value is the string username:password encoded in Base64. Base64 is an encoding, not encryption, so anyone who can read the header can recover the password. When the request reaches the server, the server validates the credentials and either grants or denies access to the resource.

Authorization, on the other hand, is the decision whether an identified user is permitted to carry out a specific action. For example, a user may be allowed to read a document but not to edit it. As discussed above, getting access to a resource starts with presenting credentials, and that is authentication. Authorization therefore depends on authentication: the server must know who is asking before it can decide what they may do, and a failed authentication is answered with 401 while a failed authorization is answered with 403.
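The following is an added example, not code from the original page: a minimal server-side handler that first authenticates an HTTP Basic Authorization header and then authorizes the requested action. The user store, the password hashing parameters, the role names and the PERMISSIONS table are all constructed for the example. Passwords are stored only as salted PBKDF2 hashes, the hash comparison is constant-time, and an unknown username still pays the cost of a hash so timing does not reveal which accounts exist.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store for the example. Roles drive the authorization step.
_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": _hash_password("correct horse", _SALT), "roles": {"reader", "editor"}},
    "bob": {"salt": _SALT, "hash": _hash_password("battery staple", _SALT), "roles": {"reader"}},
}

# Hypothetical permission table: which roles may perform which action on a document.
PERMISSIONS = {
    "read": {"reader", "editor"},
    "edit": {"editor"},
}


def basic_header(username: str, password: str) -> str:
    """What a client sends: 'Basic ' + base64(username:password). Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authenticate(headers: dict) -> Optional[str]:
    """Authentication: return the username if the Authorization header carries valid Basic credentials."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _SALT)  # equalise timing for unknown users, then reject
        return None
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return None
    return username


def authorize(username: str, action: str) -> bool:
    """Authorization: may this already-authenticated user perform the action?"""
    return bool(USERS[username]["roles"] & PERMISSIONS.get(action, set()))


def handle(headers: dict, action: str) -> int:
    """HTTP status a server would return: 401 if authentication fails, 403 if authorization fails, else 200."""
    user = authenticate(headers)
    if user is None:
        return 401
    if not authorize(user, action):
        return 403
    return 200


if __name__ == "__main__":
    print(handle({"Authorization": basic_header("alice", "correct horse")}, "edit"))  # 200
    print(handle({"Authorization": basic_header("bob", "battery staple")}, "edit"))   # 403
    print(handle({"Authorization": basic_header("bob", "wrong")}, "read"))            # 401
```

Note the ordering: the 401/403 distinction only makes sense because identity is established before the permission check, which is the dependency the text describes.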

One of the main challenges with authentication is that the credentials themselves are transmitted between systems in a form that is not encrypted: a Basic header, an API key or a session token is readable by anyone on the network path. It is therefore imperative to carry them over Transport Layer Security (TLS; SSL is its deprecated predecessor and should no longer be enabled) whenever web applications exchange sensitive information. The situation is more critical still with third-party applications, where traffic may cross systems you do not control and can be intercepted and the credentials stolen.

A common variation on HTTP authentication is the API key. Here the server generates a long random string that uniquely identifies the calling application, and the client presents it on every request, either in an HTTP header, in the request payload, or as a query-string parameter. Keys placed in a query string end up in server logs, browser history and Referer headers, so a header is the safer choice. API keys add an identification layer for applications that consumers use directly, but they identify the application, not an individual end user.

API keys face the same challenge as Basic authentication: a key is a static bearer secret, so anyone who intercepts it can use it. And although a key uniquely identifies its holder, its simple design makes it a poor fit for layered authentication: it says which application is calling, not which user, so it usually has to be combined with a user-level mechanism.
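As an added example (not code from the original page), here is an API key lifecycle on the server side: issuing a key from a CSPRNG, storing only a SHA-256 digest of it so a leaked database does not hand out usable keys, extracting it from the header rather than the query string, verifying it in constant time, and revoking it. The key format ak_<prefix>_<secret>, the X-API-Key header name and the in-memory KEY_STORE are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory store: prefix -> record. Only the digest of the key is kept.
KEY_STORE: dict = {}


def issue_key(app_name: str) -> str:
    """Generate a key for an application. The plaintext is returned once and never stored."""
    prefix = secrets.token_hex(4)          # 8 hex chars: a lookup index, not a secret
    secret = secrets.token_urlsafe(32)     # 256 bits of randomness from the OS CSPRNG
    key = f"ak_{prefix}_{secret}"
    KEY_STORE[prefix] = {
        "digest": hashlib.sha256(key.encode("ascii")).digest(),
        "app": app_name,
        "active": True,
    }
    return key


def _split(key: str) -> Optional[tuple]:
    # The secret part may itself contain '_', so split at most twice.
    parts = key.split("_", 2)
    if len(parts) != 3 or parts[0] != "ak" or len(parts[1]) != 8:
        return None
    return parts[1], key


def extract_key(headers: dict, query: dict) -> Optional[str]:
    """Take the key from the X-API-Key header; fall back to the query string only for legacy clients."""
    return headers.get("X-API-Key") or query.get("api_key")


def verify_key(key: Optional[str]) -> Optional[str]:
    """Return the application name the key identifies, or None if it is unknown, revoked or forged."""
    if not key:
        return None
    parsed = _split(key)
    if parsed is None:
        return None
    prefix, full = parsed
    record = KEY_STORE.get(prefix)
    if record is None or not record["active"]:
        return None
    digest = hashlib.sha256(full.encode("ascii")).digest()
    # Constant-time comparison so a forged key cannot be matched byte by byte from timing.
    if not hmac.compare_digest(digest, record["digest"]):
        return None
    return record["app"]


def revoke_key(key: str) -> bool:
    """Mark a key inactive. Returns False if the key was never issued."""
    parsed = _split(key)
    record = KEY_STORE.get(parsed[0]) if parsed else None
    if record is None:
        return False
    record["active"] = False
    return True


if __name__ == "__main__":
    k = issue_key("mobile-app")
    print(verify_key(extract_key({"X-API-Key": k}, {})))  # mobile-app
    revoke_key(k)
    print(verify_key(k))  # None
```

The store holds a digest rather than the key because a key, like a password, is a credential: whoever reads the table must not be able to impersonate the client. Revocation is what makes a leaked key recoverable from; it is the one mitigation the key design itself offers against the interception problem described above.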

Another form of authentication for REST APIs is the hash-based message authentication code, HMAC. It is used when the integrity of the request payload matters most. HMAC is not encryption: the client and server share a single secret key (a symmetric key) and run a hash function such as SHA-256 over the payload together with that key, producing a fixed-size code. The code is attached to the message, typically in a header. The receiver recomputes it with the same key and compares the two; a match proves both that the sender holds the key and that the payload was not altered in transit. The payload itself is only authenticated, not made confidential, so TLS is still required if its contents are secret.

The HMAC approach carries operational overhead and can be daunting to manage: the key has to be generated, distributed to each party and rotated. It is most useful where there is direct control over both the client and the server applications exchanging the data. In mobile or web applications that cannot be controlled there is always the problem of where to store the secret key, since a key embedded in a distributed application can be extracted from it.
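To make the HMAC exchange described above concrete, here is an added example (not code from the original page) with both sides of it: the client signs the method, path, timestamp and a hash of the body with the shared key and attaches the result in a header; the server recomputes the code with the same key, rejects stale timestamps to limit replay, and compares in constant time. The canonical string layout, the X-Timestamp and X-Signature header names and the five-minute replay window are choices made for this example; the shared secret is constructed here rather than provisioned.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example; in practice provisioned out of band to exactly one client.
SHARED_SECRET = secrets.token_bytes(32)
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    # Hash the body so every field is fixed-size text, and join with newlines so
    # fields cannot be shifted into one another by an attacker.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode("utf-8")


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """Client side: compute the HMAC and return the headers to attach to the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes, headers: dict,
                   now: Optional[int] = None) -> bool:
    """Server side: recompute the HMAC over what was actually received and compare."""
    try:
        ts = int(headers["X-Timestamp"])
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale: an old captured request cannot be replayed indefinitely
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest, not ==, so a forger learns nothing from response timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    body = b'{"amount": 100}'
    hdrs = sign_request(SHARED_SECRET, "POST", "/transfer", body)
    print(verify_request(SHARED_SECRET, "POST", "/transfer", body, hdrs))               # True
    print(verify_request(SHARED_SECRET, "POST", "/transfer", b'{"amount": 1000}', hdrs))  # False
```

Because the signature covers the body hash, changing a single byte of the payload in transit invalidates it, which is the integrity property the text is after; because it also covers the path and method, a valid signature cannot be lifted onto a different endpoint. The timestamp window only bounds replay; within the window the server would also need to remember seen signatures or a per-request nonce to reject an exact duplicate.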