_edited_edited.png)
When I started learning about API testing, I frequently came across the terms authorization and authentication. Beyond a broad understanding of both these terms implying providing security for accessing the API, I couldn’t properly differentiate between the two. Both being surmised as ‘auth’ didn’t help matters much. A beautiful book by Dave Westerveld, recommended by one of my seniors, who is an expert in the field of API testing, helped clarify the difference between the two and made the concept a lot clearer.
The need for a strong layer of API security
The humongous world of the internet relies heavily on the intricate web of API services for seamless performance. But in the last few years, the application architecture has changed a lot. Traditionally, we used to open web applications on browsers and access the data. This data was accessed through the back-end server and once the user sent the request to the server, the resulting web page was sent to the client browser side for rendering. Modern-day applications have become more powerful. Besides desktops, they are widely used on mobile devices as well. We have a lot of financial apps, retail apps, healthcare apps, wellness apps, gaming apps and entertainment apps that provide real-time information to users. For example, the number of students enrolled in a particular course as of this moment, the number of steps I walked till now, my current heart rate, the current seating chart in a movie theatre, my current available account balance and so on and so forth. We do not need to sit on a desktop and open browsers to access these kinds of real-time data. Most of these modern applications use APIs to send and receive data from the back-end servers to the users of these applications. As APIs are being increasingly leveraged, they are also becoming more exposed and presenting a higher risk of data or security breaches. This makes API the focal point of a strong and systemic layer of security consisting of appropriate authentication and authorization measures.
Authorization and Authentication
Authorization is a way to determine which actions a user has been given permission to perform. When a person comes knocking at your door, you may recognize the person and allow her inside. In this case, you authenticated that the person is known to you and allowed her to come inside your home. However, you may not authorize that person to access every room in your house. The person is authorized to come into your living room but not into your study. Authorization is a further level of filtering the access rights given to a user. An employee may enter the office building using his key card, but he may not be authorized to access the research wing of his company using the same key card. In an API, this takes the form of determining whether someone is authorized to use certain endpoints or methods on those endpoints. For instance, a user may be authorized to send a GET request to a particular endpoint but not a PUT request to the same endpoint.
Authentication is determining whether you are really the user that you claim to be. For example, when a student puts in her username and password in her school account, the database identifies her as a bonafide student of the school and lets her access her student records. While activating your house alarm, when you key in the required passcode, the system recognizes you as an authentic user and activates the alarm. Practically we will look at how to use authorisation and authentication options in Postman, the widely used API testing tool.
How to use the Authorization option in Postman
There is an Authorization tab in Postman which can be used to send authorization details to the API. The following are the steps to do so:
Create a new request and save it.
Go to the Authorization tab in this request and click on it.
A dropdown occurs which shows multiple types of authorization options available to the user.
Types of Authorisation options in Postman
Here is a brief description of the various types of authorization options as shown in the Authorization tab of Postman:
Inherit auth from parent
In this case, Postman allows us to enter authorization options like username and password once and continue with testing the endpoints. This is of much value when the authorization feature itself is not being tested, instead, different requests like GET, PUT, and POST needs to be tested after providing the same authorization credentials. The username and password values can be updated in one spot and all the requests that use this option will receive the updated login values. When we want to use different login credentials for a different set of users, we can create user-specific folders inside the collections folder and specify folder-level authorization options.
Basic Auth option
The Basic Auth option implies that the API requires a set of usernames and passwords to access it. It is a simple form of authorization in Postman and is avoided in production-level testing where higher-level security is required. I have used this option in most of my learning with Postman to understand how API security works. It is quite user-friendly for that purpose. For instance, suppose an API requires basic authorization options for responding to any request. If you send a GET request without providing this information, you will receive a 401 Unauthorized code. If you enter the required details and send the request, you will get a status 200 ok response.
Using Bearer Tokens
Bearer token authentication is an HTTP authentication scheme that involves security tokens called bearer tokens. It implies ‘give access to the bearer of this token. They have an advantage over Basic Auth as they combine both authorization and authentication aspects within them. A bearer token can be generated using one’s GitHub account by going to Developer settings and generating a personal access token. From the dropdown in the Authorization tab, select the option of Bearer token and in its Headers description, Postman will show the authorization has a bearer token value. Bearer tokens belong to a class of authorization methods known as API Keys.
Using AWS signature
APIs are used to access a lot of cloud computing systems and services. Postman provides an AWS signature authorization option to help with authorizing AWS APIs. It is a type of specific API key where we enter the AccessKey and SecretKey. This data can be passed in Postman as a header or a query parameter.
OAuth option
OAuth, also known as OAuth 1.0, or Open Authorization is a standard that applications can use to provide client applications with secure designated access to certain defined areas. It works over HTTPS, APIs and applications with access tokens and not just credentials. For example, suppose you get a Gym membership with a basic plan. The designated person will process your credit card and give you your Gym keycard upon receipt of payment. Although you have the Gym key card, based on your plan you may not have access to the whole Gym area. Probably you can access the cardio and weights area but do not have access to the pool facility provided in the Gym. An OAuth option authenticates the user and then authorizes selective access rights to the user.
OAuth 2.0 option
OAuth 1 had several limitations to it so OAuth 2.0 was developed using similar kinds of flows but is quite different from OAuth. Almost all APIs that used OAuth now use OAuth 2.0 It is an authorization protocol that allows a user to approve one application to interact with another application on behalf of the user without the user having to give away his password. For instance, I can tell application A that it is ok for application B to access some of my data from application A without having to share my password with application B. OAuth 2.0 uses an Access Token which is a piece of data that represents the authorization to access resources on behalf of the end-user.
Digest Authentication
Digest Authentication sends data of username and password for a web browser over an unencrypted connection. A hash function is applied to the username and password. It uses HTTP protocol and reversible Base64 encoding. The system was used by some online banking systems. It is an older authentication standard that few modern APIs use.
Hawk authentication
This method uses partial HTTP request cryptographic verification, request URI, and host. In this method, the message authentication code (MAC) along with some metadata is used to make an HTTP request. To provide secure communication, this method makes use of time stamps. To sign the requests a client needs to retrieve a token id and a token key from the server. Although it is still used in some APIs, most new APIs use OAuth 2.0 instead.
NTLM Authentication
It is an authorization flow that is used in Windows operating system and for standalone applications. It is also known as Windows Challenge/Response. It allows users access to resources on an API based on their current Windows login information. We can choose this option from the authorization type dropdown menu and enter the Windows username and password.
Akami EdgeGrid Authentication
This is used as an authorization helper which is developed by Akamai technologies. To use this method, the user needs to enter the access token, client token and client secret. The company provides a variety of services, many of which are supported by APIs. Based on their method of authenticating applications within their network, they have created an authorization helper that can be used in Postman.
Summary
Of all the authentication methods discussed, OAuth 2.0 is the most widely used because of its ease of use, scalability, and security features. Basic authorization is also a considered choice, but it doesn’t make use of encryption. Most of the popular APIs today use OAuth 2.0 as an authorization protocol because of its multiple benefits.