Authorizations of an API:
Securing an API is really important. It involves Authorization and Authentication. These are important topics that support all security testing.
Authorization:
Usually, authorization is where you are given permission to access an account. The term is often used interchangeably with access control. In an API, this takes the form of determining whether you are authorized to use particular endpoints, or certain methods on an endpoint.
For instance, some users might not be allowed to use a certain endpoint at all, while in other cases a user may be allowed to use an endpoint to GET data, but not to DELETE or modify the data. There may also be cases where an API returns different information depending on the kind of user that you are. Therefore, authorization is an essential aspect of API security.
Authentication:
Authentication is about determining whether you really are that kind of user. Authentication is the act of validating that users are who they claim to be. This is the first step in any security process.
If a user enters the correct data, the system assumes the identity is valid and grants access.
Usernames and passwords are the most common authentication factors. Biometrics and one-time PINs are other examples of authentication factors.
Example:
For instance, if I log on to Facebook I need to authenticate to enter my account, by entering my username and password, but if I want to allow my friends to view my profile I need to authorize that.
If we take this back to the idea of API authorization and authentication, authentication involves putting in a password or providing a key that proves that you are who you say you are. Once you have done that, authorization determines which data you can see and interact with. Both pieces are crucial to a properly working security system.
Getting started with authorization in Postman:
Authorization is set directly on the Authorization tab of a request.
STEPS:
Navigate to a request through the Collections tab in the navigation panel.
Open the request by clicking on it and open the Authorization tab.
In the Type dropdown, specify the type of authorization that your API uses. If you click on that dropdown, you will see that there are a number of options available.
Authorization: 1. Inherit auth from parent:
When an API has authorization enabled, it is required for every endpoint in the API, so to access any request in the API the user has to specify auth options.
Postman enables this by allowing you to specify authorization at the folder or collection level.
By default, requests inside the collection or folder will inherit auth from the parent, i.e. it will use the same auth specified at the folder or collection level.
To change this for an individual request, make a different selection in the request Authorization tab.
Authorization: 2. No Auth:
Postman will not attempt to send authorization details with a request unless you specify an auth type.
If the request does not require authorization, select No Auth from the Authorization tab Type dropdown list.
Authorization: 4. Bearer Token:
Bearer tokens allow requests to authenticate using an access key, such as a JSON Web Token (JWT).
The token is a text string, included in the request header.
In the Authorization tab, select Bearer Token from the Type dropdown list.
In the Token field, enter your API key value or for added security, store it in a variable and reference the variable by name.
Go to the auth methods and select GET/Bearer.
In Postman, select a GET request and set the request's authorization type to Bearer Token.
The server expects a token to be sent.
Enter the token as “{{SDET16}}”.
Example:
We can see that the token is accepted and the response is “200 OK”.
Postman will append the token value to the text "Bearer " in the required format to the request Authorization header.
Under the Headers tab, the value is shown as Bearer {{SDET-16}}.
Authorization: 5. Basic Auth:
Basic authentication involves sending a verified username and password with your request.
In the request Authorization tab, select Basic Auth from the Type dropdown list.
Enter your API login details in the Username and Password fields. For additional security, store these in variables and reference the variables by name.
In the request Headers, you will see that the Authorization header is going to pass the API a Base64 encoded string representing username and password values, appended to the text "Basic " as follows:
Basic <Base64 encoded username and password>
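The Bearer Token and Basic Auth sections above describe the headers Postman constructs; the following added example (not from the page or from Postman) shows how those headers are built and how an API's server side would check them. The credentials, token and user names are constructed placeholders.

```python
import base64
import hmac
from typing import Optional

# Constructed sample credentials (hypothetical, not from the page). A real
# service would keep password hashes and token hashes, never plaintext.
VALID_BEARER_TOKENS = {"tok_demo_abc123": "alice"}
VALID_BASIC_USERS = {"alice": "s3cret-pw"}


def build_bearer_header(token: str) -> str:
    """Header Postman sends for Bearer Token: the text 'Bearer ' plus the token."""
    return "Bearer " + token


def build_basic_header(username: str, password: str) -> str:
    """Header Postman sends for Basic Auth: 'Basic ' plus Base64('user:pass').
    Base64 is an encoding, not encryption: anyone who captures this header
    can read the password, which is why Basic Auth needs TLS underneath."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Server-side check of an Authorization header; returns the user or None."""
    if not authorization:
        return None
    scheme, _, credential = authorization.partition(" ")
    scheme, credential = scheme.lower(), credential.strip()
    if scheme == "bearer":
        # Constant-time comparison so a wrong token does not leak how many
        # leading characters matched.
        for token, user in VALID_BEARER_TOKENS.items():
            if hmac.compare_digest(token.encode("utf-8"), credential.encode("utf-8")):
                return user
        return None
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credential, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        expected = VALID_BASIC_USERS.get(user)
        if not sep or expected is None:
            # Still compare something so unknown users take the same time as known ones.
            hmac.compare_digest(password.encode("utf-8"), b"no-such-user")
            return None
        return user if hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")) else None
    return None  # any other scheme (Digest, NTLM, ...) is rejected by this checker
```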
Authorization: 3. API Key:
Choose the API Key option (3rd option) from the Type dropdown.
An API key can be added to the Header or to the Query Params.
The API Key option has two entries, Key and Value.
Click on the Add to option, which will give you a drop-down choice between adding your API key to the Header or adding it to the Query Params.
A common Key value used is x-api-key.
The Value must also be specified. Here it is specified as Blogothon-1.
API Key sent through Header
Key : x-api-key and Value: Blogothon-1 are added to the Headers. You can view by clicking the Headers tab.
API Key sent through Query Params
Key : x-api-key and Value: Blogothon-1 are added to the Params. You can view them by clicking the Params tab.
Authorization: 10. AWS Signature:
A lot of cloud computing systems and resources (like AWS, Azure) can be interacted with via APIs, which need to be authorized.
Postman provides an AWS Signature authorization option to help with authorizing AWS APIs.
The AWS Signature option is just another way to specify an API key.
The AccessKey and the SecretKey are to be specified (similar to the Key and Value options of an API key).
AWS authorization has advanced options that let you set things such as the AWS Region, the Service Name, and the Session Token.
Using AWS Signature
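As an added illustration of what the AWS Signature option does with the AccessKey, SecretKey, Region and Service Name fields (example code, not Postman's or AWS's own implementation): the Signature Version 4 signing-key derivation and the resulting Authorization header. The canonical-request step that produces the string to sign is omitted; the key values are constructed placeholders.

```python
import hashlib
import hmac


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the SecretKey is folded through a chain of HMACs
    scoped to one day (YYYYMMDD), one Region and one Service name. The result
    is useless for any other scope, and the SecretKey itself never leaves the client."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def credential_scope(date_stamp: str, region: str, service: str) -> str:
    return f"{date_stamp}/{region}/{service}/aws4_request"


def sign(secret_key: str, date_stamp: str, region: str, service: str, string_to_sign: str) -> str:
    """Hex signature over the string to sign (SigV4 builds that string from a
    SHA-256 of the canonical request; that canonicalisation is not shown here)."""
    key = derive_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key: str, date_stamp: str, region: str, service: str,
                         signed_headers: str, signature: str) -> str:
    """The header the request carries: only the public AccessKey, the scope,
    the list of signed headers and the signature travel over the wire."""
    scope = credential_scope(date_stamp, region, service)
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


if __name__ == "__main__":
    # Constructed placeholder credentials, not real AWS keys.
    sig = sign("SECRET_KEY_PLACEHOLDER", "20150830", "us-east-1", "iam", "example string to sign")
    print(authorization_header("ACCESS_KEY_PLACEHOLDER", "20150830", "us-east-1", "iam",
                               "host;x-amz-date", sig))
```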
Using OAuth:
OAuth is primarily about the delegation of authorization. Consider an example of how it works: the first step is that you come into a hotel and give your credit card to the clerk while requesting access to a room.
Requesting a room
The clerk then swipes your credit card to determine that you have enough funds available. In this way, the clerk gets approval to issue you a room key and so they hand you a key card.
Giving you access
In the hotel scenario, you requested access to a hotel room and in this scenario, the game (or, more generically, the application), asks the authorization server for access to the data that it needs.
Token request
If you approve that access, the authorization server will then give the application a token that will give it access to the data it has requested access to:
Token granted
A hotel gives you a key card that will open your room for you. An authorization server gives the application a token that it can then use to access the data that it needs from the resource server.
Setting up OAuth 2.0 in Postman
1. Create a collection and name it imgur.
2. Create a request in that collection. Name it something like my account images and set the endpoint to https://api.imgur.com/3/account/me/images. This endpoint will give you a list of all the images that belong to your account.
3. Send the request and you will notice that you get back a 401 Unauthorized error.
4. In order to successfully call this endpoint, you will need to get an authorization token. To get this token with the Imgur API, you will need to use OAuth.
Register an application
Simply go to https://api.imgur.com/oauth2/addclient (ensuring that you are logged in) and fill out the information in the form.
Name the application something like My Postman Test Application and leave the authorization type option to use OAuth 2 with a callback URL.
We can use a dummy URL that Postman provides for this purpose: https://www.getpostman.com/oauth2/callback.
Type or paste this URL into the Authorization callback URL field and then add in your email and description if you want and click on the Submit button to create your Imgur application.
Getting an OAuth 2 access token
Go back to the request where you are trying to get all the images that belong to your account and go to the Authorization tab. On the Type dropdown, select the OAuth 2.0 option.
In order to use that functionality, click on the Get New Access Token button. This will give you a form with several fields to fill out:
Give the token a name. Postman will store the token for you so that you can use it in other requests if you want.
Ensure that the Grant Type option is set to Authorization Code.
The Callback URL needs to be exactly the same as the one the application will redirect to, so in this case https://www.getpostman.com/oauth2/callback.
Auth URL is the API endpoint that you call in order to ask the authorization server if you are allowed to get a token. When you call this URL, the user will be prompted to make sure they are OK with your application having access to their data. For the Imgur API, that endpoint is https://api.imgur.com/oauth2/authorize.
Once your application has received authorization to proceed, it gets a very short-lived key that it can exchange for a more permanent token. It does this with the Access Token URL. The Imgur API endpoint for this is https://api.imgur.com/oauth2/token.
In order to authorize your application, the authorization server needs to know what application it is being asked to authorize. This is where the Client ID and Client Secret fields come in. If you didn't copy them when you created your application, you can get them by going to imgur.com in your browser, clicking on your username, and then selecting Settings. On the settings page, choose the Applications option. You should now be able to see the Client ID for your application, and you can click on the generate a new secret option to get the Client Secret, as shown in the following figure.
Getting the Client ID and Client Secret from Imgur
The Scope field is used if the token should have limited abilities and State is an additional security measure that some APIs have. You don't need to worry about either of those with the Imgur API.
Settings for getting an OAuth 2.0 access token in Postman
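The Auth URL, Access Token URL, Callback URL, Client ID/Secret and State fields above map onto the three messages of the authorization code flow. The following added example (not from the page, Postman or Imgur) builds those messages and shows what the State field protects: the callback is only accepted if it carries the state this client issued. The client credentials and the authorization code are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from the walkthrough above (Imgur, plus the Postman dummy callback).
AUTH_URL = "https://api.imgur.com/oauth2/authorize"
TOKEN_URL = "https://api.imgur.com/oauth2/token"
CALLBACK_URL = "https://www.getpostman.com/oauth2/callback"


def new_state() -> str:
    """Unguessable per-attempt value; the client remembers it until the callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, state: str) -> str:
    """Step 1: send the user to the Auth URL so they can approve the application."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "state": state}
    return AUTH_URL + "?" + urlencode(params)


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Step 2: the server redirects back with a short-lived code. Accept it only
    if it landed on the registered callback and echoes the state we issued;
    this check is what stops a forged or replayed callback from being used."""
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CALLBACK_URL:
        raise ValueError("redirect did not land on the registered callback URL")
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: discarding this callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id: str, client_secret: str, code: str) -> dict:
    """Step 3: the form body POSTed to the Access Token URL to swap the code for
    a token. The Client Secret belongs only in this back-channel request."""
    return {"url": TOKEN_URL,
            "data": {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": CALLBACK_URL, "client_id": client_id,
                     "client_secret": client_secret}}
```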
Using Digest auth and Hawk Authentication
These are older authentication standards that few modern APIs use.
The Hawk authentication scheme is meant to solve similar problems to the OAuth 2.0 standard.
It is not used much, even though some APIs do use it.
Nowadays most APIs use OAuth 2.
Digest auth helps make using a username and password more secure if you are sending your data over an unencrypted connection.
Since most sites now use encrypted connections, it doesn't have much value in the modern API ecosystem.
Using NTLM Authentication
NTLM stands for New Technology LAN Manager, and it is a set of security protocols that Windows uses to authenticate users.
It can be used in APIs to allow user access to resources on the API based on their current windows login information.
As login credentials are used, one has to be careful about sharing collections or requests. Make sure to protect them carefully.
Using Akamai EdgeGrid
Akamai Technologies is a global cloud services company. They have a variety of services, many of which are supported by APIs. They have their own unique way of authenticating applications within their network and have created.
You can check out Akamai developer documentation for more details.
Done in a group (SDET16: SUBASHINI, SUKANYA, SRUJNA, AMUTHA, SUBATHRA)