APIs are meant to be interacted with programmatically and it allows all kinds of powerful interactions. Security is important at every level of applications but APIs are one of the most important places to apply it. In this blog we can see some strategies that make API’s more secure using POSTMAN. Postman is the tool that allows APIs to work with more authorization options making it more secure.
Understanding API security
Before we get into the different ways to authorize an API using POSTMAN, we should know the two important terminologies.
Authorization
Authentication
Authorization
Authorization is how we determine which things you have been given permission (are authorized) to do. Authorization is a very important aspect of API security. Just because an API requires a username and password to use it, does not necessarily mean that it is well secured. After authenticating we should check on the permission or access levels that the specified user is an authorized user to access the correct set of resources.
Authentication
Authentication is about determining whether you really are that kind of user. In other words, are you who you say you are. We need to have some way to verify that the user is an authenticated user.
API security in postman
By knowing the difference between the terms Authorization and Authentication, we will go through here the different options that Postman uses to promote the API security. Postman combines both the concepts and uses as one terminology called “Authorization". This is what all about this blog “Authorization Options”.
Getting started with authorization in Postman
Authorization details can be set directly on the Authorization tab of a request. In order to do that, do the following:
1. Navigate to a request through the Collections tab in the navigation panel.
2. Open the request by clicking on it and you will see an Authorization tab.
3. Click on that and you will see a dropdown where you can specify the type of authorization that your API uses. If you click on that dropdown, you will see that there are a number of options available.
As you can see in the following screenshot, Postman has many authorization options:
Inherit auth from parent:
This is the powerful authorization method, also easier method to handle API.If the API is an authorized enabled one then we need to authorize at each endpoint of the API.If a collection has set of requests, then each time, we need to auth for every request we access. Instead of specifying individually at each request level we can specify the login information in one place at collection level rather than repeating it for each request. Then for any number of requests we can choose inherit auth from parent as option. To change this for an individual request, make a different selection in the request Authorization tab.
No auth:
Postman won't send authorization details with a request unless you specify an auth type. If your request doesn't require authorization, select No Auth from the Authorization tab Type dropdown list.
Basic Auth:
Basic Auth is probably the simplest form of API authorization. It works in a similar way to how you log into a website. With basic auth you simply need to provide a username and password. In order to use basic auth in Postman you will of course need an API that supports this type of authentication as well as a username and password that will give you access to the API. In the request Headers, the Authorization header passes the API a Base64 encoded string representing your username and password values, appended to the text Basic as follows:
Bearer Tokens:
Bearer tokens are a common way to set up API authorization. They contain both authentication and authorization within them. We can use GitHub account to understand the bearer tokens authorization option:
1. If you have a GitHub account, log into it.
2. Under Settings, go to Developer settings.
3. In there, you can choose the personal access tokens option. Here, you can select scopes for this token. The scopes allow you to control what things the user of this token can do and then generate a token.
In order to use a token like this in Postman, you just need to select the Bearer Token option from the Type dropdown, and then type or paste in your token. If you look at the Headers tab for that request, you will see that Postman has added an Authorization header for you. You can also see that the value for this token starts with Bearer, which lets the server know that you are using an API token to authorize your request.
API key:
API keys can be used in a variety of different ways for authorization purpose. With API key auth, you send a key-value pair to the API either in the request headers or query parameters.
• Go to the Authorization tab of a request in Postman.
• Choose the API Key option from the Type dropdown. You will be presented with a few options.
• Click on the Add to option, which will give you a drop-down choice between adding your API key to the Header or adding it to the Query Param.
Postman will append the relevant information to your request Header or the URL query string.
AWS Signature:
Cloud computing is emerging and most of the companies using cloud services.A lot of cloud computing systems and resources can be interacted via APIs, which need to be authorized. Postman provides an AWS Signature authorization option to help with authorizing AWS APIs.AWS Signature option is just another way to specify an API key.You specify the Access Key and the Secret Key, which are a lot like the key and the value for the API keys option. You can also specify whether the data gets passed in as a header or a query.You can optionally set advanced fields, but Postman will autogenerate these if necessary.
The AWS Signature parameters are as follows:
AWS Region - The region receiving the request (defaults to us-east-1).
Service Name - The service receiving the request.
Session Token - Required only when using temporary security credentials.
OAuth:
The first thing to know about OAuth authorization is primarily about the delegation of that authorization. What does that mean? Well, imagine that you are checking into a hotel. In order to get into one of the rooms, you go to the front desk and request access to a room. The clerk verifies that you can have access to that room, perhaps by swiping your credit card, and then hands you a key card that you can use to get into that room.
Now instead of imagining yourself trying to get access to a room, imagine you want to play a game that needs access to some of your user data from Facebook. In the hotel scenario, you requested access to a hotel room and in this scenario, the game (or, more generically, the application), asks the authorization server for access to the data that it needs.
In an OAuth workflow, the authorization server will prompt the user to see if the application should be allowed to have the access it wants. If you approve that access, the authorization server will then give the application a token that will give it access to the data it has requested access to.
A hotel gives you a key card that will open your room for you. An authorization server gives the application a token that it can be then used to access the data that it needs from the resource server.
Though OAuth work flow looks complex it has few benefits as well. It allows a third-party application to access some of your data without that application needing to be trusted with your password. Many of the big tech companies, such as Twitter, Facebook, and Google, allow you to use your accounts with them to log into other applications. OAuth isn't simple to use, but it is supported by Postman and is a powerful and common authorization option.
Setting up OAuth 2.0 in Postman:
The workflow described previously is an OAuth 2 workflow. There are several slightly different flows that can be used with OAuth depending on what kind of application it is. The exact steps that you will need to use will vary a bit from application to application.
Lets understand the flow of Setting up OAuth 2.0 using the following link https:// imgur.com/
• Before working with the postman tool, create signup for the account in the above link.
• Create a new collection named imgur
• Then create a get request in the postman tool using endpoint
• Send the request and you will notice that you get back a 401 Unauthorized error.
• In order to successfully call this endpoint, we need to get an authorization token.
• To get this token with the Imgur API, we need to use OAuth.
• Before you can set up an OAuth login, we need an application for it to log into.
• Let's take a look at how to register an application.
Register an application:
Imgur makes it quite easy to create an application. Simply go to
https://api.imgur. com/oauth2/addclient.Login and fill out the information in the form.
The callback URL is the spot users of the application you are creating will be redirected to if they successfully authorize. In this case, we don't have an actual callback URL that we want to redirect users to, but we can use a dummy URL that Postman provides for this purpose:
https://www.getpostman.com/oauth2/callback. Type or paste this URL into the Authorization callback URL field and then add in your email and description if you want and click on the Submit button to create your Imgur application.At this point, you may want to copy the client ID and secret as we will use them later. Make sure to keep them somewhere safe though.
Getting an OAuth 2 access token:
• Let’s go back to the postman tool where we are working on the request to get the images from our account from the endpoint. Create a get request using the following endpoint
• Select type OAuth 2.0 under authorization type drop down.
• Now remember the OAuth workflow.
• First application needs to go to authorization server for a token
• Authorization server verifies the user and sends the token to the callback URL.
• Postman does these steps automatically in the background.
• Then click on Get New Access Token button.
You can then click on Use Token to tell Postman to add the access token to the appropriate field.
Now, if you send your request again, you should get back information about all the images that are associated with your account. If you just created your account, you might not have any images associated with your account, but you should still get back an empty list and the call should return a 200 OK status code.
As we discussed earlier though implementing OAuth 2.0 looks complicated, postman does offer help in getting the access token. Each API going to be different but still we have all the needed details in the API documentation, still we need to figure out the client id and secret. Once you have all that information, we should be able to set up an access token in Postman.
OAuth 1.0:
Let’s see something about OAuth 1.0. Almost all APIs that use OAuth now use OAuth 2.0. Though OAuth 1.0 has same ideas, groundwork for workflow as same as OAuth 2.0, it has several limitations so it’s not used much anymore. If we want to test API’s which uses OAuth 1.0, postman still supports this version so we can do it using postman tool. This documentation helps us to get started with it.
(https://learning.postman.com/ docs/sending-requests/authorization/#oauth-10).
Digest auth and Hawk authentication:
Postman provides authorization options for setting up Digest and Hawk auth. These are older authentication standards that few modern APIs use. The Hawk authentication scheme is meant to solve similar problems to the OAuth 2.0 standard, still it did not get popular. Most new APIs will use OAuth 2.0 instead. Digest authentication uses secure kind of username and password if you're sending your data over an unencrypted connection. Still, it has its downfall and don’t have more value in modern API’s which use encrypted connection. These two are not commonly used but still it is in postman for historical reason than anything else.
NTLM authentication:
Windows Challenge/Response (NTLM) is the authorization flow for the Windows operating system and for standalone systems.
In the Authorization tab for a request, select NTLM Authentication from the Type dropdown list.
Enter your Username and Password for NTLM access (use variables to avoid entering the values directly). You can optionally specify advanced parameters, but Postman will attempt to autocomplete these if necessary. By default, your request will run a second time after extracting data received from the first. You can turn off this behavior by checking the checkbox.
Advanced parameters for NTLM auth are as follows:
Domain - The domain or host to authenticate against.
Workstation - The hostname of the PC.
Akamai EdgeGrid:
Akamai EdgeGrid is an authorization helper developed and used by Akamai.
1. In the Authorization tab for a request, select Akamai EdgeGrid from the Type dropdown list.
2. Enter your Access Token, Client Token, and Client Secret, using variables for additional security—you will receive these details when you register a client application with Akamai.
When the required details are complete in the Authorization tab for your request, Postman will add them to the Headers.
if you need more information, you can check out the Akamai developer, (https://developer.akamai.com/legacy/introduction// Prov_Creds.html).
Conclusion:
Security is a complex and important topic and understanding how to work with it is an important part of API testing. Postman has a lot of different authorization options. You may not have needed to carefully study each of them, but hopefully whichever option your API uses, you will be able to get started with it.We now have an idea about all authorization options.You also now understand how OAuth workflows work and how you can use them in Postman. Knowing how to log into an API so that you can make the calls you want is important, but don't forget that APIs are one of the most common places that attackers target when they are trying to break into a system.