The most common authentication methods used to secure REST APIs are:
- Basic authentication: This is the simplest form of authentication and uses a username and password to authenticate users. The username and password are encoded in Base64 and sent in the HTTP header.
- API keys: API keys are secret tokens that are used to authenticate users or applications. API keys are typically longer and more complex than passwords, making them more secure.
- OAuth 2.0: OAuth 2.0 is an authorization framework that allows third-party applications to access protected resources on behalf of a user. OAuth 2.0 is more complex than basic authentication and API keys, but it is also more secure.
- JSON Web Tokens (JWTs): JWTs are a type of token that can be used to authenticate users or applications. JWTs are typically signed or encrypted, making them more secure than basic authentication and API keys.
The best authentication method for a REST API depends on the specific needs of the application. Basic authentication is a good option for simple APIs that do not require a high level of security. API keys are a good option for APIs that need to be more secure. OAuth 2.0 is a good option for APIs that need to be very secure and allow third-party applications to access protected resources. JWTs are a good option for APIs that need to be very secure and portable.
Ultimately, the best way to secure a REST API is to use a combination of authentication methods. For example, you could use basic authentication for simple requests and OAuth 2.0 for more complex requests. By using a combination of authentication methods, you can improve the security of your REST API and protect your data from unauthorized access.
Difference between authentication and authorization
- Authentication: the process of verifying the identity of a user or service. This is typically done by requiring the user to provide something they know (a password), something they have (a security token) or something they are (a fingerprint).
- Authorization: the process of determining what resources a user or service is allowed to access. This is typically done by assigning permissions to users or groups of users.
Basic authentication
Basic authentication is a simple authentication scheme that is built into the HTTP protocol. The client sends HTTP requests with an Authorization header that contains the word Basic followed by a space and the base64-encoded username:password string.
Example
GET /index.html HTTP/1.1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
The base64-encoded username:password string is decoded by the server, and the username and password are compared to the credentials stored in the server's database. If the username and password match, the server grants the client access to the requested resources.
Steps of authentication
- The client sends a request to the server.
- The server challenges the client for authentication.
- The client sends the username and password in base64 encoding.
- The server decodes the username and password and compares them to the credentials stored in the database.
- If the username and password match, the server grants the client access to the requested resources.
- If the username and password do not match, the server denies the client access to the requested resource.
Basic authentication is a simple and easy-to-implement authentication scheme. However, it is not very secure: the username and password are sent in clear text over the network, since Base64 is a reversible encoding, not encryption. This makes it possible for attackers to intercept the credentials and gain unauthorized access to the system.
To improve the security of basic authentication, use a secure transport protocol such as HTTPS (HTTP over TLS) to encrypt the username and password before they are sent over the network.
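As an added example (not code from the original article), here is how a server can process the Authorization header shown above, in Python. It parses the header value, decodes the Base64 string, splits on the first colon only (a password may itself contain colons), and compares the password against a salted PBKDF2 hash rather than a stored plaintext, using a constant-time comparison. The user store, the static salt and the realm name are constructed for the demonstration; a real store uses a random salt per user. The same decode step is what makes the scheme weak without TLS: anyone who captures the header recovers the credentials.

```python
import base64
import binascii
import hashlib
import hmac


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores this, never the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store for the demo: username -> (salt, password hash).
# A static salt is used here only to keep the example short.
DEMO_SALT = b"constructed-static-salt"
USER_STORE = {
    "admin": (DEMO_SALT, hash_password("password", DEMO_SALT)),
}
CHALLENGE = 'WWW-Authenticate: Basic realm="api"'  # assumed realm name


def parse_basic_header(header_value: str):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    parts = header_value.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: split on the first colon only; everything after it is the password
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def check_credentials(username: str, password: str) -> bool:
    """Compare against the stored hash in constant time; unknown users still cost one hash."""
    record = USER_STORE.get(username)
    if record is None:
        hash_password(password, DEMO_SALT)  # equalise timing for unknown usernames
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate(headers: dict):
    """Return (status, detail) the server would answer with for the given request headers."""
    value = headers.get("Authorization")
    if value is None:
        return 401, CHALLENGE  # step 2: challenge the client
    creds = parse_basic_header(value)
    if creds is None:
        return 400, "malformed Authorization header"
    if check_credentials(*creds):
        return 200, "OK"
    return 401, CHALLENGE


if __name__ == "__main__":
    # The header from the article decodes to admin:password, so this is accepted.
    print(authenticate({"Authorization": "Basic YWRtaW46cGFzc3dvcmQ="}))
    # What an eavesdropper on plain HTTP sees after one base64 decode:
    print(parse_basic_header("Basic YWRtaW46cGFzc3dvcmQ="))
```

The `validate=True` flag on `b64decode` rejects garbage instead of silently dropping characters, and the missing-user branch still runs one hash so that valid and invalid usernames cannot be told apart by response time.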
OAuth 2.0
OAuth (Open Authorization) is an open standard authorization framework for token-based authorization on the internet. OAuth, which is pronounced “oh-auth”, enables an end user's account information to be used by third-party services, such as Facebook and Google, without exposing the user's account credentials to the third party. It acts as an intermediary on behalf of the end user, providing the third-party service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called an authorization flow.
Steps of authentication
- The client (web application) requests authorization from the resource owner (user). The client redirects the resource owner to the authorization server (for example, Google) with the client ID, redirect URI, and scope of authorization being requested.
- The authorization server authenticates the resource owner and asks them to grant or deny the client's request. If the resource owner grants the request, the authorization server redirects the resource owner back to the client with an authorization code.
- The client exchanges the authorization code for an access token from the authorization server. The client sends the authorization code to the authorization server along with its client ID and secret. The authorization server verifies the client's credentials and issues an access token.
- The client uses the access token to access the resource server. The client sends the access token to the resource server along with its request. The resource server verifies the access token and grants the client access to the requested resource.
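The four steps above, played out end to end as an added Python example that is not part of the original article. All three parties are toy in-process classes; the client ID, client secret, redirect URI and endpoint URL are constructed values, and the resource server checks tokens by looking them up in the same authorization-server instance (an assumption made to keep the example self-contained). Beyond the steps listed, it shows the checks that make the code flow safe in practice: the redirect URI must match the registration, the `state` value must round-trip unchanged, and an authorization code can be redeemed only once.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data shared by the client and the authorization server.
CLIENT_ID = "demo-web-app"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://app.example/callback"
AUTHZ_ENDPOINT = "https://auth.example/authorize"


def query_dict(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Toy authorization server: issues one-time codes, then access tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}   # code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}  # access_token -> (user, scope, expires_at)

    def authorize(self, url: str, user: str, consent: bool) -> str:
        """Step 2: the user has logged in; record their decision and redirect back with a code."""
        q = query_dict(url)
        _, registered_uri = self.clients[q["client_id"]]
        # The redirect URI must match the registration exactly, or the code could go elsewhere.
        if q["redirect_uri"] != registered_uri:
            raise ValueError("redirect_uri mismatch")
        if not consent:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"], user)
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Step 3: verify the client's credentials, then trade the one-time code for a token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[3], entry[2], time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": entry[2]}

    def introspect(self, token: str):
        """Lets the resource server look up a presented token (shares this server's state)."""
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1]}


class ResourceServer:
    def __init__(self, authz: AuthorizationServer):
        self.authz = authz

    def get_profile(self, authorization_header: str):
        """Step 4: verify the bearer token and enforce the scope the user actually granted."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.authz.introspect(token) if scheme == "Bearer" else None
        if info is None:
            return 401, None
        if "profile" not in info["scope"].split():
            return 403, None
        return 200, {"user": info["user"]}


class Client:
    def __init__(self, authz: AuthorizationServer):
        self.authz = authz
        self.pending_state = None

    def start(self, scope: str = "profile") -> str:
        """Step 1: build the redirect with client_id, redirect_uri, scope and a fresh state value."""
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": scope, "state": self.pending_state})

    def callback(self, redirect_url: str) -> dict:
        """Handle the redirect back: state must match what we sent, then exchange the code."""
        q = query_dict(redirect_url)
        if not hmac.compare_digest(q.get("state", ""), self.pending_state or ""):
            raise PermissionError("state mismatch")
        if "error" in q:
            raise PermissionError(q["error"])
        return self.authz.token(q["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)


def run_flow(consent: bool = True):
    """Drive all four steps and return the resource server's (status, body)."""
    authz = AuthorizationServer()
    client = Client(authz)
    resource = ResourceServer(authz)
    redirect = authz.authorize(client.start(), user="alice", consent=consent)
    access = client.callback(redirect)
    return resource.get_profile("Bearer " + access["access_token"])
```

Calling `run_flow()` returns `(200, {"user": "alice"})`; with `consent=False` the callback raises `access_denied`, and replaying the same redirect a second time fails with `invalid_grant` because the code was consumed on first use.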
JWT
JWT or JSON Web Token, is an open standard used to share security information between two parties — a client and server. Each JWT contains encoded JSON objects, including a set of claims. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.
Steps of authentication
- The client sends username/password to the server by POST method.
- The server checks the username/password and, if they are valid, creates an encrypted token, which only the server can read and understand.
- The server sends the token back to the client in the response. The client saves this token in local storage or in some variable.
- With each further request, the client sends this token in a header.
- The server examines and validates this token, gets the required information from it, such as the user ID, and responds to the user appropriately if it is valid. The token may also contain an expiry date/time, so after a certain time the server may choose to refuse to serve the client.
Notes:
- The server takes into account various fields (also known as “claims”) such as “iss” (token issuer) and “sub” (subject of the token); the full list of registered claim names is in the JWT specification, RFC 7519.
- We can add custom fields such as user-id, which can be used later while validating the token.
Summary
Authentication is the process of verifying the identity of a user or service. This article gave a beginner-friendly overview of the types of authentication used for REST APIs, describing how basic authentication, OAuth 2.0 and JWT work.
Resources