Understanding Authentication vs Authorization
Security is a very critical component for APIs. New security issues and vulnerabilities are always being discovered, and it’s important to protect the APIs from attacks. A security breach can lead to loss of critical data as well as revenue. To ensure an application is secure, there are many things engineers tend to do.
This includes input validation, using the Secure Sockets Layer (SSL) protocol everywhere, validating content types, maintaining audit logs, and protecting against cross-site request forgery (CSRF) and cross-site scripting (XSS).
All of these are important for any web application and authentication and authorization are two foundation elements of security.
What exactly authentication and authorization are?
Authentication is the process of verifying who you are. Web applications usually accomplish this by asking you to log in with a username and password.
This combination is used to checked against an existing valid username/password record to ensure the request is authentic.
Authorization is the process of verifying what you are permitted to do and what you are trying to do.
For instance, a web application might allow you to view a page but, it might not allow you to edit that page unless you are an administrator. That’s an authorization.
As you design an API, you need to think about how app developers will perform both authentication and authorization with your API.
In the early days, API providers started supporting Basic Authentication. It’s the simplest technique used to access control on the web. The clients send HTTP requests with an Authorization header which consists of the word “Basic” followed by a space and a string generated by combining username and password with a colon (user name: password) and encoding it with base64; for example Authorization: Basic dXNlcjpwYXGHGHGHNzd29yZA==
Although Basic Authentication is simple, it offers less security. If you use Basic Authentication for your API, to use a third-party developer’s application, your users might need to share their username and password credentials with them.
That has several disadvantages of using the basic authentication:
- Applications are required to store these credentials in clear text or in a way that they can decrypt them. If an application exposed the credentials via a bug or other means, that might leak private user data to a hacker. Considering many people use the same password across multiple services, the data loss impact on users could be serious.
- Users cannot revoke access to a single application without revoking access to all the applications by changing the password.
- Applications get full access to user accounts. Users cannot limit access to selected resources.
Therefore, it’s very important to secure your APIs and understand which solution will work best for your customers, which will help you meet your business goals.
