We live in an era where digital data is becoming an increasingly valuable asset, and with that comes the need for privacy and security. Authorization and authentication are two essential security measures that enable us to protect our data and ensure that only authorized individuals have access to it. In this article, we’ll discuss why we need authorization and authentication, the different types of authorization and authentication methods, and how they are applied in the API Tester mobile application.
What is Authorization and Authentication?
Authorization and authentication are two distinct concepts in computer security.
Authorization is the process of deciding whether an already-identified individual or client is permitted to perform a given action on a system or resource. In an API, the server enforces authorization on every request: it checks the identity the request carries (the result of authentication) against the permissions granted to that identity before it reads or changes the data in question. If you are building an API, you choose the authorization model; if you are integrating a third-party API, the provider's documentation tells you which credentials and which permissions (scopes) each endpoint requires.
Authentication is the process of verifying that an individual or system is who it claims to be. The two work in order: authentication first establishes who the client is, then authorization decides what that client may do. For an API, the answer to "how does the server know who is calling?" is the credential the client attaches to each request, such as a password, an API key, a token or a signature; the server validates that credential before it evaluates permissions.
Types of Authorization and Authentication
Several authentication and authorization methods are in common use for APIs. The most common are:
1. OAuth access tokens are credentials that grant a client limited access to a user's data. The authorization server issues the token after the user has authenticated and consented, and the client presents it (usually in an Authorization: Bearer header) on each request to a protected resource. OAuth is more complex to implement than a shared secret, but it lets access be scoped and revoked without exposing the user's password, and it is supported by most public APIs.
2. An API key is a unique, opaque identifier that the client sends with each request so the server can recognize the calling application and decide what it may access. It is usually passed in a request header (for example X-API-Key); some APIs also accept it in the query string, but keys placed there end up in server logs, proxy logs and browser history, so the header is the safer choice. An API key identifies an application rather than a user and must be treated as a secret.
3. HTTP Basic authentication requires the client to send a username and password with each request, encoded in base64 in the Authorization header. It is simple to implement, but base64 is an encoding, not encryption: anyone who can observe the request can recover the password, so Basic authentication is only acceptable over HTTPS.
4. HMAC (hash-based message authentication code, RFC 2104) combines a shared secret key with a hash function such as SHA-256 to produce a tag over a message. The receiver, who holds the same key, recomputes the tag and compares it; a matching tag shows the message was not altered and was produced by someone who knows the key. HMAC is a symmetric construction, not a digital signature, and it does not encrypt anything. It is used for key derivation and record integrity in TLS, for packet integrity in IPsec, and in request-signing schemes such as AWS Signature Version 4, which applies HMAC-SHA256 to a canonical form of the HTTP request. MD5 and SHA-1 should not be used as the underlying hash in new designs.
5. User authentication with a username and password is the most basic form: the user proves identity with something they know. It protects web applications and online accounts and is usually the step that precedes issuing an API token or session. Passwords must be stored on the server only as salted hashes and, where possible, combined with a second factor.
6. OAuth 1.0 and 2.0 are protocols that let a client application access a user's data at a third-party API on the user's behalf. The user grants the client access without sharing their username and password: the client obtains an access token from the API's authorization server and then attaches that token to each request it makes. OAuth 2.0 is what virtually all current APIs implement.
7. The authorization code grant is the OAuth 2.0 flow for applications that have a user present. The client redirects the user's browser to the authorization server; after the user logs in and consents, the server redirects back to the client with a short-lived, single-use authorization code, which the client exchanges for an access token at the token endpoint. Confidential clients (server-side web apps) authenticate that exchange with a client secret. Public clients that cannot keep a secret, such as mobile and single-page apps, use the same grant with PKCE (RFC 7636): the client sends a hash of a random value with the initial request and the value itself at the exchange, so an attacker who intercepts the code cannot redeem it.
8. AWS Signature (currently Version 4) is how requests to Amazon Web Services APIs are authenticated. The client builds a canonical form of the request, signs it with HMAC-SHA256 using a key derived from its secret access key, and sends the signature together with its access key ID and a timestamp. AWS recomputes the signature to confirm that the request is unmodified and came from the holder of the secret, ties it to the calling identity for authorization and logging, and rejects requests whose timestamp is stale.
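The following is an added example, not code from the original article or from AWS, showing how HMAC (item 4) turns into a request-signing scheme of the kind described for AWS Signature (item 8). The derived-key chain, the canonical request and the Authorization header layout follow the Signature Version 4 pattern; the exact canonical string, the header set, the credential values (AWS's documentation placeholders) and the five-minute replay window are simplified assumptions, so this is not a drop-in SigV4 implementation.

```python
"""HMAC-SHA256 request signing and verification in the style of AWS Signature Version 4."""
import calendar
import hashlib
import hmac
import time

# Constructed demo credentials (AWS's documentation placeholders, not live keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "execute-api"
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive a per-day, per-region, per-service key. The long-term secret never signs
    a request directly, so a leaked signing key is narrowly scoped."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str, headers: dict, body: bytes) -> str:
    """One unambiguous text for the request: lower-case sorted header names, and the body
    represented by its SHA-256, so a change to any covered part changes the tag."""
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method.upper(), path, query, canon_headers,
                      ";".join(names), hashlib.sha256(body).hexdigest()])


def _signature(method, path, query, headers, body, amz_date):
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    creq_hash = hashlib.sha256(
        canonical_request(method, path, query, headers, body).encode()).hexdigest()
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, creq_hash])
    key = signing_key(SECRET_KEY, date, REGION, SERVICE)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), scope


def sign_request(method, path, query, headers, body: bytes, now=None) -> dict:
    """Client side: add x-amz-date and an Authorization header; returns the headers to send."""
    ts = int(time.time()) if now is None else now
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs["x-amz-date"] = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(ts))
    sig, scope = _signature(method, path, query, hdrs, body, hdrs["x-amz-date"])
    signed_headers = ";".join(sorted(hdrs))
    hdrs["authorization"] = (f"{ALGORITHM} Credential={ACCESS_KEY}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={sig}")
    return hdrs


def verify_request(method, path, query, headers, body: bytes, now=None, max_skew=300):
    """Server side: rebuild the signature from the received request and compare it in
    constant time. Returns (ok, reason)."""
    ts = int(time.time()) if now is None else now
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.pop("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False, "no signature"
    try:
        fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    except ValueError:
        return False, "malformed authorization header"
    cred = fields.get("Credential", "").split("/")
    if len(cred) != 5 or cred[0] != ACCESS_KEY:  # a real server looks the secret up by key id
        return False, "unknown access key"
    amz_date = hdrs.get("x-amz-date", "")
    try:
        sent = calendar.timegm(time.strptime(amz_date, "%Y%m%dT%H%M%SZ"))
    except ValueError:
        return False, "bad date"
    if abs(ts - sent) > max_skew:  # bounds how long a captured request can be replayed
        return False, "request too old"
    if cred[1] != amz_date[:8]:
        return False, "credential scope does not match date"
    signed_names = fields.get("SignedHeaders", "").split(";")
    if "x-amz-date" not in signed_names or any(n not in hdrs for n in signed_names):
        return False, "signed headers missing"
    covered = {n: hdrs[n] for n in signed_names}
    expected, _ = _signature(method, path, query, covered, body, amz_date)
    if not hmac.compare_digest(expected, fields.get("Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```

Changing the body, the method or a signed header after signing produces a different canonical request and therefore a signature mismatch, and a request presented outside the time window is refused even with a valid signature; that combination is what makes an HMAC signature a stronger credential than a static key that is simply copied into every request.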
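To make items 6 and 7 concrete, here is an added example, not code from the original article or from any OAuth library, that simulates the authorization code grant with PKCE for a public client in one process. The client id, redirect URI, scope name and 60-second code lifetime are illustrative assumptions; the verifier and challenge computation follows RFC 7636.

```python
"""OAuth 2.0 authorization code grant with PKCE (RFC 7636), both parties simulated in-process."""
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier of 43-128 unreserved characters (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(verifier))) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal simulation of the /authorize and /token endpoints. A real server also
    authenticates the user and shows a consent screen before issuing the code."""

    def __init__(self, code_ttl: int = 60):
        self._codes = {}  # code -> (client_id, redirect_uri, challenge, scope, expires_at)
        self._ttl = code_ttl

    def authorize(self, client_id, redirect_uri, code_challenge, scope, now):
        # Only S256 is accepted; the "plain" method would hand the verifier to anyone
        # who can read the authorization request.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge, scope, now + self._ttl)
        return code  # delivered to the client through the browser redirect

    def token(self, client_id, redirect_uri, code, code_verifier, now):
        entry = self._codes.pop(code, None)  # single use: a replayed code is rejected here
        if entry is None:
            return {"error": "invalid_grant", "reason": "unknown or already used code"}
        cid, ruri, challenge, scope, expires_at = entry
        if now > expires_at:
            return {"error": "invalid_grant", "reason": "code expired"}
        if cid != client_id or ruri != redirect_uri:
            return {"error": "invalid_grant", "reason": "client or redirect_uri mismatch"}
        # Proof of possession: only the party that generated the verifier can satisfy this.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant", "reason": "PKCE verifier does not match"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}


def demo_flow(now: int = 1700000000) -> dict:
    """A public client (no client secret) completes the grant; an attacker who captured
    only the authorization code cannot redeem it, and a code cannot be replayed."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "api-tester-mobile", "com.example.apitester:/oauth2redirect"
    results = {}

    verifier = make_code_verifier()
    code = srv.authorize(client_id, redirect_uri, code_challenge_s256(verifier), "read:user", now)
    results["legit"] = srv.token(client_id, redirect_uri, code, verifier, now + 1)
    results["replay"] = srv.token(client_id, redirect_uri, code, verifier, now + 2)

    verifier2 = make_code_verifier()
    code2 = srv.authorize(client_id, redirect_uri, code_challenge_s256(verifier2), "read:user", now)
    # The attacker saw code2 in the redirect (for example through a malicious app registered
    # for the same URI scheme) but never saw verifier2, so the best they can do is guess.
    results["stolen"] = srv.token(client_id, redirect_uri, code2, make_code_verifier(), now + 1)

    verifier3 = make_code_verifier()
    code3 = srv.authorize(client_id, redirect_uri, code_challenge_s256(verifier3), "read:user", now)
    results["expired"] = srv.token(client_id, redirect_uri, code3, verifier3, now + 120)
    return results
```

The point of PKCE is visible in the "stolen" case: the code alone is worthless without the verifier that only the legitimate client holds, which is what allows a mobile app to use the authorization code grant without a client secret.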
How Authorization and Authentication Work in the API Tester App
The API Tester mobile application is a free tool for testing and debugging APIs. It supports REST, GraphQL, WebSocket, SOAP and JSON-RPC as well as plain HTTP and HTTPS requests with JSON or XML payloads. You enter credentials in the Auth section of the request settings, and the app places them where the chosen method expects them, in a header or in the body. Variables and collections let you store a token once and reference it from many requests instead of pasting the secret into each one.
API Tester mobile app provides a secure environment for testing APIs and includes several authentication methods to help protect sensitive data: User Authentication, OAuth Access Token, API Key, HTTP Basic Authentication.
How to Test Authentication and Authorization Using the API Tester App
To demonstrate authentication, let's use the GitHub GraphQL API to fetch information about a user. It returns live data, so you can check the result against the account.
First, tap "Create new request" or the + button in the top right corner to start a GraphQL request.
The GraphQL option appears in the new tab under Other features. Tapping it takes you to the request screen.
On the next screen you see an untitled GraphQL request. Paste the API URL into the field that begins with https. In our case the URL is https://api.github.com/graphql.
The GitHub API requires authentication. In the Headers section, choose the OAuth option and paste your access token there; GitHub expects it in the Authorization header as a bearer token.
Here is how to generate a personal access token to use as the credential:
1) Log in to your GitHub account and open the "Settings" page.
2) In "Settings", click "Developer settings".
3) Under "Personal access tokens", click "Generate new token (classic)".
4) In the "Note" field, enter a name for the token (e.g. "API Tester demo") so you later remember what it is for.
5) Select the scope(s) for the token. Scopes determine what the token is allowed to access; grant only what the test needs, because the fewer scopes a token has, the less damage it can do if it leaks.
6) Click "Generate token".
7) Copy the token now. GitHub shows it only once; store it in a password manager or secret store rather than in a chat message or a source file.
That's it. You can now use the personal access token to authenticate to the GitHub API from the app or from the command line. Treat it like a password: it grants whatever its scopes allow to anyone who holds it, and you can revoke it from the same settings page if it is ever exposed.
Now go to the Body section and write a query for the data you want. For example, to get the id of a GitHub account, look it up by login (replace the login with your own), as in the body shown in the screenshot below:
{
  user(login: "mariamarshmallow") {
    login
    id
  }
}
If the token is valid, GitHub answers with a 200 response whose body contains the requested login and id. If the token is missing or invalid, the response is 401 Unauthorized. Note that GraphQL APIs report many problems inside a 200 response, in an errors array, so check the body as well as the status code. The scopes you granted the token are the authorization: they bound what this authenticated token may read or change, regardless of what the query asks for.
Basic Authentication
Basic authentication is part of HTTP itself (RFC 7617). When a client requests a protected resource without credentials, the server answers 401 Unauthorized with a WWW-Authenticate: Basic header naming the realm. The client repeats the request with an Authorization header containing username:password encoded in base64. The server decodes and checks the credentials and, if they are valid, returns the requested resource. Because base64 is reversible, the credentials are effectively in the clear on the wire, and they are re-sent on every request, so Basic authentication must only be used over HTTPS.
To test Basic authentication, let's use the Postman Echo service at https://postman-echo.com/basic-auth. It is a public endpoint that accepts the credentials documented by Postman: username postman, password password.
Open the API Tester app, create a new GET request, and paste the URL above.
Next, in the Auth section, enter that username and password.
Tap the blue play button and the response screen shows status 200 with a body reporting that the request was authenticated.
Without credentials, or with wrong ones, the response is 401 and the body reports that access is restricted.
This is how you test an API that uses Basic authentication with the API Tester mobile app.
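The exchange just described, as an added example that is not part of the original article: the client-side header construction, the server-side decode and check, and the 401 challenge. The user store is constructed for the demo (it holds the credentials Postman Echo documents for its endpoint) and a real server would keep salted password hashes rather than plaintext.

```python
"""HTTP Basic authentication: what the client sends and how a server should check it."""
import base64
import hmac

# Constructed demo store; a real server stores salted password hashes, never plaintext.
USERS = {"postman": "password"}


def basic_auth_header(username: str, password: str) -> str:
    """Client side (RFC 7617): the credential is base64(user:pass). Encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str):
    """Anyone holding the header recovers the password with one call; this is why TLS is
    mandatory. Returns (user, password) or None if the header is not well-formed Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def handle_request(headers: dict):
    """Server side: returns (status, response_headers, body) like the echo endpoint does."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = decode_basic(auth) if auth else None
    if creds is not None:
        user, password = creds
        # compare_digest keeps the comparison time independent of where the mismatch is.
        if user in USERS and hmac.compare_digest(password.encode(), USERS[user].encode()):
            return 200, {}, {"authenticated": True}
    # The challenge tells the client which scheme and realm to use. Do not reveal whether
    # the user name or the password was the wrong part.
    return 401, {"WWW-Authenticate": 'Basic realm="Users", charset="UTF-8"'}, {"error": "Unauthorized"}
```

Running decode_basic on the header the client produced shows the whole point of the "not very secure" warning: nothing about Basic authentication protects the password except the transport.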
API Key Authentication
API key authentication is a way for the server to recognize the calling application and decide which API resources it may access.
The client sends the key in a request header (commonly X-API-Key or Authorization) or, where the provider allows it, as a query parameter. The server looks the key up and, if it is valid and has not been revoked, serves the request with that application's permissions; an unknown key gets 401 and a known key without the needed permission gets 403.
Sign up with the API provider to receive a key. Add it to each request, preferably as a header. Send the request from the API Tester app; the server validates the key and returns either the data or an error.
Here is an example of how to use API key authentication in a GET request using the API Tester app.
Create a new GET request and enter the API URL in the request box (e.g. "https://api.thecatapi.com"). In the Query section, add the limit parameter and the API key parameter (e.g. "limit=10&api_key=YOUR_API_KEY"). Passing the key in the query string is convenient for a quick test, but for anything beyond that use the header the provider offers, so the key does not end up in logs and browser history.
Tap the "Play" button to send the request. If the key is valid, you receive a response with the requested information.
Keep your API key secret: anyone who has it can call the API as your application, and usage is billed or rate-limited against your account.
Use it only in trusted environments, never commit it to source control or paste it into shared screenshots, and rotate it if you suspect it has leaked.
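The server side of the API key section, as an added example that is not code from the original article or from any real API provider: keys are issued with a recognizable prefix, only their hash is stored, the key is read from the X-API-Key header with a query-string fallback, and a log line shows why the query-string placement leaks. The prefix, header name, scope names and URLs are illustrative assumptions.

```python
"""API keys: issue with a prefix, store only a hash, read from header or query, and observe
what a web server's access log records in each case."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

KEY_PREFIX = "live_"  # constructed convention; a fixed prefix helps secret scanners and redaction


class ApiKeyStore:
    """Keeps SHA-256 digests of keys, so a leaked database does not yield usable keys."""

    def __init__(self):
        self._by_hash = {}  # hex digest -> {"client": str, "scopes": set, "active": bool}

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, client: str, scopes) -> str:
        key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._by_hash[self._digest(key)] = {"client": client, "scopes": set(scopes), "active": True}
        return key  # shown to the client once, like the GitHub token above

    def revoke(self, key: str) -> None:
        rec = self._by_hash.get(self._digest(key))
        if rec is not None:
            rec["active"] = False

    def lookup(self, key: str):
        rec = self._by_hash.get(self._digest(key))
        return rec if rec is not None and rec["active"] else None


def extract_key(url: str, headers: dict):
    """Prefer the header; fall back to ?api_key= only because some APIs insist on it.
    Returns (key, where) or (None, None)."""
    for name, value in headers.items():
        if name.lower() == "x-api-key":
            return value, "header"
    qs = parse_qs(urlsplit(url).query)
    if qs.get("api_key"):
        return qs["api_key"][0], "query"
    return None, None


def authenticate(store: ApiKeyStore, url: str, headers: dict, required_scope: str):
    """Authentication: is this a live key we issued? Authorization: does its scope cover
    the request? Returns (status, body)."""
    key, where = extract_key(url, headers)
    if key is None:
        return 401, {"error": "missing api key"}
    rec = store.lookup(key)
    if rec is None:
        return 401, {"error": "invalid or revoked api key"}
    if required_scope not in rec["scopes"]:
        return 403, {"error": f"key lacks scope {required_scope}"}
    return 200, {"client": rec["client"], "key_via": where}


def access_log_line(method: str, url: str, status: int) -> str:
    """Common-log-style line as written by a web server or proxy: the full request target,
    including the query string, is recorded. Headers are not."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'"{method} {target} HTTP/1.1" {status}'
```

The two access_log_line calls in the checks below are the practical difference between the header and the query parameter: the same request authenticates either way, but only one of them leaves the key sitting in every log that sees the URL.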
Conclusion
Authorization and authentication are crucial security measures that allow us to protect our data and ensure that only authorized individuals have access to it. In this article, we discussed why we need authorization and authentication, the different types of authorization and authentication methods, and how they are applied in the API Tester mobile application. By implementing effective authorization and authentication measures, we can safeguard our data and prevent unauthorized access. It is important to regularly review and update our security measures to ensure that they remain effective and protect our data from potential threats.
Thanks for reading! I hope you found this article helpful. Feel free to leave any questions, comments, or suggestions.
Top comments (19)
We need authentication and authorization because human beings are lying, devious, thieving, dishonest c*nts. Infants, really, who can't be trusted. Ever.
And our refusal to embrace adulthood and maturity -- ever -- costs us trillions upon trillions of dollars every year and untold suffering, death, and destruction.
All because we just won't grow the f*ck up.
That's why we need authentication and authorization. Just think of how much easier and nicer everything would be if we just did the right thing. Ha, ha. But noooo.
Yes, unfortunately there are many dishonest people in the world. I'm not talking about real life yet, but on the Internet every second link is a scam.
I hope you never had any unpleasant situations related to this 🤗
I've never been scammed (I'm careful), but I started my career around the time things really started to take off: 1995. Spam was something you encountered on Usenet newsgroups. I thought it was dumb, but it didn't really bother me until my email inbox started filling up with hundreds or thousands of messages offering me penis-enlarging pills (or breast-enlarging), get-rich-quick schemes, herbal "remedies", etc.
Many of these early spam messages were incredibly vile and rude, and I was outraged that these sociopaths could so easily invade my inbox and ruin my email experience. Back then there was still some expectation that others would treat you with respect. You had to go looking for trouble. Now suddenly it came looking for you.
And then the Nigerian scams started and the phishing and all the rest. Until spam filters were invented, I often got so angry that I simply logged off and did something else until I cooled down. I spent at least a year really angry.
This was before GMail and even before Hotmail was popular. Hell, it was before Google. But it was a horrible experience and it really destroyed my opinion of humanity (which wasn't that high to begin with). The worst part is that all of this could have been solved easily by making spam illegal, and then tracking down and imprisoning repeat offenders. They always leave a trail.
But a lot of people were making money off of spam (and still do) -- not just the spammers but those who hired them -- and off the traffic, and off anti-spam products, etc., so there was little impetus to fix the problem. As always, the real problem is not the small number of evildoers, but the huge number of those who simply go along, look the other way, or try to profit off of it.
I still get regular spam that gets by the filters -- and how many potentially important emails have I missed because they went to the spam bin? Have I lost job opportunities? Romance opportunities? Things that might have changed my life for the better?
And we haven't even touched on viruses, Trojan horses, blackmail, extortion, porn and revenge porn, etc.
Oh, and, of course, the global surveillance state...
You wrote a whole post heh 😛
I think this is the same global problem along with bloated code that I reviewed on my blog earlier. It would be great if we raise such topics more often.
You bring up a really important field of practice for all IT professionals: security. Authorization and authentication are security tools that the Internet depends on. And it's our job, as developers, to understand how to best utilize all of this. Thank you for your article, as well as the clean graphics.
Thank you Bret! 🥰 I hope someone will be more careful now 🛡
Cool article, thanks
🤗🌈
Very informative post!
Thanks 🥰
This is a very important topic, in the modern world we all need to think about digital security first.
Thank you ❤️
It's a really important thing 🤔
Really informative content, it helps me understand the core principles of authorization and authentication, thank you!
Thank you Kevin, my pleasure 🥰
This is quite an interesting article. Auth is an important step to prevent security issues, thanks for the reminder.
Glad you liked it, take care of yourself ⚔️
Thanks for sharing the article,
Even in web API testing using Postman, we indeed use the same concepts/types of Authorization and Authentication!
I'm glad to help, thank you for your interest!💖