DEV Community

Cover image for Why Do We Need Authorization and Authentication? 🔑
Maria 🍦 Marshmallow
Maria 🍦 Marshmallow

Posted on • Updated on

Why Do We Need Authorization and Authentication? 🔑

We live in an era where digital data is becoming an increasingly valuable asset, and with that comes the need for privacy and security. Authorization and authentication are two essential security measures that enable us to protect our data and ensure that only authorized individuals have access to it. In this article, we’ll discuss why we need authorization and authentication, the different types of authorization and authentication methods, and how they are applied in the API Tester mobile application.

What is Authorization and Authentication?

Authorization and authentication are two distinct concepts in computer security.

Authorization is the process of determining whether an individual has permission to access a system or resource. API authorization guarantees that client requests have secure access to data. This may entail verifying the identity of the request's originator and that they are authorised to view or alter the pertinent data. There are many different auth models available if you're constructing an API. If you're integrating a third-party API, the API provider will outline the necessary authorization.

Authentication involves verifying the identity of an individual or system to ensure that they are who they claim to be. Authorization and authentication work together to provide a secure environment for protecting data, ensuring that only authorized individuals can access it. A question occurs: How can servers identify who can access what they claim to be? Authentication is used as a stamp for clients to gain access to server resources through API.

Types of Authorization and Authentication

There are several types of authorization and authentication methods that can be used to protect data. The most common types are:

1. OAuth Access Token are used to authorize requests for limited access to a user’s data. The access token is issued to the user after they have authenticated with the service and is used to access protected resources. OAuth can be more complex to implement, but it provides a higher level of security and is widely supported by APIs.

2. API Key is a unique identifier that is used to authorize requests to an API. It is typically used to protect sensitive data and prevent unauthorized access. When performing API requests, a client must supply an API key as a token. The query string can contain the key.

3. HTTP Basic Authentication. This type of authentication is used to protect web applications and web services. It requires users to provide a username and password to access the application. It is simple to implement, but it is not very secure because the credentials are sent in plain text.

4. HMAC: Hash-based Message Authentication Code is a digital signature method made to reuse message digest algorithms like SHA-1 and MD5, as well as to offer a reliable data integrity protocol mechanism. HMAC has been chosen as a required security implementation for the internet protocol, or IP, since it is used to encrypt plain text securely in the Secure Socket Layer protocol and SSL certificate.

5. User Authentication. This is the most basic form of authentication, where users must provide a username and password to access a system or resource. This type of authentication is typically used to protect web applications, online accounts, and other sensitive data.

6. OAuth 1.0 and 2.0 is a way for a client application to access data from a third-party API, such as a service provider, on behalf of a user. This allows the user to grant the client application access to their data without having to share their login credentials, such as their username and password. To do this, the client application first needs to obtain an access token from the API. This access token is then used to authenticate future requests made by the client application to the API.

7. Authorization code grant type is used when the client application cannot securely store the client secret, or when the authorization code will be exchanged for an access token on a different device or system than the one that originally made the request.

8. AWS Signature is a way of authenticating requests made to Amazon Web Services (AWS) APIs. It is used to ensure that requests made to AWS APIs are authorized and authenticated and that the request can be traced back to the user who made it.

How Authorization and Authentication Work in the API Tester App

The API Tester mobile application is an easy-to-use free tool for testing and debugging APIs. It supports any type of API including REST, GraphQL, WebSocket, SOAP, JSON RPC, XML, HTTP, HTTPS. You can enter Auth details in the request setting tab. The data in the API that is required for Auth, can be in the header and body. The API tester can automatically detect and respond back with the chosen type of method. Variables and collections are used to determine Auth with safety and security.

API Tester mobile app provides a secure environment for testing APIs and includes several authentication methods to help protect sensitive data: User Authentication, OAuth Access Token, API Key, HTTP Basic Authentication.

How to Test Authentication and Authorization using API Tester App.

For the explanation of Authentication, let’s use the GitHub API to get users’ information. It provides us with real-time data.

First, you need to click on “Create new request” or the the + button in the top right corner to start a Graph QL request.

Image description

You can easily see the Graph QL option in the new tab under Other features. Clicking on it will take you to further options.

Image description

On the next screen, you can see an untitled GraphQL request. You need to provide the API URL and paste it into the section starting with HTTPS. In our case, this URL will be used: https://api.github.com/graphql.

Image description

The Github API requires authentication. In the Headers sections, you can see the OAuth option, so you need to provide the access token here.

Image description

Let me show you how to generate an Authentication token, just follow these steps:

1) Log in to your GitHub account and go to the "Settings" page.

Image description

2) On the "Settings" page, click on the "Developer Settings" tab.

Image description

3) Under the "Personal access tokens" section, click on generate new token (classic).

4) In the "Note" field, enter a name for your token (e.g., "My token"). This will help you remember what the token is for.

Image description

5) Select the scope(s) for your token. The scope determines what the token is allowed to access. You can select one or more of the available options, depending on your needs.
6) Click on the "Generate token" button to create the token.
7) Copy the token to your clipboard. It will not be shown again, so make sure to save it in a secure location.

Image description

That's it! You can now use the personal access token to authenticate with the GitHub API or to perform actions on your account using the command line. Keep in mind that personal access tokens are like passwords, so you should treat them with the same level of security.

Now we have to go to the Body section and specify a query to get your specific type of data. For example, let’s get the id information of a Github account. So, the corresponding Query using the Github login is written in the body tab, as you can see in the screenshot below.

{
  user(login:"mariamarshmallow")
  {
  login
  id
  }
}
Enter fullscreen mode Exit fullscreen mode

Image description

After the Authentication Github will send a 200 Response code that will have information about the user, username and id. The scope of the token you have given access to is known as Authorization.

Image description

Basic Authentication

Basic authentication is often used in conjunction with the HTTP protocol, which is the foundation of the World Wide Web. When a client makes a request to a server, the server sends back a response that includes a header field containing an authentication challenge. The client then sends a second request that includes a header field containing the user name and password, encoded in base64. The server checks the credentials and, if they are valid, sends back a response containing the requested resources.

To test basic authentication, let’s use the Postman API with this URL: https://postman-echo.com/basic-auth. This is an open API that uses “username” and “password”.
Open the API Tester app, create a new GET Request, and paste the URL above.

Image description

Next in the Auth section, enter the username and password of the API for authentication.

Image description

Once you click on the blue play button, you can see the response screen with the 200 response code “Authenticated”.

Image description

If you do not enter authentication details, on the response page a message appears with the response code of 401 “Restricted”.

Image description

This is how we can test API with basic Authentication using the API Tester mobile App.

API Key Authentication

It is a way for the server to recognize and authorize the client to access the API resources.

To use API key authentication, the client must send the API key in the request header or as a query parameter. The server will then validate the API key and, if it is valid, allow the client to access the API resources.

Sign up for an API key from the API provider. In your API request, add the API key as a query parameter or in the request header. Make the API request using the API Tester app. The server will validate the API key and, if it is valid, allow the client to access the API resources.

Here is an example of how to use API key authentication in a GET request using the API Tester app.

Create a new GET Request and enter the API URL in the request box (e.g., "https://api.thecatapi.com"). In the Query section, add the limit parameter and the API key parameter (e.g. "limit=10&api_key=YOUR_API_KEY").

Image description

Click the "Play" button to send the request. If the API key is valid, you will receive a response with the requested information.

Image description

It is important to keep your API key secret and secure, as it allows access to the API resources.
Make sure to use it only in trusted environments and do not share it with others.

Conclusion

Authorization and authentication are crucial security measures that allow us to protect our data and ensure that only authorized individuals have access to it. In this article, we discussed why we need authorization and authentication, the different types of authorization and authentication methods, and how they are applied in the API Tester mobile application. By implementing effective authorization and authentication measures, we can safeguard our data and prevent unauthorized access. It is important to regularly review and update our security measures to ensure that they remain effective and protect our data from potential threats.

Thanks for reading! I hope you found this article helpful. Feel free to leave any questions, comments, or suggestions.

Btw, you can support my work by buying me a coffee! I'll leave here a few links for you:)

Buy Me a Coffee at ko-fi.com

You can also support me on Coinbase

Top comments (19)

Collapse
 
chasm profile image
Charles F. Munat

We need authentication and authorization because human beings are lying, devious, thieving, dishonest c*nts. Infants, really, who can't be trusted. Ever.

And our refusal to embrace adulthood and maturity -- ever -- costs us trillions upon trillions of dollars every year and untold suffering, death, and destruction.

All because we just won't grow the f*ck up.

That's why we need authentication and authorization. Just think of how much easier and nicer everything would be if we just did the right thing. Ha, ha. But noooo.

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

Yes, unfortunately there are many dishonest people in the world. I'm not talking about real life yet, but on the Internet every second link is a scam.
I hope you never had any unpleasant situations related to this 🤗

Collapse
 
chasm profile image
Charles F. Munat

I've never been scammed (I'm careful), but I started my career around the time things really started to take off: 1995. Spam was something you encountered on Usenet newsgroups. I thought it was dumb, but it didn't really bother me until my email inbox started filling up with hundreds or thousands of messages offering me penis-enlarging pills (or breast-enlarging), get-rich-quick schemes, herbal "remedies", etc.

Many of these early spam were incredibly vile and rude, and I was outraged that these sociopaths could so easily invade my inbox and ruin my email experience. Back then there was still some expectation that others would treat you with respect. You had to go looking for trouble. Now suddenly it came looking for you.

And then the Nigerian scams started and the phishing and all the rest. Until spam filters were invented, I often got so angry that I simply logged off and did something else until I cooled down. I spent at least a year really angry.

This was before GMail and even before Hotmail was popular. Hell, it was before Google. But it was a horrible experience and it really destroyed my opinion of humanity (which wasn't that high to begin with). The worst part is that all of this could have been solved easily by making spam illegal, and then tracking down and imprisoning repeat offenders. They always leave a trail.

But a lot of people were making money off of spam (and still do) -- not just the spammers but those who hired them -- and off the traffic, and off anti-spam products, etc., so there was little impetus to fix the problem. As always, the real problem is not the small number of evildoers, but the huge number of those who simply go along, look the other way, or try to profit off of it.

I still get regular spam that gets by the filters -- and how many potentially important emails have I missed because they went to the spam bin? Have I lost job opportunities? Romance opportunities? Things that might have changed my life for the better?

And we haven't even touched on viruses, Trojan horses, blackmail, extortion, porn and revenge porn, etc.

Thread Thread
 
chasm profile image
Charles F. Munat

Oh, and, of course, the global surveillance state...

Thread Thread
 
mariamarsh profile image
Maria 🍦 Marshmallow

You wrote a whole post heh 😛
I think this is the same global problem along with bloated code that I reviewed on my blog earlier. It would be great if we raise such topics more often.

Collapse
 
bretbernhoft profile image
Bret Bernhoft

You bring up a really important field of practice for all IT professionals; security. Authorization and authentication are security tools that the Internet depends on. And it's our job, as Developers, to understand how to best utilize all of this. Thank you for your article, as well as the clean graphics.

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow • Edited

Thank you Bret! 🥰 I hope someone will be more careful now 🛡

Collapse
 
frederickprice profile image
Frederick Price

Cool article, thanks

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

🤗🌈

Collapse
 
phophogr profile image
Phoebe Green

Very informative post!

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

Thanks 🥰

Collapse
 
alessioferrine profile image
alessioferrine

This is a very important topic, in the modern world we all need to think about digital security first.

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

Thank you ❤️
It's a really important thing 🤔

Collapse
 
atndesign profile image
Moulun Kevin

Really informative content, it helps me understand the core principles of authorization and authentication, thank you!

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

Thank you Kevin, my pleasure 🥰

Collapse
 
merc_opolo profile image
Merc Opolo

This is quite an interesting article. Auth is an important step to prevent security issues, thanks for the reminder.

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

Glad you liked it, take care of yourself ⚔️

Collapse
 
somnath_rangrej profile image
Somnath Rangrej

Thanks for sharing the article,

Even in web API testing using Postman, we indeed use the same concepts/types of Authorization and Authentication!

Collapse
 
mariamarsh profile image
Maria 🍦 Marshmallow

I'm glad to help, thank you for your interest!💖