Authentication schemes in REST API

In this post we are going to discuss the different authentication schemes that web services (REST APIs) generally use to authenticate a user or consumer. Before going forward, let's have a quick look at what authentication means.

In simple terms, authentication is the process of verifying the identity of a user. The process consists of a few simple steps:
1) The user tries to connect to the web service.
2) The web service asks the user for credentials (identity information).
3) The user provides the credentials.
4) The web service verifies the user's identity by checking the provided credentials and responds accordingly.

The “Authorization” HTTP header is used to exchange this identity information.

Now that the process of authentication is clear, let's get started with the authentication schemes.

1) Basic Authentication:

The simplest way to implement authentication is basic authentication. In this scheme the user's identity information, i.e. the credentials, is sent in base64-encoded form. The base64 string is obtained by encoding the string username:password. The encoded value is then sent in the “Authorization” HTTP header.

For example, the credentials of user batman with password batman@123 are sent as follows:

GET /api/v1/gotham/ HTTP/1.1
    Host: payatu.com
    Authorization: Basic YmF0bWFuOmJhdG1hbkAxMjM=

The security issue with this scheme is that the username and password are only encoded, not encrypted, so anyone who can read the header can trivially decode them. For this reason basic authentication should not be used where the communication takes place over plain HTTP (not HTTPS). It also has the overhead of sending the credentials with every subsequent request.
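The following added example (not code from the original post) builds the Basic header for the credentials above, shows that the server, or anyone else holding the header, recovers the plaintext password with a single base64 decode, and verifies the credentials server-side with a constant-time comparison. The in-memory user store is constructed for the demo; a real service would hold a password hash rather than the plaintext.

```python
import base64
import binascii
import hmac

# Constructed demo credential store (assumption, not from the post). A real
# service stores a password hash (bcrypt/argon2), never the plaintext.
USERS = {"batman": "batman@123"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: the Basic scheme is plain base64 over 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """Reverse the encoding; returns (username, password) or None if malformed.

    This is the whole 'security' of the scheme: base64 is reversible, so the
    header is only as confidential as the transport carrying it (HTTPS).
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the username cannot contain ':', so split on the first colon only.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header: str) -> bool:
    """Server side: decode, look the user up and compare in constant time."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        # Compare against a dummy value so unknown users cost the same time.
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```

The decoder rejects anything that is not valid base64 or lacks the colon separator, so a malformed header is treated as an authentication failure rather than raising an exception.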

2) HMAC – Hash-based Message Authentication Code

In this authentication scheme the password is not sent at all, not even in encoded form. Instead, the client sends an HMAC value computed with the password as the key over other information. The “other information” generally consists of the HTTP verb, the URL, a timestamp, a hash of the message body or a random number. It is good practice to include the hash of the message body when constructing the HMAC, since it ensures the integrity of the data being sent.

For example, if user “batman” is accessing the “gotham” resource, a possible HMAC calculation is

hash_value = base64encode(hmac('sha256', 'password', 'GET+/api/v1/gotham'))
GET /api/v1/gotham/ HTTP/1.1
    Host: payatu.com
    Authorization: hmac batman:hash_value


3) OAuth 2.0 (Bearer token scheme)

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of the resource owner.

The key roles in an OAuth flow are:
a) Resource Server: the server hosting the user-owned resources protected by OAuth.
b) Resource Owner: the user of an app, who has the ability to grant access to their data on the resource server.
c) Client: an app making API requests to access protected resources on behalf of the resource owner and with their authorization.
d) Authorization Server: the server that obtains consent from the resource owner and issues access tokens to clients for accessing the protected resources hosted by the resource server.

Now let's have a look at the OAuth flow:
1) The app asks the user for authorization to access the resources.
2) If the user authorizes the request, the app receives an authorization grant.
3) The app requests an access token from the authorization server (API) by presenting its client credentials (identity information) along with the authorization grant.
4) If the app's identity is authenticated and the authorization grant is successfully validated, the authorization server issues an access token to the app.
5) The app requests the resource from the resource server, providing the access token for authentication.
6) On successful authentication the resource server serves the requested resource.
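The following added example (not code from the original post and not a real OAuth library) simulates the six steps above with an in-memory authorization server, resource server and client, collapsing the browser redirects into function calls. It shows the two checks that make the flow safe: the authorization grant is single-use and short-lived, and the bearer token is validated by the resource server before any data is returned. The client id, secret, scope name and token lifetimes are constructed demo values.

```python
import secrets


class AuthorizationServer:
    """Holds registered clients, outstanding grants and issued access tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> client_secret
        self.grants = {}    # authorization code -> (client_id, user, scope, expiry)
        self.tokens = {}    # access token -> (client_id, user, scope, expiry)

    def register_client(self, client_id: str, client_secret: str):
        self.clients[client_id] = client_secret

    def authorize(self, client_id: str, user: str, scope: str, now: int) -> str:
        """Steps 1-2: the resource owner consents; the app receives an authorization grant."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(24)
        self.grants[code] = (client_id, user, scope, now + 60)  # grants are short-lived
        return code

    def token(self, client_id: str, client_secret: str, code: str, now: int):
        """Steps 3-4: authenticate the client, validate the grant, issue an access token."""
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None
        grant = self.grants.pop(code, None)  # single use: presenting the code twice fails
        if grant is None or grant[0] != client_id or now > grant[3]:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, grant[1], grant[2], now + 3600)
        return token

    def introspect(self, token: str, now: int):
        """Lookup used by the resource server to validate a bearer token."""
        entry = self.tokens.get(token)
        if entry is None or now > entry[3]:
            return None
        return {"client_id": entry[0], "user": entry[1], "scope": entry[2]}


class ResourceServer:
    """Serves user data only to requests carrying a valid token with the right scope."""

    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.data = {"batman": {"gotham": "city status: quiet"}}  # constructed sample data

    def get(self, path: str, headers: dict, now: int):
        """Steps 5-6: require 'Authorization: Bearer <token>' before serving the resource."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token, now)
        if info is None:
            return 401, "invalid or expired token"
        resource = path.rstrip("/").rsplit("/", 1)[-1]
        if resource not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, self.data[info["user"]][resource]


def run_flow(now: int = 1_000_000):
    """Run the full flow and return what the client observes on the happy path,
    on a replayed authorization code, and on an expired access token."""
    auth = AuthorizationServer()
    auth.register_client("batcave-app", "s3cret")
    rs = ResourceServer(auth)
    code = auth.authorize("batcave-app", "batman", "gotham", now)            # steps 1-2
    token = auth.token("batcave-app", "s3cret", code, now)                   # steps 3-4
    ok = rs.get("/api/v1/gotham/", {"Authorization": f"Bearer {token}"}, now)  # steps 5-6
    replay = auth.token("batcave-app", "s3cret", code, now)                  # reused code
    expired = rs.get("/api/v1/gotham/", {"Authorization": f"Bearer {token}"}, now + 4000)
    return ok, replay, expired
```

The token is an opaque random string and carries no information by itself, which is why the resource server has to ask the authorization server (here via introspect) whether it is still valid; an attacker who steals it gets exactly the access it grants until it expires, so the bearer header must only ever travel over HTTPS.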


Like basic authentication, OAuth 2.0 also requires an HTTPS connection, since the bearer token grants access to whoever presents it.

A request carrying the issued access token in the Bearer scheme looks like this:

GET /api/v1/gotham/ HTTP/1.1
    Host: payatu.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: application/json
    Accept-Language: null
    Accept-Encoding: gzip, deflate
    Authorization: Bearer GjQcs9OiCb7tsuAVBbiYfP3SuypGKZ
    Content-Type: application/json
    Connection: close

Now you should have a good idea of the different authentication schemes that are used for REST API authentication.

