Authentication schemes in REST API

by Siddharth Bezalwar
09/10/2017

In this post we are going to discuss the different authentication schemes that are commonly used by web services (REST APIs) to authenticate a user or API consumer. Before going forward, let's have a quick look at what authentication means.

In simple terms, authentication is the process of verifying the identity of a user. The process consists of a few simple steps:
1) The user tries to connect to the web service.
2) The web service asks the user for credentials (identity information).
3) The user provides the credentials.
4) The web service verifies the identity of the user by checking the provided credentials and responds accordingly.

The identity information is exchanged in the "Authorization" HTTP request header; the schemes below differ in what that header carries.

Now that the process of authentication is clear, let's get started with the authentication schemes.

1) Basic Authentication:

The simplest scheme to implement is Basic authentication. In this scheme the user's credentials are sent base64 encoded: the client concatenates the username and password as username:password, base64 encodes that string, and sends the result in the "Authorization" HTTP header.

For example, the credentials of user batman with password batman@123 are sent as follows:

GET /api/v1/gotham/ HTTP/1.1
Host: payatu.com
Authorization: Basic YmF0bWFuOmJhdG1hbkAxMjM=

The security issue with this scheme is that the username and password are encoded, not encrypted: base64 is reversible, so anyone who can read the request decodes the credentials trivially (the header above decodes straight back to batman:batman@123). Because of this, Basic authentication must only be used over HTTPS, never over plain HTTP. It also has the overhead, and the risk, of resending the credentials with every subsequent request, so every endpoint, TLS-terminating proxy and request log that sees the header sees the actual password rather than a revocable, scoped token.
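The header above, built on the client and checked on the server, as an added example (this is the editor's illustration, not code from the original post). build_basic_header produces exactly the header shown, parse_basic_header recovers the credentials without needing any secret, which is the point of the warning above, and authenticate shows a server-side check against a stored salted PBKDF2 hash so that the password itself is never stored. The in-memory user store, the PBKDF2 round count and the function names are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Password store for the example: username -> (salt, PBKDF2 digest). Constructed, not a real store.
_USERS = {}
_PBKDF2_ROUNDS = 100_000


def build_basic_header(username, password):
    """Client side: Basic credentials are "username:password", base64 encoded."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Server side: recover (username, password) from the header, or None if it is malformed.

    No secret is needed: base64 is reversible, which is exactly the weakness of the scheme.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' is the separator; the password itself may contain ':'.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def register_user(username, password):
    """Store a salted, iterated hash of the password rather than the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)
    _USERS[username] = (salt, digest)


def authenticate(header):
    """Return True if the Basic header carries a registered username and the right password."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    # Unknown users are checked against a dummy record so response time does not
    # reveal whether the username exists.
    salt, digest = _USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)
    matches = hmac.compare_digest(candidate, digest)
    return matches and username in _USERS
```

Note that parse_basic_header splits on the first colon only: the username cannot contain a colon, but the password can, and splitting on every colon would reject valid passwords.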

2) HMAC (Hash-based Message Authentication Code)

In this scheme the client does not send the password or shared secret at all, encoded or otherwise. Instead it uses the secret as the key of a keyed hash (an HMAC) computed over details of the request, and sends the resulting MAC together with its username. The "other information" fed into the MAC generally consists of the HTTP verb, the URL, a timestamp, a nonce (random number) and a hash of the message body. Including the hash of the message body is good practice, since it lets the server detect any modification of the data being sent; the timestamp and nonce let it reject replayed requests. The server, which holds the same secret, recomputes the MAC over the request it actually received and accepts the request only if the two values match (using a constant-time comparison).

For example, if user "batman" is accessing the "gotham" resource with the shared secret stored as the user's password, a possible HMAC calculation is:

hash_value = base64encode(hmac('sha256', password, 'GET+/api/v1/gotham'))

GET /api/v1/gotham/ HTTP/1.1
Host: payatu.com
Authorization: hmac batman:hash_value
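The scheme above with both the client and the server side, as an added example that is not part of the original post. It extends the page's GET+/api/v1/gotham calculation to a canonical string that also covers a timestamp, a nonce and a SHA-256 digest of the body, so that tampering with any of them, or replaying a captured request, is detected. The header layout hmac user:timestamp:nonce:signature, the shared secret value, the 300-second skew window and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Shared secret per API user, provisioned out of band. Constructed value for the example.
_SECRETS = {"batman": b"example-shared-secret-for-batman"}
# Requests whose timestamp is further than this (seconds) from server time are rejected.
_MAX_SKEW = 300
# Nonces already accepted, so a captured request cannot be replayed inside the skew window.
_SEEN_NONCES = set()


def canonical_string(method, path, timestamp, nonce, body):
    """Bind verb, path, timestamp, nonce and a digest of the body into the string that is MACed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(user, method, path, body=b"", timestamp=None, nonce=None):
    """Client side: produce the Authorization header value. The secret never leaves the client."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode("utf-8")
    mac = hmac.new(_SECRETS[user], msg, hashlib.sha256).digest()
    # Header layout "hmac user:timestamp:nonce:signature" is this example's own convention.
    return f"hmac {user}:{timestamp}:{nonce}:{base64.b64encode(mac).decode('ascii')}"


def verify_request(auth_header, method, path, body=b"", now=None):
    """Server side: recompute the MAC over the request as received and compare in constant time."""
    now = int(time.time()) if now is None else now
    scheme, _, rest = auth_header.partition(" ")
    if scheme.lower() != "hmac":
        return False
    try:
        user, ts, nonce, sig = rest.split(":", 3)
        timestamp = int(ts)
        given = base64.b64decode(sig, validate=True)
    except ValueError:  # wrong field count, non-numeric timestamp or invalid base64
        return False
    secret = _SECRETS.get(user)
    if secret is None or abs(now - timestamp) > _MAX_SKEW or (user, nonce) in _SEEN_NONCES:
        return False
    msg = canonical_string(method, path, timestamp, nonce, body).encode("utf-8")
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False
    # Record the nonce only for requests that verified, so a bad request cannot burn a nonce.
    _SEEN_NONCES.add((user, nonce))
    return True
```

In a real deployment the nonce set would live in a shared store with entries expiring after _MAX_SKEW, and the secret would be an API key provisioned out of band rather than the user's login password, so that a leaked API key does not also unlock the user's account.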

3) OAuth 2.0 (Bearer token scheme)

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner. In REST APIs it usually appears as the bearer token scheme: the client presents an access token issued by the authorization server, and the resource server serves any request that carries a valid token.

The following are the key roles in an OAuth flow:
a) Resource Server: the server hosting the user-owned resources protected by OAuth.
b) Resource Owner: the user of an app, who has the ability to grant access to their data on the resource server.
c) Client: an app making API requests to access protected resources on behalf of the resource owner and with its authorization.
d) Authorization Server: the server that obtains consent from the resource owner and issues access tokens to clients for accessing protected resources hosted by a resource server.

Now let's have a look at the OAuth flow:
1) The app asks the user for authorization to access the user's resources.
2) If the user authorizes the request, the app receives an authorization grant (for example an authorization code).
3) The app requests an access token from the authorization server by presenting its client credentials (identity information) together with the authorization grant.
4) If the app's identity is authenticated and the authorization grant is successfully validated, the authorization server issues an access token to the app.
5) The app requests the resource from the resource server and presents the access token in the "Authorization" header (Bearer scheme).
6) The resource server validates the token (it must be genuine, unexpired and cover the requested resource) and, if it is valid, serves the requested resource.

 
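The six steps above carried through end to end, as an added example that is not part of the original post: an in-memory authorization server that issues a single-use, short-lived authorization code after the user's consent (steps 1 and 2), authenticates the client and exchanges the code for a bearer access token (steps 3 and 4), and a resource server that validates the token and its scope before serving /api/v1/gotham/ (steps 5 and 6). The client registration, the "gotham:read" scope, the lifetimes and the class and method names are assumptions made for this example; a production authorization server would run these as HTTP endpoints and persist its state.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 60       # authorization codes are short-lived and single-use (assumed value)
TOKEN_TTL = 3600    # access tokens expire (assumed value)


@dataclass
class _AuthCode:
    client_id: str
    redirect_uri: str
    scope: str
    user: str
    expires: float
    used: bool = False


class AuthorizationServer:
    """Issues codes after user consent (steps 1-2) and swaps them for tokens (steps 3-4)."""

    def __init__(self, clients):
        # client_id -> (client_secret, registered redirect_uri); constructed for the example
        self.clients = clients
        self.codes = {}
        self.tokens = {}   # access_token -> (user, scope, expires)

    def authorize(self, client_id, redirect_uri, scope, user, now=None):
        """The resource owner `user` has consented; return the authorization grant (a code)."""
        now = time.time() if now is None else now
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = _AuthCode(client_id, redirect_uri, scope, user, now + CODE_TTL)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Authenticate the client, validate the grant and issue a bearer access token."""
        now = time.time() if now is None else now
        reg = self.clients.get(client_id)
        if reg is None or not hmac.compare_digest(reg[0], client_secret):
            return None
        grant = self.codes.get(code)
        # The code must be unused, unexpired and bound to this client and redirect_uri.
        if (grant is None or grant.used or grant.expires < now
                or grant.client_id != client_id or grant.redirect_uri != redirect_uri):
            return None
        grant.used = True
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (grant.user, grant.scope, now + TOKEN_TTL)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

    def introspect(self, access_token, now=None):
        """Tell a resource server who a token belongs to, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        rec = self.tokens.get(access_token)
        if rec is None or rec[2] < now:
            return None
        return {"user": rec[0], "scope": rec[1]}


class ResourceServer:
    """Serves /api/v1/gotham/ only to requests carrying a valid, suitably scoped token (steps 5-6)."""

    def __init__(self, authorization_server):
        self.authorization_server = authorization_server

    def get_gotham(self, authorization_header, now=None):
        """Return (HTTP status, body) for a request with the given Authorization header."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, None
        info = self.authorization_server.introspect(token, now)
        if info is None:
            return 401, None
        if "gotham:read" not in info["scope"].split():
            return 403, None
        return 200, {"city": "Gotham", "owner": info["user"]}
```

The checks in token() are the ones that matter in practice: the client secret is compared in constant time, the code is rejected if it has already been redeemed, has expired, or was issued to a different client or redirect_uri, which is what stops a stolen code from being exchanged by an attacker.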

A request carrying the access token in the Bearer scheme looks like this:

GET /api/v1/gotham/ HTTP/1.1
Host: payatu.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json
Accept-Language: null
Accept-Encoding: gzip, deflate
Authorization: Bearer GjQcs9OiCb7tsuAVBbiYfP3SuypGKZ
Content-Type: application/json
Connection: close

Like basic authentication, OAuth 2.0 also requires an HTTPS connection. A bearer token is exactly that: whoever bears it can use it, so anyone who observes the token on the wire can impersonate the client until the token expires or is revoked. Tokens should therefore be short-lived and scoped to the minimum access the app needs.

Now you should have a good idea of the different authentication schemes that are used in REST API authentication.
