Why Do We Need Authorization and Authentication? 🔑

Maria 🍦 Marshmallow - Dec 30 '22 - - Dev Community

We live in an era where digital data is an increasingly valuable asset, and with that comes the need for privacy and security. Authorization and authentication are two essential security measures that protect data and ensure that only the right individuals have access to it. In this article, we'll discuss why we need authorization and authentication, the different types of authorization and authentication methods, and how they are applied in the API Tester mobile application.

What is Authorization and Authentication?

Authorization and authentication are two distinct concepts in computer security.

Authorization is the process of determining whether an already identified individual or client has permission to access a system or resource. For an API this means checking, on every request, that the caller is allowed to read or modify the data in question. If you are building an API there are many authorization models to choose from; if you are integrating a third-party API, the provider documents the scheme it requires.

Authentication is the process of verifying that an individual or system is who they claim to be. The two work together: authentication establishes who is calling, and authorization decides what that caller may do. For an API the server has to answer both questions on every request, so the client presents a credential (a password, a token, a key or a signature) that the server can check before it serves the resource.

Types of Authorization and Authentication

There are several types of authorization and authentication methods that can be used to protect data. The most common types are:

1. OAuth access tokens are issued to a client application after the user has authenticated with the service and consented to a limited set of permissions (scopes). The client presents the token on each request to reach protected resources, and the user's password is never shared with the client. OAuth is more complex to implement, but it limits what a leaked credential can do and is widely supported by APIs.

2. An API key is a unique, secret identifier that an API provider issues to a client. The client supplies it with every request and the server looks it up to authorize the call. It is typically sent in a request header; many providers also accept it in the query string, but a key in the URL ends up in server logs, browser history and Referer headers, so prefer the header form whenever the provider supports it.

3. HTTP Basic Authentication is used to protect web applications and web services. It requires the client to send a username and password with the request. It is simple to implement, but the credentials are only base64-encoded, not encrypted, so anyone who can observe the request can recover them; Basic authentication is therefore only acceptable over TLS (HTTPS).

4. HMAC (Hash-based Message Authentication Code) is a keyed message-authentication construction that turns a hash function such as SHA-256 (historically SHA-1 or MD5) into a check on both the integrity and the origin of a message, using a secret shared by sender and receiver. It is neither encryption nor a digital signature: it does not hide the message, and anyone holding the shared key can produce a valid tag. HMAC is a required building block in TLS and IPsec, and many APIs use it to sign requests (AWS Signature, below, is one example).

5. User authentication is the most basic form: the user proves their identity with a username and password before reaching a system or resource. It is typically used to protect web applications, online accounts and other sensitive data.

6. OAuth 1.0 and 2.0 are protocols that let a client application access data from a third-party API on behalf of a user, without the user sharing their login credentials with the client. The client first obtains an access token from the API's authorization server; that token then accompanies the client's later requests to the API. OAuth 2.0 is what nearly all current APIs implement; OAuth 1.0 survives mainly in older integrations.

7. The authorization code grant is the OAuth 2.0 flow for applications that have a back end: the user is redirected to the authorization server to log in and consent, the server redirects back with a short-lived authorization code, and the client exchanges that code for the access token in a direct server-to-server call. Confidential clients authenticate that exchange with their client secret; public clients that cannot keep a secret (mobile and single-page apps) use the same flow with PKCE, which binds the code to the client that started the flow.

8. AWS Signature is the request-signing scheme for Amazon Web Services APIs (currently Signature Version 4). The client derives a signing key from its secret access key and computes an HMAC-SHA256 over a canonical form of the request, including a timestamp; AWS recomputes the signature to confirm that the request is authentic, has not been altered in transit, and can be traced back to the access key that made it.
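
The following is an added example (not from this article and not any provider's code) showing how HMAC-based request signing of the kind AWS Signature uses works end to end, in a simplified form: the client builds a canonical string from the request, computes an HMAC-SHA256 tag over it, and the server recomputes and compares the tag. The function names, header layout, timestamp window and the sample secret are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Added example: a simplified HMAC-SHA256 request-signing scheme in the spirit
# of AWS Signature Version 4. canonical_request/sign_request/verify_request,
# the canonical layout and SECRET_KEY are assumptions for illustration,
# not a real provider's API.

SECRET_KEY = b"example-shared-secret"  # constructed sample; never hard-code a real key


def canonical_request(method, path, query, body, timestamp):
    """Build the exact string both sides agree to sign.

    Sorting the query parameters makes the canonical form independent of the
    order the client happened to send them in. Hashing the body binds the
    signature to the payload, so editing the body invalidates the tag.
    """
    canonical_query = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, canonical_query, str(timestamp), body_hash])


def sign_request(secret, method, path, query, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    msg = canonical_request(method, path, query, body, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret, method, path, query, body, timestamp, signature, now, max_skew=300):
    """Server side: recompute the tag and compare it in constant time.

    Rejecting timestamps outside a small window limits replay of a request
    captured on the wire; compare_digest avoids a timing side channel on the tag.
    """
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, query, body, timestamp)
    return hmac.compare_digest(expected, signature)


def demo():
    """Sign one request, then verify a genuine, a tampered and a replayed copy."""
    ts = 1_700_000_000
    query = {"limit": "10", "user": "mariamarshmallow"}
    body = b'{"action":"read"}'
    sig = sign_request(SECRET_KEY, "GET", "/v1/users", query, body, ts)
    # Same request with the query parameters in a different order still verifies.
    ok = verify_request(SECRET_KEY, "GET", "/v1/users",
                        {"user": "mariamarshmallow", "limit": "10"}, body, ts, sig, now=ts + 5)
    # Body changed after signing: integrity check fails.
    tampered = verify_request(SECRET_KEY, "GET", "/v1/users", query,
                              b'{"action":"delete"}', ts, sig, now=ts + 5)
    # Identical request replayed an hour later: timestamp window rejects it.
    replayed = verify_request(SECRET_KEY, "GET", "/v1/users", query, body, ts, sig, now=ts + 3600)
    return ok, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Real schemes such as SigV4 add more to the canonical string (headers, region, service, a derived per-day key), but the security properties are the ones shown here: the secret never leaves either party, any change to the signed fields breaks the tag, and a timestamp bound narrows the replay window.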

How Authorization and Authentication Work in the API Tester App

The API Tester mobile application is a free tool for testing and debugging APIs. It supports REST, GraphQL, WebSocket, SOAP, JSON-RPC and XML over HTTP and HTTPS. You enter auth details in the request settings tab; depending on the scheme, the credential belongs in the request header or in the body, and the app places it there for the method you chose. Variables and collections let you store auth values once and reuse them across requests instead of pasting secrets into every request.

API Tester mobile app provides a secure environment for testing APIs and includes several authentication methods to help protect sensitive data: User Authentication, OAuth Access Token, API Key, HTTP Basic Authentication.

How to Test Authentication and Authorization Using the API Tester App

To walk through authentication, let's use the GitHub GraphQL API to fetch user information; it returns live data.

First, tap “Create new request” or the + button in the top right corner to start a GraphQL request.

The GraphQL option is listed in the new tab under Other features. Tapping it takes you to further options.

The next screen shows an untitled GraphQL request. Enter the API URL in the field starting with HTTPS; in our case it is https://api.github.com/graphql.

The GitHub API requires authentication. In the Headers section there is an OAuth option; provide the access token there. GitHub expects it in the Authorization header as a bearer token.

Let me show you how to generate an Authentication token, just follow these steps:

1) Log in to your GitHub account and go to the "Settings" page.

2) On the "Settings" page, click on the "Developer Settings" tab.

3) Under “Personal access tokens”, click “Generate new token (classic)”.

4) In the "Note" field, enter a name for your token (e.g., "My token"). This will help you remember what the token is for.

5) Select the scope(s) for your token. The scopes determine what the token is allowed to do; this is the authorization half of the picture. Select only the scopes the task needs (a read-only lookup of public profile data needs none of the write scopes) and set an expiration, so that a leaked token can do as little damage as possible.
6) Click the “Generate token” button to create the token.
7) Copy the token to your clipboard. It will not be shown again, so save it in a secure location such as a password manager.

That's it! You can now use the personal access token to authenticate with the GitHub API or to perform actions on your account from the command line. Keep in mind that personal access tokens are like passwords, so treat them with the same care: do not commit them to repositories or paste them into shared screenshots, and revoke them when you no longer need them.

Now go to the Body section and write a query for the data you want. For example, let's fetch the id of a GitHub account. The query below looks the user up by their GitHub login, as you can see in the screenshot.

{
  user(login: "mariamarshmallow") {
    login
    id
  }
}

Once the token is accepted, GitHub returns a 200 response whose body contains the user's login and id. That is the authentication half: the token proved who is calling. If the token is missing or invalid, GitHub answers 401 instead. The scopes you granted the token are the authorization half: they decide which data the authenticated caller may read or change.

Basic Authentication

Basic authentication is defined as part of HTTP, the protocol underlying the web. When a client requests a protected resource without credentials, the server replies with a 401 response carrying a WWW-Authenticate: Basic header (the challenge, including a realm). The client then repeats the request with an Authorization: Basic header whose value is username:password encoded in base64. The server decodes the header, checks the credentials and, if they are valid, returns the requested resource. Base64 is reversible encoding, not encryption, so Basic authentication must only be used over HTTPS.
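As an added example (not part of the original article), here is the exchange above in code: the client builds the Authorization header, and a server-side check parses it, verifies the credentials and issues the 401 challenge when they are absent or wrong. The in-memory user table and the helper names are constructed for illustration; a real server would store password hashes rather than plaintext.

```python
import base64
import hmac

# Added example, not from the article: build and parse an HTTP Basic
# Authorization header and verify the credentials server-side. USERS and the
# function names are constructed for illustration.


def build_basic_header(username, password):
    """Client side: 'Basic ' + base64('username:password').

    This is encoding, not encryption: anyone who sees the header can decode it,
    which is why Basic auth is only acceptable over TLS.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value):
    """Return (username, password) or None if the header is not well-formed Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # RFC 7617: the user-id may not contain ':', the password may, so split once.
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


# Constructed credential store. A real server keeps password hashes
# (argon2/bcrypt), never plaintext; plaintext is used here only so the
# example is self-contained.
USERS = {"postman": "password"}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


def check_basic_auth(header_value):
    """Server side: returns (status_code, response_headers).

    A missing, malformed or wrong credential gets 401 plus the challenge
    header that tells the client which scheme to retry with.
    """
    creds = parse_basic_header(header_value or "")
    if creds is None:
        return 401, dict(CHALLENGE)
    username, password = creds
    expected = USERS.get(username, "")
    # compare_digest avoids leaking how many bytes matched through timing;
    # comparing against "" for unknown users keeps the code path uniform.
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, dict(CHALLENGE)


if __name__ == "__main__":
    hdr = build_basic_header("postman", "password")
    print(hdr)                        # Basic cG9zdG1hbjpwYXNzd29yZA==
    print(parse_basic_header(hdr))    # ('postman', 'password')
    print(check_basic_auth(hdr)[0])   # 200
    print(check_basic_auth(None)[0])  # 401
```

Decoding the printed header with any base64 tool gives back postman:password unchanged, which is the whole point of the "only over HTTPS" rule.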

To test basic authentication, let's use Postman's echo service at https://postman-echo.com/basic-auth. It is an open endpoint whose documented credentials are the username postman and the password password.
Open the API Tester app, create a new GET request, and paste the URL above.

Next in the Auth section, enter the username and password of the API for authentication.

Once you tap the blue play button, the response screen shows a 200 response whose body reports that the request was authenticated.

If you do not enter the credentials (or enter wrong ones), the response page shows 401 Unauthorized instead: the server rejected the request and sent a fresh challenge.

This is how we can test API with basic Authentication using the API Tester mobile App.

API Key Authentication

An API key is a way for the server to recognize the client and authorize it to access API resources.

To use API key authentication, the client sends the key in a request header or as a query parameter on every request. The server looks the key up and, if it is valid, allows the client to access the resources that key is entitled to.

The steps are: sign up for an API key with the API provider; add the key to your request, in the header or in the query string as the provider documents; send the request from the API Tester app. If the key is valid, the server serves the request; otherwise it responds with 401 or 403.

Here is an example of how to use API key authentication in a GET request using the API Tester app.

Create a new GET request and enter the API URL in the request box (e.g. "https://api.thecatapi.com"). In the Query section, add the limit parameter and the API key parameter (e.g. "limit=10&api_key=YOUR_API_KEY"). Keep in mind that a key in the query string is part of the full URL and therefore shows up in logs and history; use a header if the provider offers one.

Click the "Play" button to send the request. If the API key is valid, you will receive a response with the requested information.

Keep your API key secret, since it grants access to the API resources on your behalf: use it only in trusted environments, keep it out of source code and shared screenshots, and rotate it if you suspect it has leaked.

Conclusion

Authorization and authentication are crucial security measures that allow us to protect our data and ensure that only the right individuals have access to it. In this article, we discussed why we need them, the different authorization and authentication methods, and how they are applied in the API Tester mobile application. Implementing them well, with credentials sent only over HTTPS, tokens limited to the scopes they need, and keys kept out of URLs and source code, safeguards our data and prevents unauthorized access. Review and update these measures regularly so they keep protecting your data from new threats.

Thanks for reading! I hope you found this article helpful. Feel free to leave any questions, comments, or suggestions.

Btw, you can support my work by buying me a coffee! I'll leave here a few links for you:)

Buy Me a Coffee at ko-fi.com

You can also support me on Coinbase
