In this article, we will discuss API authentication methods. Before that, you need to understand what the word authentication means, and, just as importantly, what it is not: there is a related term, authorization, that you should also know. Later on, you will get a detailed description of the different API authentication methods. One thing to keep in mind is that you cannot rely on a single authentication method alone, which is why a variety of API authentication methods exist. So, without wasting time, let's come to the point.
In simple words, authentication is the process that checks or verifies the identity of a user who tries to access a network, system, or device. Access control mechanisms usually verify a username and password to establish the identity of the user. For example, to access your email you have to provide credentials such as a username and password to log in. If the credentials are correct, you have let the website know who you are, and it is your identity that is accessing the site. Other examples are the four- or six-digit passcode that unlocks a mobile phone and the login password for your computer; nowadays biometrics are also used on smartphones. Authorization, by contrast, is the process that determines the rights associated with a particular identity, that is, what a user is allowed to do.
Why do we require authentication? Say you have access to some important information that others should not know about, because such a situation could cause you harm. The mechanism that prevents unauthorized people from accessing your sensitive information is authentication, and that is why we want it. Authentication is very important today because cybercrime is increasing rapidly. When authentication is not secure, an attacker's main aim is to gain system access and steal sensitive information. The Equifax, Adobe, and Yahoo data breaches are examples of cybercrimes that resulted from poor authentication.
Due to increased cyber attacks, different types of authentication methods have been developed. Let’s have a look at them.
So far, you have learned what authentication is and why it is important. The next question is what an API is. An API is a software protocol, a tool through which clients and servers communicate; in simple words, it is a way to request or receive data from an endpoint. But how does the server know that the client is genuine? API authentication is the process that verifies the identity of a user who tries to access server resources. It protects against malicious data submission and acts as a security layer.
There are numerous API authentication methods. A few of them are listed here and discussed in detail below:

- HTTP Basic Authentication
- API Key Authentication
- OAuth Authentication
  - OAuth 1.0
  - OAuth 2.0
- Bearer Authentication
- OpenID Connect
- LDAP Authentication
- Advanced Digest Authentication
- Hawk Authentication
- AWS Signature
- NTLM Authentication
- Akamai EdgeGrid

Let me introduce each of these API authentication methods.
HTTP Basic Authentication is the simplest method, but it means you cannot hand your password to someone else to act on your behalf. The technique uses Base64 encoding: the username and password are combined into a single value, which is passed in the HTTP Authorization header. Whenever a user makes a request, the server checks the Authorization header and compares it with the credentials stored on its system. The request is fulfilled if the credentials and the header details match; if there is a mismatch, a request-denied message is sent and authentication fails. The same scheme is also used for Proxy-Authorization. In other words, with this method you just send a username and password with the API call. Mailchimp and Twilio, for instance, use Basic Authentication. It is used with both HTTP and HTTPS requests, and web applications use it to protect themselves with a single password. Because Base64 is reversible encoding rather than encryption, this method cannot be used without SSL, but it can be combined with other security methods.
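As an added example (not code from the original article), here is the client-side construction and server-side verification of a Basic Authorization header in Python; the credential store, user name and password are constructed for this example.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed credential store for this example: username -> password.
# A real server would store a salted password hash, never the password itself.
USERS = {"alice": "s3cret-pass"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: join 'username:password', Base64-encode it, prefix 'Basic '."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from an Authorization header.
    Base64 is reversible, so anyone who can read the header can read the password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the username cannot contain ':', so split at the first one.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Compare the presented credentials with the stored ones. hmac.compare_digest
    keeps the comparison constant-time, so timing does not leak how close a guess was."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        # Dummy comparison so unknown users are not rejected faster than known ones.
        hmac.compare_digest(password.encode("utf-8"), b"x" * len(password))
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
```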
API key authentication uses an API key to provide access to a particular service or routine. It was introduced to overcome the shortcoming of HTTP Basic Authentication, where the credentials themselves are shared. The API key is a string of letters and numbers, which you attach to the request header or the request URL. Users present the API key to gain access to data and the server checks the user's identity against it. Public and private keys can be used according to need: public keys limit the number of users who can access a particular function, and private keys work like a password. This method is highly secure and reliable because a unique key is used. Stripe and SendGrid use API keys. It works over both HTTP and HTTPS. When initial authentication fails, this method can also provide limited access.
For more security, keep the following points in mind:
Key: This is the name of the key the API uses as an identifier in the parameters. Most APIs use "token" as the key.
Value: This contains the unique value generated for your users.
Both of these input variables can be passed either in the header or as a query parameter, depending on the API you are using.
OAuth combines authentication and authorization. It came into existence in 2007. It allows applications to communicate with the API server to gain access. In this method, token-based authentication is requested: the client sends its request to the authentication server, which processes it. This approach is very secure and powerful compared to the others, and it is used by many clients and applications. It uses time-limited tokens and works over HTTPS. You just press the sign-in button to grant permission and the app quickly authenticates the user's request, which gives the best user experience. Google, Facebook, and Twitter use this method. The idea behind OAuth is that the end user never needs to share their credentials with anyone.
OAuth 1.0 was revised to OAuth 1.0a. It is also known as the Digest Authentication Scheme. It is a fully secured, tested, and very popular authentication method. It is signature based and uses a cryptographic signature, which is a combination of the token secret, a nonce, and the information requested by the user. You can use this method with or without SSL. This version is more complicated than OAuth 2.0.
Signature Methods: OAuth 1.0 supports different signature methods such as HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, and PLAINTEXT.
Consumer Key: It is a value used by the Consumer to identify itself to the service provider.
Consumer Secret: This is a secret value used by the Consumer to establish ownership of the Consumer Key.
Access Token: This is a unique value defined for a period of time to authenticate the user.
Token Secret: Similar to Consumer Secret this is a value used to establish the ownership of the Access Token
Private Key: This is an RSA key in PEM format used for signing the request.
Callback URL: This is a URL where the user will be redirected after the authentication is done.
Verifier: This is a verification code given by the service provider after the authorization.
Nonce: This is a random string generated by the API consumer.
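An added example, not code from the original article, that builds the OAuth 1.0 signature base string and HMAC-SHA1 signature from the parameters listed above (consumer key and secret, access token and token secret, nonce, timestamp). It uses the sample request and secrets from RFC 5849 so the base string can be checked against the RFC's own value; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed from the request in RFC 5849 section 3.4.1, so the base string can
# be checked against the RFC's own value. The secrets are the RFC's sample values.
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
BASE_URL = "http://example.com/request"


def enc(s: str) -> str:
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(s, safe="-._~")


def base_string(method: str, base_url: str, params) -> str:
    """Signature base string: METHOD & enc(URL) & enc(normalized parameters).
    params holds query, body and oauth_* pairs, excluding oauth_signature."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_url), enc(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the base string; the key is the two secrets joined by '&'."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string(method, base_url, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(method, base_url, params, presented, consumer_secret, token_secret) -> bool:
    """Server side: recompute from the received request and compare in constant time.
    A real server also rejects stale oauth_timestamp values and reused nonces."""
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def oauth_params(nonce=None, timestamp=None):
    """The oauth_* pairs a client adds; nonce and timestamp let the server detect replay."""
    return [("oauth_consumer_key", CONSUMER_KEY), ("oauth_token", TOKEN),
            ("oauth_signature_method", "HMAC-SHA1"),
            ("oauth_timestamp", timestamp or str(int(time.time()))),
            ("oauth_nonce", nonce or secrets.token_hex(8))]


# RFC 5849 request: query b5, a3, c@, a2 and form body c2, a3 (values shown decoded).
RFC_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),
              ("c2", ""), ("a3", "2 q")] + oauth_params("7d8f3e4a", "137131201")
RFC_BASE = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
            "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key"
            "%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method"
            "%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")
```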
OAuth 2.0 provides four types of grants. With this technique you need not compute a keyed hash for every call. It uses two tokens, an access token and a refresh token. It is best suited to identifying an individual user and granting that user access. It allows a third party to gain limited access to an HTTP service. It is more secure because it uses a token that is revoked after some time, and more powerful because attackers are not able to reuse the same token. Try to use this method with the flows enabled that support server-to-server and device authentication. It works with four flows: the authorization code flow, the implicit flow, the resource owner password flow, and the client credentials flow.
Callback URL: This is a URL where the user will be redirected after the authentication is done.
Auth URL: This is the endpoint for the authorization server. This is used to get the authorization code.
Access Token URL: The endpoint for the authentication server. This is used to exchange authorization code for access tokens.
Client ID: It is a unique value used by the Client to identify itself during the application registration process.
Client Secret: This is a secret value issued to the client during registration.
Scope: The scope of the access request like read, write etc.
State: It is a unique value used to prevent cross-site request forgery.
Bearer authentication uses security tokens called bearer tokens. It is also known as token authentication and uses HTTP authentication. The token is a cryptic string that allows the user to access particular resources and URLs. The server issues the bearer token when the user logs in. To request protected resources, the client sends the token in the Authorization header. It is used only over HTTPS. This authentication scheme was defined as part of RFC 6750.
Token: This is a unique token generated by the API server for the consumer.
It is a plug-in that is available for many customers and supports various credentials such as:
OpenID Connect acts as a relying party and proxy for OAuth 2.0 resource users. It is an identity layer on top of OAuth 2.0. It verifies the end user's identity based on the authentication performed by the authorization server, using a JSON Web Token called the ID token. The authorization server can also reveal profile information about the end user. This method uses JSON and specifies a RESTful HTTP API. You can use it to obtain information about the authenticated session.
The JWT used in this method has the following features:
JWT: This is a unique token generated by the server, the consumer needs to pass this token with every request.
The LDAP authentication method described here is provided by Kong Enterprise and enables LDAP bind authentication. It can be enabled on a service, a route, or on earlier versions of Kong. It acts as a global plug-in that runs after a request is received. It provides limited access to an anonymous user when authentication fails.
DN: This is a unique string assigned to a client to identify them uniquely.
Password: This is the password which is required when authenticating.
In Digest authentication, the client first sends a request to the API. The server responds with a 401 Unauthorized response containing a nonce and a realm value. The user then sends back an encrypted data array containing the username, password, and the server's response data. The server compares the user's request with an encrypted string computed from the data sent by the user. This method is used by web servers to negotiate credentials. It is useful where a user's identity must be confirmed before sharing sensitive information with them.
Digest authentication is used by various online banking systems. A hash function is applied to the username and password. It uses the HTTP protocol and reversible Base64 encoding. This method was developed by Phillip Hallam, a banker at CERN, in 1993. The scheme uses MD5 cryptographic hashing and a nonce to protect the user from replay attacks. The server is never given the clear password, which reduces the chances of phishing. Digest authentication can be attacked by a man-in-the-middle attack, and the password hash it uses is relatively weak.
Realm: This is a string specified by the server in the WWW-Authenticate response header. It should contain at least the name of the host performing the authentication and might also indicate the users who have access.
Algorithm: It supports different algorithms like MD5, MD5-sess, SHA-256, SHA-512, SHA-512-sess, SHA-512-256, SHA-512-256-sess.
qop: It indicates the quality of protection applied to the message.
Client Nonce: This is an opaque string provided by client to be used by both client and server to avoid plaintext attacks.
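An added example (not code from the original article) that computes the Digest response from the realm, nonce, qop and client nonce described above, using the worked values from RFC 2617 so the result can be checked against the RFC, and adds a minimal server side that stores only HA1 and rejects a replayed nonce count. The DigestServer class and its method names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed from the worked example in RFC 2617 section 3.5 so that the
# response value can be checked against the RFC's own figure.
REALM = "testrealm@host.com"
USER, PASSWORD = "Mufasa", "Circle Of Life"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server can store this instead of the
    password, which is why the clear password never has to reach the server."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestServer:
    """Minimal server side: issues nonces, verifies responses, and refuses a
    nonce it never issued or a nonce-count it has already accepted (replay)."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in credentials.items()}
        self.issued = {}   # nonce -> highest nonce-count accepted so far

    def challenge(self) -> dict:
        """Values carried in the 401 WWW-Authenticate header."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        h1 = self.ha1_by_user.get(user)
        if h1 is None or nonce not in self.issued:
            return False
        if int(nc, 16) <= self.issued[nonce]:        # replayed or reordered request
            return False
        expected = digest_response(h1, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.issued[nonce] = int(nc, 16)
        return True
```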
Hawk authentication uses partial cryptographic verification of the HTTP request, covering the request URI and host. You have to enter the Hawk Auth ID, Auth Key, and algorithm fields. A MAC (message authentication code) algorithm is used to sign each HTTP request, with the user's credentials, an identifier and a key, as input to the MAC. To apply the Hawk scheme you need to provide a shared symmetric key to the client and the server; the shared credentials are provisioned during a TLS-protected phase. The method is intended as an improvement over basic HTTP authentication.
Hawk authentication secures the credentials and avoids exposing them to a malicious server. It uses timestamps to provide secure communication. The client needs a token ID and key from the server to sign its requests. Hawk can be used in Pyramid applications and Node.js Express apps; a real-world example is Mozilla's services, and it is also compatible with Drupal 8. Its first version was released by Eran Hammer in November 2012.
Hawk Auth ID: It is similar to Client ID in OAuth, it is a unique value assigned to API consumers.
Hawk Auth Key: Similar to API Key generated using algorithms for the consumers.
Algorithms: It supports multiple algorithms such as SHA256 and SHA1.
AWS Signature authentication is used by Amazon Web Services. It uses a custom HTTP scheme based on a keyed HMAC for authentication. Other parameters used in this method are the AWS region, service name, and session token.
AWS signature authentication allows:
In this method, authentication information can be provided either in the HTTP Authorization header or as query string parameters. First, you send an authentication request that includes the signature. In AWS authentication you do not use the secret access key directly to sign a request; instead, the secret access key is used to derive a signing key. The signing key is scoped to a specific domain and does not expire. On receiving an authenticated request, the Amazon server recreates the signature; the request is accepted if both signatures match, otherwise it is rejected.
Access Key: This is the key generated from the AWS console.
Secret Key: This is the secret generated from the AWS console.
NTLM is an authorization flow used in the Windows operating system and for standalone applications. It is also known as Windows Challenge/Response. Other advanced parameters used for this authentication are the domain and workstation. It is used for logon authentication and uses the domain name, user name, and a hash of the user's password. In this scheme you need not send the user's password for authentication.
NTLM authentication uses two systems as follows:
In the case of non-interactive authentication, you only need the client, the server, and the domain controller. The user provides the client computer with information such as the domain name, password, and user name, and the client computer generates a cryptographic hash. The client sends the user name in plain text to the server. The server creates a nonce and sends it back to the client. The newer, more secure NTLMv2 protects against brute-force and replay attacks. NTLM was the default network authentication protocol in Windows NT 4.0. It was created by Microsoft and was initially a proprietary protocol. It is used as an SSO (single sign-on) process and uses MD4 to hash the password.
Akamai EdgeGrid is an authorization helper developed by Akamai. To use it you have to enter the access token, client token, and client secret, and make a properly formed authentication request.
Access Token: This is the token generated by the server which defines the privileges of a user.
Client Token: It is a unique value used by the Client to identify itself during the application registration process.
Client Secret: This is a secret value issued to the client during registration.
HMAC authentication is hash-based message authentication. An authentication code is generated from the combination of a secret key and a hashing function. It is used to check the authenticity and integrity of a message. The method is used mostly by Amazon Web Services. It relies on two things: a secret key and a key identifier. The method signs the whole request, which may include an MD5 hash. You need not use SSL with this method. It is similar to a digital signature.
X-CT-Authorization: This is a combination of Public Key and Signature appended after
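An added example, not code from the original article or from AWS, showing the keyed-HMAC request signing that both the AWS Signature section and the HMAC section above describe: the signing key is derived from the secret access key rather than the secret being used directly, the client puts the key identifier and signature in the Authorization header, and the server recreates the signature to verify it. The key id, secret and canonical request are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder credentials for this example, not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
SECRET_ACCESS_KEY = "example-secret-access-key-placeholder"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: the secret access key never signs a request
    directly, it seeds a chain of HMACs scoped to a date, region and service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def sign(secret, amz_date, region, service, canonical_request) -> str:
    """HMAC(signing key, string-to-sign); the string-to-sign commits to the
    algorithm, date, credential scope and a hash of the whole canonical request."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return hmac.new(signing_key(secret, date_stamp, region, service),
                    to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def authorization_header(key_id, secret, amz_date, region, service, canonical_request) -> str:
    """Client side: the Authorization header value carrying key id, scope and signature."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    sig = sign(secret, amz_date, region, service, canonical_request)
    return (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")

def server_verify(secret_store, header, amz_date, region, service, canonical_request) -> bool:
    """Server side, as the article describes: find the secret by key id, recreate
    the signature from the request actually received, compare in constant time."""
    try:
        key_id = header.split("Credential=")[1].split("/")[0]
        presented = header.split("Signature=")[1].strip()
    except IndexError:
        return False
    secret = secret_store.get(key_id)
    if secret is None:
        return False
    expected = sign(secret, amz_date, region, service, canonical_request)
    return hmac.compare_digest(expected, presented)

# Constructed canonical request: GET / with host and x-amz-date signed, empty body.
CANONICAL_REQUEST = ("GET\n/\n\nhost:example.amazonaws.com\nx-amz-date:20240101T000000Z"
                     "\n\nhost;x-amz-date\n" + hashlib.sha256(b"").hexdigest())
```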
In this article, we have shared many API authentication methods with you. Try to find the method that is most suitable for you. In a survey of more than 100 APIs, the most widely used method was found to be OAuth 2.0. Basic authentication is also a good choice, but it is more vulnerable to attack because it does not use any encryption. In some cases, users also use OpenID Connect, which is based on OAuth 2.0. OAuth 2.0 is popular because it is easy to use and provides scalable security using RSA encryption, and its implementation cost is also low.