In this article of the REST with Spring series, we will take an overview of RESTful authentication. We will talk about four different ways to authenticate clients of a REST API, along with the pros and cons of each method.
REST APIs are becoming the backbone of many modern enterprise applications. They carry huge volumes of data of varying types (think of the Netflix or Google REST APIs), so it is very important to talk about security, specifically about protecting that data. To put it simply, we want a mechanism in place that authenticates the client to the server in REST API communication. Let's quickly look at what RESTful authentication is and what it is not.
While working on security design you may hear the words authentication and authorization often. The two concepts are orthogonal and independent, but both are central to security design. A good understanding of both will ensure robust security for your REST API. Let's see the basic difference between these two terms:
Authentication: It is the process of ensuring that somebody really is who they claim to be. It is like checking your credentials or ID.
Authorization: This process determines who may do what. In other words, it checks whether you have permission to perform the action you are requesting.
This gives you a high-level idea of these two terms (they deserve a separate post). In this post we will only talk about the different options for RESTful authentication.
Let's talk about the common methods used for RESTful authentication. We will cover these four approaches: HTTP basic authentication, cookie-based (session) authentication, OAuth, and API keys.
HTTP basic authentication is the most basic method for REST APIs. The client sends the Authorization header with the Basic scheme followed by "username:password" encoded in base64. Here is a basic snapshot:

GET / HTTP/1.1
Host: www.javadevjournal.com
Authorization: Basic YWRtaW46bmltYQ==
This is the easiest approach to implement and is supported by default in modern browsers and most REST clients. Let's see the HTTP basic authentication workflow:
This seems easy; however, the approach has real limitations. Base64 is an encoding, not encryption: anyone who can read the request can decode the username and password, so basic authentication is only acceptable over TLS. The credentials are also resent on every request, and the scheme has no notion of expiry or logout, so a captured header keeps working until the password is changed.
I do not recommend it for enterprise REST APIs; it may be useful for validation inside an internal network.
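As an added example (not code from the original article), here is what both sides of basic authentication look like in Python: the client builds the header, and the server decodes it, splits on the first colon only (a password may contain colons), hashes the password with PBKDF2 and compares in constant time. Decoding the article's own sample header shows why base64 is not a protection. The credential store, the static salt and the user "admin"/"nima" are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store for this example: the server keeps only a
# salted PBKDF2 hash of each password, never the password itself. The single
# user "admin" / "nima" is what the article's sample header decodes to.
SALT = b"constructed-static-salt"  # a real system uses a random salt per user
ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"admin": hash_password("nima")}


def make_basic_header(username: str, password: str) -> str:
    """What the client puts in Authorization (RFC 7617): base64 of user:pass."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic_header(value: str):
    """Return (username, password) from an Authorization header value, or None.

    Base64 is reversible, so this is all an eavesdropper needs to do to read
    the credentials off the wire if the request is not sent over TLS.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The username may not contain ':' but the password may, so split once.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(headers: dict):
    """Return the authenticated username, or None (maps to 401 + WWW-Authenticate)."""
    value = headers.get("Authorization")
    if value is None:
        return None
    parsed = parse_basic_header(value)
    if parsed is None:
        return None
    username, password = parsed
    stored = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which names exist,
    # and compare the digests in constant time.
    candidate = hash_password(password)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    return username


if __name__ == "__main__":
    print(parse_basic_header("Basic YWRtaW46bmltYQ=="))  # ('admin', 'nima')
    print(authenticate_basic({"Authorization": make_basic_header("admin", "nima")}))
```

Note that every request carries the password, so the server has to run the (deliberately slow) password hash on every call; that cost is one more reason basic authentication is better suited to internal use than to a public API.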
Cookies can also be used for RESTful authentication between client and server. This approach is like HTTP basic authentication in that the client sends something identifying it to the REST API on every request, with one difference: after the user logs in, the server creates a session and hands its identifier to the client in a cookie. The client sends the cookie back to the REST API on every request. We will use the session and cookies as highlighted below:
This approach violates a basic principle of RESTful APIs by keeping session state on the server side: our API is not stateless when the server holds a session. Because browsers attach cookies automatically, a cookie-authenticated API also needs CSRF protection (SameSite cookies or a CSRF token) that the other methods do not.
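The following Python example is added here and is not from the original article. It models one API instance with its own session table, shows the Set-Cookie attributes a practitioner would insist on (HttpOnly, Secure, SameSite), and makes the statelessness problem concrete: a second instance that did not see the login cannot authenticate the same cookie. The SessionServer class, the SESSIONID name and the user "alice" are constructed for this example.

```python
import secrets


def parse_cookie_header(value: str) -> dict:
    """Parse 'a=1; b=2' from a Cookie request header into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def cookie_from_set_cookie(set_cookie: str) -> str:
    """What a browser sends back: only the name=value pair, attributes stripped."""
    return set_cookie.split(";", 1)[0]


class SessionServer:
    """One API instance with its own in-memory session table (constructed).

    The table is the server-side state the article refers to: a request can
    only be authenticated by the instance (or shared store) that holds it.
    """

    COOKIE_NAME = "SESSIONID"

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, username: str) -> str:
        """Return the Set-Cookie header value after a successful login."""
        session_id = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._sessions[session_id] = username
        # HttpOnly: no access from page scripts; Secure: only over TLS;
        # SameSite=Strict: the browser will not attach it to cross-site
        # requests, which removes the classic CSRF problem of cookie auth.
        return (f"{self.COOKIE_NAME}={session_id}; "
                "HttpOnly; Secure; SameSite=Strict; Path=/")

    def authenticate_session(self, headers: dict):
        """Return the username for the session cookie in the request, or None."""
        raw = headers.get("Cookie")
        if not raw:
            return None
        session_id = parse_cookie_header(raw).get(self.COOKIE_NAME)
        if session_id is None:
            return None
        return self._sessions.get(session_id)

    def logout(self, headers: dict) -> None:
        """Server-side logout: drop the session so the cookie stops working."""
        raw = headers.get("Cookie", "")
        session_id = parse_cookie_header(raw).get(self.COOKIE_NAME)
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    node_a, node_b = SessionServer(), SessionServer()
    request = {"Cookie": cookie_from_set_cookie(node_a.login("alice"))}
    print(node_a.authenticate_session(request))  # alice
    print(node_b.authenticate_session(request))  # None: node_b never saw the login
```

The upside of that state is visible in logout(): the server can end a session immediately, which the stateless token approaches below cannot do without extra machinery. The downside is that every instance behind a load balancer needs the same session store (sticky sessions, a shared cache, or a database).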
OAuth is becoming the standard for REST API security. It is an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications. There are two versions of this framework, OAuth 1.0 and OAuth 2.0.
I will not go into the differences between the two, as there are several resources with all the details. OAuth 2.0 supersedes the work done on the original protocol and simplifies several of the workflows (grant types) it introduced.
OAuth puts the access token in the HTTP Authorization header, using the Bearer scheme. This is how the request looks:

GET /resource/1 HTTP/1.1
Host: javadevjournal.com
Authorization: Bearer uM_xxx-xxxxxxxxx
Keep in mind that OAuth 2.0 is an authorization framework: the access token tells the API what the client may do, not who the end user is. If you need to authenticate the user, use OpenID Connect, which adds an identity layer (the ID token) on top of OAuth 2.0.
This is how the OAuth flow works for RESTful authentication:
There are several benefits of using this framework for your REST API security: the API never sees the user's password, tokens can be limited in scope and lifetime, and the same mechanism serves web, mobile and desktop clients. The main caveat is that a bearer token is exactly that: whoever presents it gets access. Its security depends entirely on the transport, so it must only travel over TLS and must be stored and logged as carefully as a password.
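As an added example (not the article's code and not a standard OAuth token format), the Python block below shows the resource-server side of bearer tokens: the token is a signed, self-contained claim set with a subject, a scope list and an expiry, so the API can check who the token was issued to and whether it permits the requested action without calling back to the issuer. The HMAC token format, the shared SECRET and the user "alice" are assumptions of this example; a real deployment obtains tokens from an authorization server, typically as JWTs signed with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed key shared by the token issuer and the resource server (constructed).
SECRET = b"constructed-issuer-secret"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes, ttl_seconds: int, now=None) -> str:
    """Issuer side: 'body.signature' carrying subject, scopes and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": " ".join(scopes), "exp": int(now + ttl_seconds)}
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(signature)}"


def verify_token(token: str, now=None):
    """Resource-server side: return the claims if signature and expiry check out."""
    now = time.time() if now is None else now
    try:
        body, signature = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        # Check the signature before trusting anything inside the body.
        if not hmac.compare_digest(_b64u_decode(signature), expected):
            return None
        claims = json.loads(_b64u_decode(body))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_bearer(headers: dict, required_scope: str, now=None):
    """Return the token subject if the token is valid and grants required_scope."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    claims = verify_token(token.strip(), now)
    if claims is None:
        return None  # no valid token: 401
    if required_scope not in claims.get("scope", "").split():
        return None  # valid token, insufficient scope: 403
    return claims.get("sub")


if __name__ == "__main__":
    token = issue_token("alice", ["read"], ttl_seconds=3600)
    print(authorize_bearer({"Authorization": "Bearer " + token}, "read"))   # alice
    print(authorize_bearer({"Authorization": "Bearer " + token}, "write"))  # None
```

Because the API trusts the signature rather than a lookup, this is stateless, and that cuts both ways: a stolen token stays valid until its expiry, so keep lifetimes short and refresh rather than issuing long-lived access tokens.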
API keys were the most common method in the early days of REST APIs, and some APIs still use them for authentication. Here is a high-level workflow for this approach:
This is how the key is passed as part of the request header:
Authorization: Apikey 8723745abcdef
One of the major benefits of this approach is its simplicity: get the API key and you have everything you need to call the API. There are several problems with this method: the key identifies an application rather than a user, it is a long-lived static secret with no expiry or scope unless you build that yourself, and if it leaks (in a URL, a log file or a public repository) the only remedy is to rotate it.
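The Python example below is added here and is not from the original article. It shows the server side of the Apikey header above done with the minimum a practitioner would expect: the key is issued as "id.secret", only a hash of the secret is stored so a database leak does not hand out working keys, the comparison is constant-time, and a key can be revoked. The ApiKeyStore class, the key layout and the owner "billing-service" are constructed for this example.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Server-side registry of API keys (constructed example).

    The key id half is stored in clear so the record can be found without
    scanning every key; only a hash of the secret half is stored.
    """

    def __init__(self):
        self._records = {}  # key id -> record

    def create(self, owner: str, scopes) -> str:
        """Create a key and return it once; the server cannot show it again."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {
            "owner": owner,
            "scopes": set(scopes),
            # SHA-256 is enough here: the secret has 256 bits of entropy, so
            # brute force is hopeless even with a fast hash (unlike passwords).
            "hash": hashlib.sha256(secret.encode()).digest(),
            "revoked": False,
        }
        return f"{key_id}.{secret}"

    def lookup(self, api_key: str):
        """Return the record for a presented key, or None."""
        key_id, sep, secret = api_key.partition(".")
        record = self._records.get(key_id)
        if not sep or record is None or record["revoked"]:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, record["hash"]):
            return None
        return record

    def revoke(self, api_key: str) -> None:
        """The only remedy for a leaked key: stop honouring it."""
        key_id = api_key.partition(".")[0]
        if key_id in self._records:
            self._records[key_id]["revoked"] = True


def authenticate_api_key(store: ApiKeyStore, headers: dict):
    """Return the key owner for 'Authorization: Apikey <key>', or None."""
    value = headers.get("Authorization", "")
    scheme, _, key = value.partition(" ")
    if scheme.lower() != "apikey" or not key:
        return None
    record = store.lookup(key.strip())
    return None if record is None else record["owner"]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("billing-service", ["read"])
    print(authenticate_api_key(store, {"Authorization": "Apikey " + key}))  # billing-service
```

Notice what the record identifies: an application, not a person. Anything the API needs to know about the end user has to come from somewhere else, which is the gap the OAuth and OpenID Connect approach fills.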
There are several methods for RESTful authentication, and the use case determines the best one. Our recommendation is OAuth 2.0, which is powerful and flexible, combined with OpenID Connect where the API needs to know who the end user is. If you are working on an internal application and do not want to set up the entire workflow, HTTP basic authentication over TLS may work for you.
In this article we talked about the different methods for RESTful authentication and looked at each method with its pros and cons. In the next articles we will take a deeper look at each of these methods and implement them using Spring Boot.
Hello! I am Umesh, an engineer by profession and a photographer by passion. I like to build stuff on the web using OSS and love to capture the world through my lens.