In this article of the REST with Spring series, we take an overview of RESTful authentication. We will look at four different approaches to authenticating REST API clients, along with the pros and cons of each.
REST APIs are becoming the backbone of many modern enterprise applications, and they carry huge volumes of data of varying kinds (think of the Netflix or Google REST APIs). Security, and specifically protecting that data, is therefore an important topic. Put simply, we want a mechanism in place that authenticates the client-server communication of the REST API. Let's quickly look at what RESTful authentication is and what it is not.
1. Authentication vs. Authorization
While working on security design you will hear these two words often. The concepts are orthogonal and independent, but both are central to security design, and a good understanding of both ensures robust security for your REST API. Let's see the basic difference between the two terms:
Authentication: the process of ensuring that somebody really is who they claim to be. It is like checking your credentials or ID.
Authorization: the process of determining who may do what. In other words, it checks whether you have permission to perform the action you are requesting.
This gives you a high-level idea of the two terms (they deserve a separate post). In this post we will only talk about the different options for RESTful authentication.
2. RESTful API Authentication
Let's talk about the common methods used for RESTful authentication. We will cover these approaches:
- HTTP Basic Authentication
- Cookies and Session
- OAuth 2.0 (Token in HTTP Header)
- API Keys
2.1. HTTP Basic Authentication
This is the most basic method for REST APIs. The client adds the username and password, joined by a colon and encoded in Base64, to a special HTTP header. Here is a basic snapshot:
    GET / HTTP/1.1
    Host: www.javadevjournal.com
    Authorization: Basic YWRtaW46bmltYQ==
This is the easiest implementation, and it is supported by default in modern browsers and most REST clients. Let's see the HTTP basic authentication workflow:
This seems easy, but the approach has several limitations or drawbacks:
- Base64 is only an encoding, not encryption; the actual username and password are transmitted (over HTTPS) to the server.
- The username and password must be sent on every request.
- It is an easy target for a man-in-the-middle attack.
I do not recommend this for enterprise REST APIs. It may be useful for validation on an internal network.
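To make the "Base64 is not encryption" point concrete, here is an added example (not code from the article or from the REST with Spring project) of what the server side of HTTP basic authentication has to do: parse the Authorization header, decode it, and compare the password against a stored hash in constant time. The credential store, the salt and the use of SHA-256 are assumptions made for a dependency-free example; a real service would use bcrypt or Argon2. The sample header is the one shown in the article.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: username -> salted SHA-256 of the password.
# SHA-256 with a static salt is used only to keep the example dependency-free;
# real code should use a slow, per-user-salted hash such as bcrypt or Argon2.
_SALT = b"example-salt"
USERS = {
    "admin": hashlib.sha256(_SALT + b"nima").hexdigest(),
}
# Compared against when the user does not exist, so lookups for unknown and
# known users take about the same time.
_DUMMY_HASH = hashlib.sha256(_SALT + b"").hexdigest()


def build_basic_header(username, password):
    """Build the Authorization value a client sends (the inverse of decode_basic_header)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value):
    """Parse an 'Authorization: Basic <base64>' value into (username, password).

    Returns None when the header is missing, uses another scheme, or is malformed.
    Note that nothing here is secret: anyone who sees the header can do this.
    """
    if header_value is None:
        return None
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header_value):
    """Return the authenticated username, or None if the credentials are rejected."""
    creds = decode_basic_header(header_value)
    if creds is None:
        return None
    username, password = creds
    presented = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    expected = USERS.get(username)
    if expected is None:
        hmac.compare_digest(_DUMMY_HASH, presented)  # burn comparable time
        return None
    # Constant-time comparison so the response time does not leak which bytes matched.
    return username if hmac.compare_digest(expected, presented) else None


if __name__ == "__main__":
    header = "Basic YWRtaW46bmltYQ=="  # the header value from the article
    print("decoded:", decode_basic_header(header))
    print("authenticated as:", authenticate_basic(header))
```

Decoding the article's sample header yields the plain username and password, which is exactly why this scheme is only acceptable over TLS: the transport, not the encoding, is what protects the credentials.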
2.2. Session using Cookies
Cookies can also be used for RESTful authentication between client and server. This approach resembles HTTP basic authentication in that client information is sent to the REST API on each request, with one difference:
- The server handles the session state behind the cookie.
The client sends the cookie back to the REST API on every request. Session and cookies are used as follows:
- The REST API session maps a key to a user id.
- The key counts as valid if a session exists for it.
- Authentication happens by sending the key as a cookie on every request and checking whether the session exists and is valid.
This approach violates a basic principle of RESTful APIs by keeping session state on the server side: our API is no longer stateless when we use server-side sessions.
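The three bullets above describe a server-side session table keyed by a random cookie value. The following added example (not the article's code) implements that table with expiry, a minimal Cookie header parser, and the Set-Cookie attributes a defender would want; the cookie name SESSIONID, the TTL and the sample user id are assumptions. The last check in the main block shows the statelessness problem the article points out: a second server instance that does not share the table cannot recognise the key.

```python
import secrets
import time

COOKIE_NAME = "SESSIONID"  # assumed cookie name


class SessionStore:
    """Server-side session table: session key -> (user id, expiry timestamp)."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}
        self._ttl = ttl_seconds

    def create(self, user_id, now=None):
        """Start a session for user_id and return its unguessable key."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 bits of randomness, URL/cookie safe
        self._sessions[key] = (user_id, now + self._ttl)
        return key

    def lookup(self, key, now=None):
        """Return the user id for a live session, or None (expired sessions are dropped)."""
        now = time.time() if now is None else now
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires = entry
        if now >= expires:
            del self._sessions[key]
            return None
        return user_id

    def destroy(self, key):
        """Logout: forget the session so the cookie value becomes useless."""
        self._sessions.pop(key, None)


def parse_cookie_header(header_value):
    """Parse 'Cookie: a=1; b=2' into a dict (minimal; no quoted values)."""
    cookies = {}
    if not header_value:
        return cookies
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def set_cookie_header(key):
    """Set-Cookie value for a new session: not readable by script, HTTPS only, no cross-site sends."""
    return f"{COOKIE_NAME}={key}; Path=/; HttpOnly; Secure; SameSite=Strict"


def authenticate_cookie(store, cookie_header, now=None):
    """Return the user id bound to the request's session cookie, or None."""
    key = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    if key is None:
        return None
    return store.lookup(key, now)


if __name__ == "__main__":
    node_a = SessionStore(ttl_seconds=60)
    key = node_a.create("user-42")  # constructed user id
    print("Set-Cookie:", set_cookie_header(key))
    print("node A sees:", authenticate_cookie(node_a, f"{COOKIE_NAME}={key}"))
    node_b = SessionStore(ttl_seconds=60)  # a second instance without the shared table
    print("node B sees:", authenticate_cookie(node_b, f"{COOKIE_NAME}={key}"))
```

Because the key is meaningless without the table, every API instance must reach the same store (or sticky routing must pin a client to one instance), which is the operational cost of a stateful design.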
2.3. OAuth 2.0
OAuth is becoming the standard for REST API security. It is an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications. There are two versions of this framework:
- OAuth 1.0
- OAuth 2.0
I will not go into the differences between the two, as there are several resources with all the details. OAuth 2.0 supersedes the work done on the original protocol and simplifies several of the workflows it introduced.
OAuth puts the token in the HTTP header for RESTful authentication. This is what the request looks like:
    GET /resource/1 HTTP/1.1
    Host: javadevjournal.com
    Authorization: Bearer uM_xxx-xxxxxxxxx
Keep in mind that it serves both authentication and authorization.
This is how OAuth works end to end for RESTful authentication:
- The user logs in to the system. The system requests authentication in the form of a token.
- The authorization server handles the authentication.
- On successful authentication, the user/REST client gets a token.
- The rest of the communication happens using the access token.
There are several benefits of using this framework for your REST API security:
- It is a more secure and flexible system for authentication and authorization.
- It allows you to control data access using different scopes.
- It supports cross-system authentication.
It is not stateless, since it relies on details of the HTTP transmission.
2.4. API Keys
This was the most common method in the early days, and some APIs still use it for authentication. Here is a high-level workflow for this approach:
- The developer logs in to the service and gets an API key.
- The client passes the API key as part of every request.
- The API validates the key and serves the request if the key is valid.
This is how the key is passed in the request header:
Authorization: Apikey 8723745abcdef
One of the major benefits of this approach is its simplicity: get the API key and you have everything you need to access the API. There are, however, several problems with this method:
- An API key grants full access to the API. There is no notion of scope, as highlighted in the OAuth section.
- Misuse of the API key can wipe out all the data.
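The OAuth section says scopes let you control what a token may do, and the API key section says keys have no such notion. The added example below (not the article's or any OAuth library's code) makes the contrast runnable: a minimal authorization server mints an HMAC-signed bearer token carrying a subject, a scope list and an expiry, the resource server verifies it and enforces the scope per request, and beside it an API key check accepts the article's sample key for any operation because the key table has no scope column. The signing key, the token format (base64url JSON body plus HMAC-SHA256 signature, not a standards-compliant JWT), the scope names and the key owner are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key shared by the authorization server and the resource
# server; a real deployment keeps this in a KMS/HSM or uses asymmetric keys.
SIGNING_KEY = b"example-signing-key-do-not-use"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64url(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(subject, scopes, issued_at, ttl=3600):
    """Authorization server side: mint '<claims>.<signature>' limited to the granted scopes."""
    claims = {"sub": subject, "scope": sorted(scopes), "exp": issued_at + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token, now):
    """Resource server side: return the claims if the signature is valid and unexpired, else None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_sign(body), sig):  # check the signature before trusting the body
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


def authorize_bearer(auth_header, required_scope, now):
    """Parse 'Authorization: Bearer <token>', verify it and enforce required_scope."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    claims = verify_token(token.strip(), now)
    if claims is None or required_scope not in claims.get("scope", []):
        return None
    return claims["sub"]


def _key_hash(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed API key table, storing only hashes of the keys. Note: no scope column.
API_KEY_HASHES = {_key_hash("8723745abcdef"): "developer-1"}


def authorize_apikey(auth_header, required_scope=None):
    """Parse 'Authorization: Apikey <key>'. required_scope is ignored: a valid key can do anything."""
    scheme, _, key = (auth_header or "").partition(" ")
    if scheme.lower() != "apikey" or not key.strip():
        return None
    presented = _key_hash(key.strip())
    for stored, owner in API_KEY_HASHES.items():
        if hmac.compare_digest(stored, presented):
            return owner
    return None


if __name__ == "__main__":
    tok = issue_token("alice", ["read:profile"], issued_at=1000)
    print("bearer, read:", authorize_bearer("Bearer " + tok, "read:profile", now=1500))
    print("bearer, write:", authorize_bearer("Bearer " + tok, "write:profile", now=1500))
    print("apikey, write:", authorize_apikey("Apikey 8723745abcdef", "write:profile"))
```

The bearer token is rejected for a scope it was not granted and after expiry, and any modification to the token breaks the signature; the API key, by contrast, is either valid for everything or nothing, which is the all-or-nothing risk the article warns about.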
3. Best Option
There are several methods for RESTful authentication, and the best one depends on your use case. Our recommendation is the OAuth framework, which is powerful and flexible and provides both authorization and authentication. If you are working on an internal application and do not want to set up the entire workflow, HTTP basic authentication may be enough for you.
In this article we covered the different methods for RESTful authentication and looked at each method with its pros and cons. In the next articles we will take a deeper look at each of these methods and implement them in Spring Boot tutorials.