In the previous articles we learned what a client and a server are, how they use HTTP to talk to each other, and how a data format is defined so that they understand each other. A question probably remains in our heads: how does the server know which client it is talking to? Today we will talk about security standards for API authentication.
Identity verification in the virtual world
Suppose you have registered an account at a website. Two pieces of information are indispensable: the username and the password. Together they are known as "credentials", and the next time you want to enter the website you have to show that "passport".
Logging in with a username and password is an example of a process called Authentication. When you prove your identity to a server, you provide information that only you and the server know (not counting the case of sharing each other's fb accounts :v). Once the server knows who you are, it trusts you and allows you access to the information inside.
In an API, there are many techniques for handling this Authentication step. They are called Authentication schemes.
Basic API Authentication
The example mentioned above is the most basic form of Authentication; its standard name is Basic Authentication, abbreviated "Basic Auth". Basic Auth requires only a username and a password. The client enters these two pieces of information and sends them to the server in an HTTP header, the Authorization header.
When the server receives a request, it looks at the Authorization header and compares that information with the credentials it stores in the DB. If they match, the server accepts the client's request and returns the data the client asked for in the response body. If they do not, the server returns a 401 code, signalling that authentication failed and the request was denied.
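To make the exchange concrete, here is an added example (not code from the original article) of both sides of Basic Auth in Python: the client packs `username:password` as Base64 into the `Authorization` header, and the server parses that header, compares it with a constructed in-memory credential store, and answers 200 or 401. The usernames, passwords and the `CREDENTIALS` dictionary are constructed sample data, and `check_basic_auth` is a hypothetical server handler, not a framework API.

```python
import base64
import hmac

# Constructed sample credential store (username -> password). A real server stores
# a password hash rather than the plaintext; plaintext is used here only to mirror
# the article's description of comparing the header against stored credentials.
CREDENTIALS = {"alice": "s3cr3t-pa55w0rd"}


def build_basic_auth_header(username: str, password: str) -> str:
    """Client side: 'username:password', Base64-encoded, prefixed with the scheme name."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(headers: dict) -> tuple:
    """Server side: inspect the Authorization header and return (status_code, body)."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return 401, "Unauthorized: missing or malformed Authorization header"

    # validate=True rejects stray characters instead of silently ignoring them.
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, "Unauthorized: Authorization header is not valid Base64"

    # The username may not contain ':'; the password may, so split on the first one only.
    username, sep, password = decoded.partition(":")
    if not sep:
        return 401, "Unauthorized: credentials must be 'username:password'"

    stored = CREDENTIALS.get(username)
    # Constant-time comparison so response timing does not reveal how much of the
    # password matched. An unknown user is still compared so the timing is the same.
    expected = (stored if stored is not None else "").encode("utf-8")
    if stored is None or not hmac.compare_digest(expected, password.encode("utf-8")):
        return 401, "Unauthorized: bad username or password"

    return 200, f"Hello {username}, here is the data you asked for"


if __name__ == "__main__":
    header = build_basic_auth_header("alice", "s3cr3t-pa55w0rd")
    print(header)
    print(check_basic_auth({"Authorization": header}))
    print(check_basic_auth({"Authorization": build_basic_auth_header("alice", "wrong")}))
    print(check_basic_auth({}))
```

Base64 is an encoding, not encryption: anyone who can read the header can recover the password, which is why Basic Auth is only acceptable over TLS.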
Although Basic Auth is a frequently used technique, in practice it is not ideal to use the same username and password both to access the API and to manage the account. It is like a hotel giving guests a bunch of keys to the whole hotel instead of the key to one room.
API Key Authentication
API Key Authentication is a technique that addresses the weakness of the Basic Auth model above. Instead of handing the customer a whole bunch of keys, the hotel owner gives the customer exactly one key: the key to their room. An API key is usually a long string of numbers and letters; it is unique and separate from the password.
When the client authenticates with an API key, the server knows to allow that client access to the data. So where does the API key go in the request? We might expect it to sit in the same header as Basic Auth above, but in fact it goes wherever the programmer wants, because there is no standard. It can be placed in a header, in the URL (http://example.com?api_key=my_secret_key), or in the body, and wherever you put it, the effect is the same.
Thank you for reading.
To see more articles about API testing, please follow this link.