API Security Mechanisms Compiled by: Jack - PowerPoint Presentation
Uploaded by jocelyn on 2023-11-04



Presentation Transcript

1. API Security Mechanisms
Compiled by: Jack Pugaczewsk, CenturyLink
May 17, 2019

2. Basic Authentication
Basic Authentication is similar to the standard username/password approach, where we use a username and password to authenticate to the API. Here, a Base64 encoded string that contains the username and password is sent to the client. Base-64 encoding is not an encryption method, just a way of taking binary data and turning it into text so that it can be easily transmitted.
Pros:
- Implementation is pretty simple, as there is no encryption involved
- Takes relatively less time to respond, as it has only one call
- The lack of token creation and encryption gives the client the advantage of using less code to call the API
- The information is retrieved from the server with just one call, making it faster than other, more complex authentications
Cons:
- SSL takes time to run on top of basic HTTP, so this will make the response time considerably slower
- The lack of encryption makes the security risk fairly high
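The following is an added example (not from the original slides) of both sides of Basic Authentication: the client builds the Base64 header, and the server decodes it and checks the credential with a constant-time comparison. It also shows the point the slide makes about Base64: anyone holding the header can decode it back to the password, which is why the scheme depends on TLS. The user store and the credentials are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed credential store: username -> password. Real systems store a
# salted password hash, not the password itself; this is kept simple on purpose.
USERS = {"alice": "s3cret-pass"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: encode "username:password" as Base64 for the Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str):
    """Server side (or anyone on the wire): recover (username, password) from the header.
    Returns None when the header is not a well-formed Basic credential."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The username may not contain ':', so split on the first one only;
    # everything after it is the password, which may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header: str) -> bool:
    """Server side: validate the credential against the store. hmac.compare_digest
    keeps the comparison time independent of how many leading characters matched."""
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    username, password = parsed
    expected = USERS.get(username, "")
    matched = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matched and username in USERS


if __name__ == "__main__":
    hdr = build_basic_header("alice", "s3cret-pass")
    print(hdr)                      # Base64 of "alice:s3cret-pass", not encrypted
    print(parse_basic_header(hdr))  # the password comes straight back out
    print(authenticate_basic(hdr))
```

Because `parse_basic_header` needs no key at all, the same function that the server uses to read the credential is all an eavesdropper on plain HTTP would need; the encoding adds no confidentiality.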

3. Digest Authentication
Digest Authentication is similar to Basic Authentication, with slight improvements on the authentication part. This method uses a hash function to encrypt the username and password.
Pros:
- Secure without SSL when compared with Basic Auth without SSL, due to the process of encryption.
- As usernames and passwords are encrypted, the chance of cracking them is considerably less.
Cons:
- The client must make two calls to get the output response, so it is a bit slower than HTTP Basic Authentication
- The password stored in the user DB is not strongly encrypted, so there are chances that the data may be hacked
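As an added example (not part of the original presentation), here is the RFC 2617 Digest computation with qop=auth, including the two round trips the slide mentions: the server answers the first call with a 401 and a nonce, and the second call carries a response hash computed from the password without ever sending it. The server keeps only HA1 = MD5(username:realm:password), which illustrates the last con on the slide: HA1 is an unsalted MD5 and must be protected like a password. The realm, users and nonce handling are constructed for the example; the nonce set is not expired or limited to single use, which a production server would also do.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    """MD5 hex digest of a string, the hash RFC 2617 Digest uses by default."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri) (qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces on the first (401) call, verifies the second call."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}       # username -> HA1 (constructed store)
        self.issued_nonces = set()  # nonces we handed out and still accept

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = compute_ha1(username, self.realm, password)

    def challenge(self) -> dict:
        """First call: 401 with a fresh random nonce in WWW-Authenticate."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        www = f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'
        return {"status": 401, "WWW-Authenticate": www, "nonce": nonce}

    def verify(self, method: str, params: dict) -> bool:
        """Second call: recompute the response from the stored HA1, compare in constant time."""
        ha1 = self.ha1_by_user.get(params.get("username"))
        if ha1 is None or params.get("realm") != self.realm:
            return False
        if params.get("nonce") not in self.issued_nonces:
            return False  # a nonce we never issued
        expected = compute_response(ha1, method, params["uri"], params["nonce"],
                                    params["nc"], params["cnonce"], params.get("qop", "auth"))
        return hmac.compare_digest(expected, params.get("response", ""))


def client_authorization(username: str, password: str, realm: str, method: str, uri: str,
                         nonce: str, cnonce: str, nc: str = "00000001") -> dict:
    """Client side: the Authorization parameters. The password never leaves the client."""
    ha1 = compute_ha1(username, realm, password)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri, "qop": "auth",
            "nc": nc, "cnonce": cnonce, "response": compute_response(ha1, method, uri, nonce, nc, cnonce)}


def digest_exchange(server: DigestServer, username: str, password: str,
                    method: str = "GET", uri: str = "/dir/index.html") -> int:
    """The two round trips: 401 challenge, then the authenticated request. Returns the final status."""
    chal = server.challenge()
    params = client_authorization(username, password, server.realm, method, uri,
                                  chal["nonce"], secrets.token_hex(4))
    return 200 if server.verify(method, params) else 401


if __name__ == "__main__":
    srv = DigestServer("testrealm@host.com")
    srv.add_user("Mufasa", "Circle Of Life")
    print(digest_exchange(srv, "Mufasa", "Circle Of Life"))  # 200
    print(digest_exchange(srv, "Mufasa", "wrong"))           # 401
```

The `compute_response` function reproduces the worked example from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com), so it can be checked against the published value `6629fae49393a05397450978507c4ef1`.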

4. Bearer
Also called token authentication, this is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources:
Authorization: Bearer <token>
The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).

5. API Key
Some APIs use API keys for authorization. An API key is a token that a client provides when making API calls. The key can be sent in the query string:
GET /something?api_key=abcdef12345
or as a request header:
GET /something HTTP/1.1
X-API-Key: abcdef12345
or as a cookie:
GET /something HTTP/1.1
Cookie: X-API-KEY=abcdef12345
API keys are supposed to be a secret that only the client and server know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL.
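This added example (not code from the presentation) covers slides 4 and 5 together: a server that issues opaque bearer tokens with a lifetime, and that accepts an API key from any of the three carriers the slide lists (X-API-Key header, cookie, query string). Only SHA-256 fingerprints of the secrets are stored server-side, and an unknown or expired bearer token fails closed instead of falling through to the API-key path. Client names, subjects and the request lines are constructed for the example.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed server-side stores. Only hashes of the secrets are kept, so a
# leaked store does not hand out usable keys or tokens.
API_KEYS = {}        # sha256(key) -> client name
BEARER_TOKENS = {}   # sha256(token) -> (subject, expiry as epoch seconds)


def _fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def register_api_key(client_name: str) -> str:
    """Create a random API key; the plain key is returned once, only its hash is stored."""
    key = secrets.token_urlsafe(24)
    API_KEYS[_fingerprint(key)] = client_name
    return key


def issue_bearer_token(subject: str, ttl_seconds: int, now: float = None) -> str:
    """Server answer to a login: an opaque random bearer token with a lifetime."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    BEARER_TOKENS[_fingerprint(token)] = (subject, now + ttl_seconds)
    return token


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for n, v in headers.items() if n.lower() == name.lower()), None)


def extract_api_key(request_line: str, headers: dict):
    """Find the key in the three carriers from the slide: header, cookie, query string."""
    key = _header(headers, "X-API-Key")
    if key:
        return key
    cookie_header = _header(headers, "Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "X-API-KEY" in jar:
            return jar["X-API-KEY"].value
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    query = parse_qs(urlsplit(target).query)
    if "api_key" in query:
        # Keys in the query string also end up in access logs and browser history.
        return query["api_key"][0]
    return None


def authenticate(request_line: str, headers: dict, now: float = None):
    """Return (principal, mechanism) for an authenticated request, or None.
    A Bearer header is checked first; a bad token does not fall back to the API key."""
    now = time.time() if now is None else now
    auth = _header(headers, "Authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() == "bearer":
        entry = BEARER_TOKENS.get(_fingerprint(token.strip()))
        if entry and entry[1] > now:
            return entry[0], "bearer"
        return None
    key = extract_api_key(request_line, headers)
    if key is not None:
        client = API_KEYS.get(_fingerprint(key))
        if client:
            return client, "api_key"
    return None


if __name__ == "__main__":
    k = register_api_key("billing-service")
    print(authenticate("GET /something HTTP/1.1", {"X-API-Key": k}))
    t = issue_bearer_token("alice", ttl_seconds=60)
    print(authenticate("GET /me HTTP/1.1", {"Authorization": "Bearer " + t}))
```

Looking the secret up by its SHA-256 fingerprint avoids a character-by-character comparison against every stored key, and it means the store itself is safe to back up: the random key is the secret, its hash is not.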

6. Open ID
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Pros:
- You can offload the authentication of a user to an OpenID provider such as Yahoo! or Google. Using this method, you can take advantage of the provider's large membership and security systems to log your users in to your site.
- You will not need to store user login credentials in your own database systems; rather, you simply map the OpenID user on the provider site with whatever information your application or site stores about that user.
- The straight OpenID approach is more lightweight than the hybrid auth implementation.
Cons:
- OpenID is simply an authentication service for verifying a user account state, not an authorization system like OAuth, which allows an application or service to perform actions on the user's behalf once authorized. What this means is that a simple OpenID integration will not be able to make signed requests to the provider site to get, set, or delete a user's social information.
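The "verify the identity of the End-User" step in OpenID Connect is done by validating the ID Token the provider returns. The added example below (not from the slides or from any provider's SDK) signs a minimal ID Token the way a provider would and then performs the Relying Party checks from OpenID Connect Core 1.0 section 3.1.3.7: signature, iss, aud (with azp when there are several audiences), exp and nonce. It assumes the HS256 algorithm with the client secret as the key; providers commonly use RS256 instead, which changes only the signature check, not the claim checks. The issuer, client id, nonce and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: str) -> str:
    """Provider side: JWS compact serialization of the claims, signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str, now: float = None) -> dict:
    """Relying Party side: return the verified claims or raise ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token itself is never allowed to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    # The nonce ties the token to the login request this client started.
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def check_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                   nonce: str, now: float = None) -> str:
    """'ok' or the rejection reason (base64 and JSON errors are ValueError subclasses)."""
    try:
        validate_id_token(token, client_secret, issuer, client_id, nonce, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed claims for a login at a fictional provider.
    claims = {"iss": "https://op.example.com", "sub": "248289761001", "aud": "my-app",
              "exp": 1700000300, "iat": 1700000000, "nonce": "n-0S6_WzA2Mj"}
    tok = sign_id_token(claims, "client-secret-demo")
    print(check_id_token(tok, "client-secret-demo", "https://op.example.com", "my-app",
                         "n-0S6_WzA2Mj", now=1700000000))  # ok
```

The order matters: the signature is checked before any claim is read, and the algorithm is fixed by the client rather than taken from the header, so a token that is tampered with or re-signed under a different key is rejected before its claims can influence anything.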

7. OAuth 2.0
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site to another site, without having to expose their credentials.
Pros:
- More flexible, as it can handle non-web clients as well
- Easy for developers to implement the code
- The Refresh Token concept has been added
Cons:
- In case an SSL/TLS connection is not implemented, an MITM attack may occur

8. References
https://habiletechnologies.com/blog/pros-cons-using-authentication/
https://openid.net/connect/
https://www.google.com/search?hl=en&source=hp&ei=iqPeXO3NK5LytAWszrnoCg&q=OAuth2.0+defined&oq=OAuth2.0+defined&gs_l=psy-ab.12...1512.7697..8002...0.0..0.230.2776.1j16j2....2..0....1..gws-wiz.....0..0i131j0j0i10j0i13j0i8i13i30j0i22i30.rfCczBpScz0
https://www.oreilly.com/library/view/programming-social-applications/9781449302481/ch12s02s02.html
https://swagger.io/docs/specification/authentication/api-keys/