Authentication and Authorization
Authentication vs. Authorization #
Authentication and Authorization are two fundamental concepts in API security. While they are related, they serve different purposes in the process of controlling access to resources.
- Authentication: This is the process of verifying the identity of a user or system. In API testing, it ensures that the client (who is making the request) is who they claim to be.
- Authorization: This is the process of verifying whether the authenticated user has permission to perform a specific action or access a particular resource.
Example Scenario #
Let’s consider a simple example of an online library API:
- The API has resources such as books, users, and borrowing history.
- Certain actions, like viewing all books, might be available to all users, while others, like borrowing a book, might be restricted to authenticated users.
- Additionally, only users with specific roles (e.g., librarians) can add or remove books from the library.
1. Authentication Example #
Suppose the API uses Token-Based Authentication (e.g., JWT – JSON Web Tokens).
Steps: #
- The user logs in by sending their credentials (e.g., username and password) to the API’s /login endpoint.
- The API validates the credentials and, if they are valid, returns a signed JWT.
- The user includes this token in the Authorization header of subsequent API requests.
Request Example: #
POST /login HTTP/1.1
Host: api.library.com
Content-Type: application/json
{
"username": "john_doe",
"password": "password123"
}
Response: #
HTTP/1.1 200 OK
Content-Type: application/json
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
For further requests, the token is included like this:
GET /books HTTP/1.1
Host: api.library.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
2. Authorization Example #
Now that the user is authenticated, we need to check if they have the right permissions (authorization) to perform certain actions.
Example: Borrowing a Book #
- Only authenticated users can borrow books. Additionally, a user might be allowed to borrow only a certain number of books at a time.
Request Example: #
POST /borrow-book HTTP/1.1
Host: api.library.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json
{
"book_id": "12345"
}
Possible Responses:
1. Success:
HTTP/1.1 200 OK
Content-Type: application/json
{
"message": "Book borrowed successfully"
}
2. Unauthorized (No token or invalid token):
HTTP/1.1 401 Unauthorized
Content-Type: application/json
{
"error": "Invalid or missing token"
}
3. Forbidden (User has already borrowed the maximum allowed number of books):
HTTP/1.1 403 Forbidden
Content-Type: application/json
{
"error": "You have reached your borrowing limit"
}
Testing Authentication and Authorization #
When testing APIs:
Authentication Tests:
- Ensure that requests without a token or with an invalid token are rejected.
- Test the login endpoint with valid and invalid credentials.
Authorization Tests:
- Ensure that users without the required permissions are blocked from performing restricted actions.
- Test access control by checking that users can only access the resources they are authorized to access.
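A minimal, self-contained implementation of the token issue/verify step and the /borrow-book handler above, added here as an example (it is not the page's own code or any library's API): it mints and checks an HS256 JWT with the standard library, then applies the borrowing-limit check, and returns the 200/401/403 bodies listed in the authorization example. SECRET, USERS and BORROW_LIMIT are constructed stand-ins, and the same functions are what the authentication and authorization tests listed above would call.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the library API's signing secret and user store (not real config).
SECRET = b"constructed-demo-secret"
BORROW_LIMIT = 3
USERS = {"john_doe": {"borrowed": 0}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, ttl: int = 3600, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT (header.payload.signature), as /login would after a valid login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str):
    """Authentication: return the claims only if alg, signature and expiry all check out."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never accept 'none' or any algorithm the server does not issue
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None  # constant-time comparison of the signature
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token of any kind is treated as no token

def borrow_book(headers: dict, body: dict):
    """POST /borrow-book: authenticate, then authorize, then act. Returns (status, json body)."""
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    user = USERS.get(claims["sub"]) if claims else None
    if user is None:
        return 401, {"error": "Invalid or missing token"}
    if user["borrowed"] >= BORROW_LIMIT:
        return 403, {"error": "You have reached your borrowing limit"}
    user["borrowed"] += 1  # body["book_id"] would be recorded in the borrowing history here
    return 200, {"message": "Book borrowed successfully"}
```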
Summary #
- Authentication is about verifying identity (e.g., using a username and password).
- Authorization is about verifying permissions (e.g., whether the authenticated user can borrow a book).
Both are crucial in ensuring the security and proper functioning of an API.