API Design Security - II
Explore essential API security concepts including authentication and authorization mechanisms, from HTTP Basic and API keys to JWTs and OAuth 2.0 frameworks. Understand OpenID Connect, SAML, and cybersecurity models like Zero Trust and WAAP. This lesson helps you design secure APIs while balancing performance and protecting against evolving threats across public and private API scopes.
Authentication and authorization
API security hinges on two complementary mechanisms:
Authentication verifies who the user is, typically via credentials like usernames and passwords. APIs can also use additional techniques, which well explore below.
Authorization controls what an authenticated user can access. A user may be authorized to view a Google Doc but not edit it.
Consider a banking API: without authentication, an impostor could access another user's account. Without authorization, there would be no way to enforce that individual users and organizational accounts have different privilege levels, such as access to different functions or rate-limited API calls.
HTTP basic authentication
HTTP basic authentication is the simplest scheme: it encodes the client's username and password in Base64 and includes the result in the Authorization header. For a user "Bob" with the password "thefarmer," the header value follows a set template:
Authorization: Basic Qm9iOnRoZWZhcm1lcg==
Note: The
Authorizationrequest header represents the username and password asBob:thefarmer, encoded in Base64. TheBasickeyword before the encoded text signifies basic authentication.
The flow proceeds as follows:
The client sends a request to the server.
The server cannot authenticate the client, rejects the request, and returns a
WWW-Authenticateresponse header that prompts for credentials.The client resends the request with its Base64-encoded username and password in the
Authorizationheader.The server verifies the credentials and allows the request through.
What is the purpose of the realm keyword in the WWW-Authenticate header?
The advantages and disadvantages of HTTP basic authentication are as follows:
HTTP Basic Authentication Advantages and Disadvantages
Authentication Mechanism | Advantages | Disadvantages |
HTTP basic authentication |
|
|
Because of these drawbacks, HTTP Basic authentication has largely fallen out of use in APIs.
API keys
API keys address these shortcomings by replacing encoded credentials with a uniquely generated string that the API provider issues to each consumer or application. API keys identify the application, not the end user, so they require additional security measures for safe transmission and are typically used alongside other authentication mechanisms.
Note: API keys can't authenticate end users, only the application sending the request. For end-user authentication, they're typically used alongside other protocols.
Key-generation methods vary. Some APIs produce random strings with additional encoding and padding, while others increase the bit length to reduce predictability and expand the key space. The goal is always to generate unique, unguessable keys. Heres an example of what an API key might look like:
znri4QCgaBmYA4Sdsf45SEBPSrPQF7Ow7Uffd7
With API key authentication, the application includes its assigned key in a request header. The server looks up the key in its database to verify the application. An example of API key generation is shown below:
API keys offer several benefits over HTTP Basic authentication:
Applications can hold multiple keys per account.
Keys can be refreshed and regenerated easily.
Because the key is separate from the users credentials, a compromised key does not expose the users password.
Keys can be revoked immediately if compromised.
Keeping API keys secret is critical. If an attacker obtains one, the server cannot distinguish the attacker from the legitimate application.
Why is HTTP Basic authentication considered stateless, and what are the trade-offs related to system simplicity, security, and usability?
Use the AI assessment widget below to submit your solution and get an interactive response.
The advantages and disadvantages of API keys are as follows:
API Keys Advantages and Disadvantages
Authentication Mechanism | Advantages | Disadvantages |
API keys |
|
|
JSON Web Token (JWT)
An example of a decoded JWT header:
The header specifies the hashing algorithm (for example, HS256) and the token type (JWT). The payload contains claims about the user, such as the name, issuer, and expiration:
The signature verifies the token's legitimacy and message integrity. It is generated by signing the encoded header and payload, plus a secret (known only to the issuing entity), with the algorithm specified in the header. The recipient recalculates and compares the signatures to detect tampering.
An example of a signature representation:
Note: The header and payload are Base64-encoded and separated by a period (
.). The ...