on 24-Jan-2023 08:00
API is a critical part of most of our modern applications. In this article we will walkthrough the different authentication types, to help us in the future articles covering NGINX Management Suite API Connectivity Manager authentication and NGINX Single Sign-on.
This separate article will cover the different authentication types and how they work with clients and servers.
It may sound a bit basic, but getting back to the basic concepts help us understand, innovate and develop more secure designs.
Authentication, is the act of validating that users are whom they claim to be.
Authorization, is the process of giving a user the permission access/ perform specific function.
Below, we will explore the different API authentication types,
HTTP Basic authentication, is a method for user agent (e.x Browser) to provide credentials to a web server. The request contains a specific header to provide base64 encoded credentials.
Credentials are already shared with the clients before clients can access the server using this method.
Example, Authorization: Basic <credentials>
An API key is a token that a client provides when making API calls. not to conflict this method with secure tokens generated via OAuth, in this type, the API keys are generated whether at the application or API key server, then those keys are distributed to the clients to be used for accessing the application.
API Key can be inserted in different location in the HTTP request,
Bearer Authentication can be considered an early step to token authentication mechanisms, it depends on initial users credentials to validate them and issue a time limited token for a specific service.
At first sight, the question might be why we are referencing authorization yet we are discussing authentication.
Let's check the basic definition, OAuth is an open standard for access delegation, commonly used for internet users (untrusted medium) to grant websites (resource server) access to user information at other websites (OAuth authorization server) without providing their passwords.
Performing Authentication via OAuth can be referred to as (Pseudo-authentication),and it's very similar to OIDC Authentication approach which will be discussed in the following section.
In the previous section, we explored the idea of OAuth token authentication, and using API gateway whenever it recieves a request it starts the redirection process to the Identity provider and receive the SAML insertion response back that verifies the user and then the user is allowed to access a protected resource.
In Token introspection, API gateway receives the token from the OAuth client and communicate with the Authorization server to query meta information regarding the presented token for example (If the token still active, the access privilege and the authorization context).
OpenID is an open standard for decentralized authentication, It allows authentication by (Relying sites) using third-party providers (Identity Providers) to eliminate the need for application owners to create their own login systems and allow the users to use different applications without passing their credentials over internet to different entities.
OIDC is built on top of OAuth2.0 framework, that explains the common parts we can see between both frameworks.
The main difference observed between OAuth vs OIDC can be explained in the following example,
In this article, we went through the common API Authentication types, the following articles will cover use cases for API authentication whether directly through NGINX Plus or API Connectivity Manager.