API Security Basics

APIs are interfaces through which clients interact with a system. Clients know only the interface and nothing about its implementation. An interface can have more than one implementation, and clients written against the interface can switch between implementations seamlessly and painlessly.

APIs are a common way to expose business functionality to the rest of the world. They can be implemented at different layers and over different protocols. In this article, "API" refers mostly to REST APIs, which are the most widely used today; for a back-end developer, building REST APIs is part of the daily routine.

Now let's have a look at API security concepts; in the second part, I will implement some of these concepts using Java technologies.

When security is discussed, three main elements are considered first: confidentiality, integrity and availability (CIA).

Confidentiality

Confidentiality means protecting data from unintended recipients. It is achieved by encrypting both the transport channel and the stored data. For APIs, where the transport channel is HTTP, the channel is secured with SSL/TLS. For storage, you can use disk-level encryption or application-level encryption.

Integrity

Integrity is a guarantee of data’s correctness and trustworthiness and the ability to detect any unauthorized modifications. It ensures that data is protected from unauthorized alteration, modification, or deletion.

Availability

Security also means keeping the system up and running. One aim of a security design is to make the system highly available by protecting it from illegitimate access attempts, for example DDoS attacks.

To achieve CIA, the concepts of authentication, authorization and non-repudiation are applied.

Let's look at their definitions briefly, then dig into implementation for APIs.

Authentication

Authentication is the process of verifying a user's identity. It answers the question "who are you?"

Authorization

Authorization is the process of determining what you are permitted to do.

Non-repudiation

Whenever you perform a business transaction via an API after proving your identity, you should not be able to later deny (repudiate) having done it.

HTTP Basic Authentication

Authentication can be applied in different ways. The first one is basic authentication.

In basic authentication, a web server can refuse a request and challenge the client for a valid username and password. Instead of 200, the server returns a 401 status code and names the security realm being accessed in the WWW-Authenticate response header; you can see what kind of authentication is required by checking this header. When a browser receives this response, it opens a dialog box requesting the username and password. The client then sends them back to the server inside an Authorization request header, encoded in base64. Be careful: this is encoding, not encryption, so basic authentication should not be used without SSL/TLS.
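The challenge and response described above, as an added Python example (not code from the article, whose implementation part is planned in Java). The realm name, the user "alice" and her password are constructed sample values. The server side shows the storage pattern a practitioner would want next to the protocol: the password is kept only as a salted PBKDF2 hash and compared in constant time, and decoding the header shows why base64 offers no confidentiality on its own.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

REALM = "api"  # assumed realm name for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so the server never has to store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: one sample account, stored as salt + PBKDF2 hash only.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_SALT, hash_password("s3cret", _SALT))}


def challenge() -> dict:
    """The 401 response the server sends when credentials are absent or wrong."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def encode_basic(username: str, password: str) -> str:
    """Client side: build the Authorization header value. Base64 is reversible."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from the header; anyone on the wire can do this too."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(headers: dict) -> dict:
    """Server side: check the request headers and return 200 or a 401 challenge."""
    header = headers.get("Authorization")
    creds = decode_basic(header) if header else None
    if creds is None:
        return challenge()
    user, password = creds
    record = USERS.get(user)
    if record is None:
        hash_password(password, _SALT)  # same cost for unknown users: no timing hint
        return challenge()
    salt, expected = record
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return challenge()
    return {"status": 200, "user": user}


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": encode_basic("alice", "s3cret")}))
    print(decode_basic(encode_basic("alice", "s3cret")))  # the password is plainly recoverable
```

Run it directly to see the 401 challenge, the successful 200, and the decoded credential pair; the last line is the reason the header must only ever travel over TLS.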

HTTP Digest Authentication

Digest authentication overcomes some limitations of basic authentication. Instead of sending the password merely encoded, the client sends an MD5 hash derived from it, and the server validates the password by applying the same MD5 computation to its own copy and comparing the two results.
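The digest exchange in working form, as an added Python example that is not the article's own code. It follows the RFC 2617 construction with qop=auth (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2)); the realm, user and password are constructed sample values. The server stores only HA1, recomputes the response for the request it actually received, and rejects a replayed header by requiring the nonce count to increase.

```python
import hashlib
import hmac
import secrets
from typing import Dict

REALM = "api"  # assumed realm name for this example


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample user. The server stores only HA1 = MD5(user:realm:password),
# never the plaintext password.
USERS_HA1: Dict[str, str] = {"alice": md5_hex(f"alice:{REALM}:s3cret")}


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (the values used here contain no commas)."""
    _, _, rest = header.partition(" ")
    params: Dict[str, str] = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params


class DigestServer:
    def __init__(self) -> None:
        self.nonces: Dict[str, int] = {}  # issued nonce -> highest nonce count accepted so far

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        hdr = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
        return {"status": 401, "headers": {"WWW-Authenticate": hdr}}

    def verify(self, method: str, uri: str, authorization: str) -> dict:
        """Recompute the response for the request actually received and compare in constant time."""
        p = parse_digest(authorization)
        ha1 = USERS_HA1.get(p.get("username", ""))
        nonce = p.get("nonce", "")
        if ha1 is None or nonce not in self.nonces:
            return self.challenge()
        try:
            nc = int(p.get("nc", ""), 16)
        except ValueError:
            return self.challenge()
        if nc <= self.nonces[nonce]:  # replayed or out-of-order nonce count
            return self.challenge()
        expected = digest_response(ha1, method, uri, nonce, p.get("nc", ""),
                                   p.get("cnonce", ""), p.get("qop", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return self.challenge()
        self.nonces[nonce] = nc
        return {"status": 200, "user": p["username"]}


def client_authorization(username: str, password: str, method: str, uri: str,
                         www_authenticate: str, nc: str = "00000001") -> str:
    """Client side: answer the challenge. The header carries hashes, never the password."""
    c = parse_digest(www_authenticate)
    ha1 = md5_hex(f"{username}:{c['realm']}:{password}")
    cnonce = secrets.token_hex(8)
    resp = digest_response(ha1, method, uri, c["nonce"], nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


if __name__ == "__main__":
    server = DigestServer()
    ch = server.challenge()
    auth_header = client_authorization("alice", "s3cret", "GET", "/orders", ch["headers"]["WWW-Authenticate"])
    print(auth_header)
    print(server.verify("GET", "/orders", auth_header))
    print(server.verify("GET", "/orders", auth_header))  # same header again: rejected
```

Because the response also covers the method and URI, a captured header cannot be reused against a different endpoint, and the nonce-count check stops it being reused against the same one.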

Identity Delegation

These two authentication methods are old-fashioned. Token-based authentication methods have become popular, and identity delegation is one of them.

To log in to an application, a common third-party application (mostly a social media app) can be used. It is basically something like logging in to an e-commerce application with your Facebook account.

OAuth2

OAuth2 is the standard for identity delegation in API security. OAuth2 defines several roles and concepts: resource owner, client, authorization server, protected resource and access token.

The resource owner is the end user who acts. The client is the application the end user wants to use. The authorization server is the party that handles authorization. The protected resource is the resource the client wants to use. The access token is the token the client presents to reach protected resources.

OAuth lets the application act on behalf of the resource owner. When an end user wants to use the client application, the client first redirects the user to the authorization server. Once the end user has granted access rights to the client, the authorization server redirects the user back to the client's callback URL with a verification code. The client then sends a request with the verification code to the access-token endpoint of the authorization server to get the access token. From then on, the client can access protected resources using this access token.
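The flow above with both sides' messages in one runnable piece, as an added Python example that is not the article's code (its planned implementation is in Java). The client id "shop-web", its secret, the callback URL and the scope name are constructed assumptions. Going a little beyond the paragraph, the authorization server applies the checks a defender expects of each step: a code is issued only to a registered client at its exact registered callback URL, it expires quickly and can be exchanged once, the token endpoint authenticates the client, and the protected resource checks both the token and its scope.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed client registration (assumed names): the client was registered at the
# authorization server with a secret and an exact callback URL.
CLIENTS = {
    "shop-web": {"secret": "shop-web-secret-example", "redirect_uri": "https://shop.example/callback"},
}


class AuthorizationServer:
    def __init__(self) -> None:
        self.codes: Dict[str, dict] = {}   # verification code -> what it was issued for
        self.tokens: Dict[str, dict] = {}  # access token -> owner, scope, expiry

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  owner: str, approved: bool) -> Optional[str]:
        """Steps 1-2: the owner has logged in here and approved (or refused) the client.
        Returns the URL the user is redirected back to, or None if the client or its
        callback URL is not registered (a code must never be sent to an unknown URL)."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None
        if not approved:
            return f"{redirect_uri}?error=access_denied"
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "owner": owner, "expires": time.time() + 60}
        return f"{redirect_uri}?code={code}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Step 3: the client exchanges the verification code for an access token."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # single use: a replayed code fails
        if (grant is None or grant["expires"] < time.time()
                or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"owner": grant["owner"], "scope": grant["scope"],
                              "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token: str) -> Optional[dict]:
        info = self.tokens.get(token)
        return None if info is None or info["expires"] < time.time() else info


class ProtectedResource:
    def __init__(self, auth_server: AuthorizationServer) -> None:
        self.auth_server = auth_server
        self.orders = {"alice": ["order-1", "order-2"]}  # constructed data

    def get_orders(self, headers: dict) -> dict:
        """Step 4: accept only a valid bearer token whose scope covers this resource."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        info = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if info is None:
            return {"status": 401, "headers": {"WWW-Authenticate": 'Bearer realm="api"'}}
        if "orders:read" not in info["scope"].split():
            return {"status": 403}
        return {"status": 200, "body": self.orders.get(info["owner"], [])}


def run_flow(auth: AuthorizationServer, resource: ProtectedResource) -> dict:
    """The whole exchange for the sample client acting for the resource owner 'alice'."""
    reg = CLIENTS["shop-web"]
    redirect = auth.authorize("shop-web", reg["redirect_uri"], "orders:read", "alice", approved=True)
    code = redirect.split("code=", 1)[1]  # the client reads this from its callback URL
    tok = auth.token("shop-web", reg["secret"], code, reg["redirect_uri"])
    return resource.get_orders({"Authorization": f"Bearer {tok['access_token']}"})


if __name__ == "__main__":
    auth = AuthorizationServer()
    print(run_flow(auth, ProtectedResource(auth)))
```

The in-memory dictionaries stand in for the authorization server's database; in a real deployment the code and token stores are shared state, and the resource server usually validates tokens either through a token-introspection endpoint or by verifying a signed token locally.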
