Within the domain of API automation, safeguarding communication channels against unauthorised access is of great importance. This safeguarding is accomplished through the use of authentication and authorization. These concepts form the bedrock upon which secure API interactions are built.
In this blog, we’ll embark on a journey to understand authentication and authorization, and further explore their seamless implementation using Rest Assured. Rest Assured streamlines the automation of authentication processes within API testing. Whether it’s sending Basic Authentication headers, handling OAuth2 token exchange, or incorporating API keys, Rest Assured simplifies the inclusion of these authentication mechanisms into your test scripts. By integrating authentication into your automated tests, you ensure that your APIs’ security is not compromised during the testing process.
The code examples use Rest Assured, as it is one of the most widely used API automation libraries in the QA world.
Authentication vs. Authorization: Understanding the Basics
Authentication means verifying the identity of a user or application attempting to access an API. It basically tries to answer the question, “Who are you?”.
Common authentication methods include Basic Auth, Digest Auth, OAuth, API keys, Bearer tokens, and more. Proper authentication ensures that only legitimate users gain entry.
Authorization usually happens after authentication and is the process of granting or denying access based on a user’s or application’s permissions. It basically answers the question, “What are you allowed to do?”.
Authorization prevents unauthorised users from accessing sensitive data or performing restricted actions. For instance, attempting to access administrative data using regular user credentials would be refused with a 403 Forbidden status.
HTTP Status Codes 401 and 403
When dealing with authentication and authorization, you’ll often encounter two HTTP status codes: 401 Unauthorized and 403 Forbidden.
- 401 Unauthorized: This code signifies that the client lacks valid authentication credentials. In other words, the client needs to provide valid credentials to proceed.
- 403 Forbidden: The 403 code indicates that the client’s authentication credentials are valid, but they don’t have the necessary permissions to access the requested resource. It’s a firm denial of access.
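As an added example (not code from the original post), the following Rest Assured script checks that an API keeps the two codes apart: no credentials must produce a 401 together with a WWW-Authenticate challenge (which RFC 7235 requires on every 401), a valid but low-privilege account must produce a 403, and only the admin account gets a 200. The base URI, the /admin/users path and the two accounts are assumptions for the illustration.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.notNullValue;

import io.restassured.RestAssured;

public class AuthStatusCodeCheck {

    // Assumed endpoint; replace with a protected path in your own test environment.
    static final String ADMIN_ENDPOINT = "/admin/users";

    public static void main(String[] args) {
        RestAssured.baseURI = "https://api.example.com";   // assumed base URI

        // 1. No credentials at all: the server must challenge, not serve the data.
        //    A 401 without a WWW-Authenticate header is a server bug worth catching.
        given()
        .when()
            .get(ADMIN_ENDPOINT)
        .then()
            .statusCode(401)
            .header("WWW-Authenticate", notNullValue());

        // 2. Valid credentials of an ordinary user (assumed account):
        //    authenticated, yet not permitted, so 403 rather than 401.
        given()
            .auth().preemptive().basic("regular.user", "regular-password")
        .when()
            .get(ADMIN_ENDPOINT)
        .then()
            .statusCode(403);

        // 3. Admin credentials (assumed account): the only case that should succeed.
        given()
            .auth().preemptive().basic("admin.user", "admin-password")
        .when()
            .get(ADMIN_ENDPOINT)
        .then()
            .statusCode(200);
    }
}
```

Running the three requests in this order turns the 401/403 distinction into a regression test: if a deployment ever starts answering the unauthenticated request with 403 (or the low-privilege one with 200), the script fails immediately.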
Different Authentication Methods in Rest Assured
In the realm of API automation with Rest Assured, the variety of authentication methods available to you ensures that you can precisely simulate diverse security scenarios. One pivotal distinction lies in understanding OAuth vs. OAuth2 – two authorization protocols that have transformed how applications access resources on behalf of users.
1. Basic Authentication:
Basic Authentication, a straightforward method employed in web apps and APIs, entails sending credentials (username and password) with every request to validate the requester’s identity. This approach, widely supported and easy to implement, is often used to secure resources. It’s preferred when simplicity and efficiency are paramount.
    import static io.restassured.RestAssured.given;
    import io.restassured.response.Response;

    // Challenged Basic auth: Rest Assured sends the credentials only after the
    // server has replied 401 with a WWW-Authenticate challenge.
    Response resp = given()
        .auth().basic("username", "password")
        .when().get("https://api.example.com/resource");

Through .auth().basic("username", "password"), Rest Assured configures the request with your credentials.
2. Pre-emptive Authentication
Pre-emptive Authentication is an authentication strategy employed in HTTP clients to proactively send authentication credentials with the initial request, rather than waiting for the server to respond with a 401 Unauthorized status code.
In the context of Rest Assured and other HTTP client libraries, pre-emptive authentication means sending authentication credentials in the very first request, even before receiving any response from the server. This can be especially useful when dealing with APIs that require authentication for every request and do not challenge with a 401 status code.
    // Pre-emptive Basic auth: the Authorization header is attached to the very first request.
    Response resp1 = given()
        .auth().preemptive().basic("username", "password")
        .when().get("https://api.example.com/resource");

By using .preemptive() before .basic(), Rest Assured takes the initiative in including the credentials.
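The following added example (not code from the original post or from Rest Assured) shows what .basic() actually puts on the wire and how the challenged and pre-emptive forms differ in practice. The Authorization header for Basic auth is just "Basic " followed by base64 of "user:password"; base64 is an encoding, not encryption, so this scheme is only acceptable over TLS. The endpoint and credentials are assumed sample values.

```java
import static io.restassured.RestAssured.given;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthWireFormat {

    // Assumed endpoint and sample credentials (not real ones).
    static final String RESOURCE = "https://api.example.com/resource";
    static final String USER = "username";
    static final String PASS = "password";

    /** Exactly the header value Rest Assured builds for .basic(user, pass). */
    static String basicHeader(String user, String pass) {
        String raw = user + ":" + pass;
        return "Basic " + Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Anyone who can read the request can decode this value again, hence TLS only.
        System.out.println("Header on the wire: " + basicHeader(USER, PASS));

        // Challenged mode: the first request carries NO Authorization header. The
        // credentials are sent in a second request only if the server answers 401
        // plus WWW-Authenticate. Two round trips, and an API that replies 403 or 404
        // instead of 401 never receives the credentials at all.
        given().log().headers()
            .auth().basic(USER, PASS)
        .when().get(RESOURCE)
        .then().statusCode(200);

        // Pre-emptive mode: the header is on the first (and only) request, which is
        // what most token- or key-protected APIs expect.
        given().log().headers()
            .auth().preemptive().basic(USER, PASS)
        .when().get(RESOURCE)
        .then().statusCode(200);

        // Hand-built equivalent of the pre-emptive form, useful when you need full
        // control over the header (for example to test a deliberately malformed one).
        given().header("Authorization", basicHeader(USER, PASS))
        .when().get(RESOURCE)
        .then().statusCode(200);
    }
}
```

The .log().headers() calls print the request headers so you can see for yourself that the challenged variant leaves Authorization out of the first request; if a test against a non-challenging API unexpectedly fails with 401 or 403, switching to .preemptive() is the usual fix.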
3. Digest Authentication
Digest Authentication is an authentication mechanism used in HTTP to enhance the security of Basic Authentication. It addresses some of the weaknesses of Basic Authentication, such as the transmission of credentials in plain text, by never sending the password itself. Digest Authentication challenges the client with a server-generated nonce (a unique token) and requires the client to respond with a hashed value derived from the nonce, username, password, and other request-specific information.
    // Digest auth is challenge-based: Rest Assured answers the server's nonce with the hashed response.
    Response resp2 = given()
        .auth().digest("username", "password")
        .when().get("https://api.example.com/resource");

Through .digest("username", "password"), Digest Authentication is configured.
4. OAuth2 Authentication:
OAuth2 (Open Authorization 2.0) is a widely used authorization framework that allows a third-party application to obtain limited access to a user’s account. It’s commonly used to enable secure and controlled access to APIs and resources without exposing the user’s credentials.
OAuth2 involves various roles, including the resource owner (user), client application (third-party app), authorization server (handles authentication and issues access tokens), and resource server (holds the protected resources). The process revolves around obtaining an access token, which serves as a temporary authorization token that allows the client application to access specific resources on behalf of the user.
    // Sends "Authorization: Bearer access_token" with the request.
    Response resp3 = given()
        .auth().oauth2("access_token")
        .when().get("https://api.example.com/resource");

With .oauth2("access_token"), Rest Assured automatically integrates the token into the request.
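In real test suites the token is rarely a constant: it is obtained from the authorization server first and then passed to .oauth2(). The following added example (not from the original post) does that with the client-credentials grant (RFC 6749, section 4.4), fails fast if the token request does not succeed, and adds a negative check that a tampered token is rejected. The token endpoint, client id, scope and resource URL are assumptions; the client secret is read from an environment variable rather than hard-coded.

```java
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.equalToIgnoringCase;

import java.util.Objects;
import io.restassured.response.Response;

public class OAuth2ClientCredentialsCheck {

    // Assumed values; take the real ones from your authorization server's metadata.
    static final String TOKEN_URL    = "https://auth.example.com/oauth2/token";
    static final String RESOURCE_URL = "https://api.example.com/resource";
    static final String CLIENT_ID    = "my-test-client";
    static final String CLIENT_SECRET = Objects.requireNonNull(
            System.getenv("CLIENT_SECRET"), "set CLIENT_SECRET in the environment");

    /** Obtain an access token with the client-credentials grant. */
    static String fetchAccessToken() {
        Response tokenResp = given()
                // The client authenticates to the token endpoint with HTTP Basic.
                .auth().preemptive().basic(CLIENT_ID, CLIENT_SECRET)
                .contentType("application/x-www-form-urlencoded")
                .formParam("grant_type", "client_credentials")
                .formParam("scope", "resource:read")          // assumed scope name
            .when()
                .post(TOKEN_URL);

        // Fail here with a readable message instead of carrying a null token into every test.
        if (tokenResp.statusCode() != 200) {
            throw new IllegalStateException("Token request failed: "
                    + tokenResp.statusCode() + " " + tokenResp.asString());
        }
        // token_type is compared case-insensitively, as the RFC allows "bearer" or "Bearer".
        tokenResp.then().body("token_type", equalToIgnoringCase("Bearer"));
        return tokenResp.jsonPath().getString("access_token");
    }

    public static void main(String[] args) {
        String token = fetchAccessToken();

        // Positive case: Rest Assured sends "Authorization: Bearer <token>".
        given()
            .auth().oauth2(token)
        .when().get(RESOURCE_URL)
        .then().statusCode(200);

        // Negative case: a token with even one altered character must be rejected.
        given()
            .auth().oauth2(token + "x")
        .when().get(RESOURCE_URL)
        .then().statusCode(401);
    }
}
```

Fetching the token once per run (for example in a test-suite setup method) keeps the authorization server out of every individual test, while the negative case documents that the resource server really validates the token rather than just checking that a Bearer header is present.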
5. OAuth Authentication
OAuth1, often referred to simply as OAuth, is an earlier version of the OAuth protocol that focuses on granting third-party applications limited access to user resources on various online services. It’s designed to enable secure access to resources without the need for sharing the user’s actual credentials (username and password) with the third-party application.
OAuth1 authentication involves three main parties: the user (resource owner), the client application (consumer), and the resource server (service provider).
    // OAuth 1.0a: Rest Assured signs the request with the consumer and token credentials.
    Response resp4 = given()
        .auth().oauth("consumerKey", "consumerSecret", "accessToken", "secretToken")
        .when().get("https://api.example.com/resource");

Through .oauth(), you provide the required credentials: the consumer key and secret, and the access token and its token secret.
OAuth1 vs OAuth2: A Closer Look
In the realm of securing APIs and enabling controlled access to user resources, OAuth1 and OAuth2 stand as prominent players. While they share the same fundamental purpose, these two protocols diverge in their approaches and mechanisms. Let’s delve into their differences and understand how they shape the landscape of authorization.
OAuth1 Example
OAuth1, the predecessor to OAuth2, revolves around the concept of allowing third-party applications to access user resources. One of its distinguishing features is its utilisation of signatures to authenticate requests. This involves generating a signature that encapsulates various parameters, effectively vouching for the integrity of the request.
For instance, when a third-party application seeks access to a user’s resources, it crafts a signature that encompasses elements like the HTTP method, request URI, and credentials. This signature serves as a cryptographic seal, ensuring that the request remains unaltered and genuine.
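To make the signature concrete, here is an added example (written for this page, not Rest Assured’s own implementation, which delegates the signing to a library) that builds the OAuth 1.0 signature base string from the method, the request URL and the sorted parameters, computes the HMAC-SHA1 signature with the consumer secret and token secret, and then shows that changing a single covered parameter invalidates it. All key, token and parameter values are constructed sample data.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuth1Signature {

    /** RFC 5849 section 3.6 percent-encoding, stricter than URLEncoder's form encoding. */
    static String pct(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    /** Signature base string: METHOD & encoded base URL & encoded, sorted, normalized params. */
    static String baseString(String method, String baseUrl, TreeMap<String, String> params) {
        StringBuilder normalized = new StringBuilder();
        params.forEach((k, v) -> {
            if (normalized.length() > 0) normalized.append('&');
            normalized.append(pct(k)).append('=').append(pct(v));
        });
        return method.toUpperCase() + "&" + pct(baseUrl) + "&" + pct(normalized.toString());
    }

    /** HMAC-SHA1 over the base string, keyed with "consumerSecret&tokenSecret". */
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = pct(consumerSecret) + "&" + pct(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials. The base URL excludes the query string;
        // query parameters are signed through the parameter list instead.
        String baseUrl = "https://api.example.com/resource";
        TreeMap<String, String> params = new TreeMap<>();   // TreeMap gives the required key ordering
        params.put("oauth_consumer_key", "consumerKey");
        params.put("oauth_token", "accessToken");
        params.put("oauth_signature_method", "HMAC-SHA1");
        params.put("oauth_timestamp", "1700000000");
        params.put("oauth_nonce", "abc123");
        params.put("oauth_version", "1.0");
        params.put("id", "42");   // an ordinary query parameter is covered by the signature too

        String base = baseString("GET", baseUrl, params);
        String signature = sign(base, "consumerSecret", "secretToken");
        System.out.println("base string: " + base);
        System.out.println("signature:   " + signature);

        // Alter one covered parameter and recompute: the signatures no longer match,
        // which is exactly what the resource server checks on every request.
        params.put("id", "43");
        String tamperedSignature = sign(baseString("GET", baseUrl, params), "consumerSecret", "secretToken");
        System.out.println("signature still matches after tampering: " + signature.equals(tamperedSignature));
    }
}
```

The final line prints false: the nonce and timestamp are part of the signed parameters as well, which is what keeps a captured request from being replayed later with the same signature.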
OAuth2 Example
In contrast to its predecessor, OAuth2 boasts a more streamlined and user-centric approach. Rather than delving into the intricacies of signature generation, OAuth2 emphasises token-based authentication. This approach prioritises both security and user-friendliness.
Imagine a scenario where a user wishes to grant an application access to their resources. OAuth2 orchestrates a dance between three main players: the user, the application, and the authorization server. Through this dance, the application receives an access token, a short-lived, opaque credential. This token, akin to a digital permission slip, grants the application limited access to the user’s resources without revealing sensitive credentials.
Conclusion
In conclusion, authentication and authorization are vital elements in the API automation landscape. They secure your API interactions and ensure that only authorised users access specific resources. With Rest Assured, you can seamlessly integrate various authentication methods, enabling you to create robust and secure automation scripts. So, whether you’re using Basic Auth, OAuth, or any other method, Rest Assured empowers you to automate authentication and authorization in your API tests with ease.