
RESTful API with Authentication (Part 1)


A RESTful API is an interface built on HTTP, and we usually need to control who may call it. Strictly speaking these are authentication schemes rather than encryption (protecting the content on the wire is the job of TLS, i.e. HTTPS, whichever scheme is chosen). Three are common in practice:

1. HTTP Basic Authentication
HTTP natively supports a simple authentication scheme: the client adds a header field Authorization: Basic em1rOjEyMzQ1Ng==, so clients can log in with a username and password. Here, em1rOjEyMzQ1Ng== is not encrypted at all; it is only the Base64 encoding of username:password (this one decodes to zmk:123456), so anyone who can read the header can read the credentials. In practice, we DON'T recommend this approach: Base64 is trivially reversible, and the password travels with every single request, so it is only acceptable over HTTPS and even then it exposes the raw password to every proxy and log that sees the header.

2. Access Token
When a client logs in with the correct username and password, the server generates a random Access Token and assigns an expiry date to it. Every request the client makes must carry the Access Token, and the server verifies it on each call. When the client logs out, the server destroys (revokes) the token.

The benefit of this approach is that it is easy to add to existing resources, but the drawback is obvious too. The token is a bearer credential: whoever holds it is the user. If it is sent over plain HTTP it can be captured with tools such as Wireshark and replayed, and if the server sets the expiry date too far in the future, a captured token lets an attacker fetch any of that user's resources for as long as the token lives. Keep lifetimes short, allow server-side revocation, and never send tokens without TLS.
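The token lifecycle described above (login issues a random token with an expiry, every request is checked against it, logout revokes it), as an added example in Python that is not part of the original post. The in-memory TokenStore, the USERS table, the PBKDF2 password hashing and the injectable clock are all assumptions made for the demo, and the single user record is constructed.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; a real service uses per-user salts and tunes the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user table: username -> (salt, password hash). Not real data.
_DEMO_SALT = b"demo-salt-do-not-reuse"
USERS = {"alice": (_DEMO_SALT, hash_password("correct horse", _DEMO_SALT))}


class TokenStore:
    """Issues opaque bearer tokens, enforces expiry and supports revocation on logout."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}           # token -> (username, expiry as epoch seconds)

    def login(self, username, password):
        """Verify credentials; on success issue a fresh random token with an expiry."""
        record = USERS.get(username)
        # Hash even for unknown users so the response time does not reveal which usernames exist.
        salt, stored = record if record else (_DEMO_SALT, bytes(32))
        candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        self._tokens[token] = (username, self.clock() + self.ttl)
        return token

    def authenticate(self, token):
        """Return the username for a valid, unexpired token, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self._tokens[token]         # expired: purge it so it can never be replayed
            return None
        return username

    def logout(self, token):
        """Server-side revocation: once removed, a captured copy of the token is useless."""
        self._tokens.pop(token, None)
```

Note what the store does not do: nothing here stops a captured token from being used before it expires or is revoked, which is exactly the weakness described above. A short ttl_seconds bounds that window, and TLS is what keeps the token from being captured in the first place.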

3. API Key + Security Key + Sign
This approach is commonly used and can be divided into a few steps:

  • Step 1: The user logs in successfully and the server returns an api_key (a public identifier) and a security_key (a shared secret kept on both sides and never sent over the wire again);
  • Step 2: On the user's (client) side, security_key, api_key, api_endpoint, timestamp and request_parameters are combined into a sign, typically an HMAC keyed with security_key over a canonical serialisation of the other four fields;
  • Step 3: Whenever the user makes a new request, sign, api_key, api_endpoint, timestamp and request_parameters are sent to the server (security_key itself is never transmitted);
  • Step 4: The server takes these five fields, looks up the security_key belonging to api_key, rejects the request if the timestamp falls outside an accepted window (which bounds how long a captured request can be replayed), then recomputes the sign and compares it in constant time with the one received.
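The four steps above carried through in Python, with both the client side (issue, sign, build) and the server side (verify), as an added example that is not the post's own code. The canonical string layout, HMAC-SHA256 as the sign function, the CREDENTIALS table and the 300-second timestamp window are assumptions made for the demo; the endpoint and parameters used in the usage call are constructed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Server-side table of issued credentials: api_key -> security_key (assumed storage; demo only).
CREDENTIALS = {}


def issue_credentials():
    """Step 1: after a successful login the server hands back api_key and security_key."""
    api_key = secrets.token_hex(16)
    security_key = secrets.token_hex(32)
    CREDENTIALS[api_key] = security_key
    return api_key, security_key


def canonical_string(api_key, api_endpoint, timestamp, params):
    """Deterministic serialisation; client and server must build byte-identical input."""
    query = urlencode(sorted(params.items()))   # sort so dict ordering cannot change the sign
    return "\n".join([api_key, api_endpoint, str(timestamp), query])


def sign_request(security_key, api_key, api_endpoint, timestamp, params):
    """Step 2: HMAC-SHA256 keyed with the shared secret over the canonical request."""
    message = canonical_string(api_key, api_endpoint, timestamp, params).encode()
    return hmac.new(security_key.encode(), message, hashlib.sha256).hexdigest()


def build_request(api_key, security_key, api_endpoint, params, now=None):
    """Step 3: the five fields the client actually sends (security_key stays at home)."""
    timestamp = int(now if now is not None else time.time())
    return {
        "api_key": api_key,
        "api_endpoint": api_endpoint,
        "timestamp": timestamp,
        "params": params,
        "sign": sign_request(security_key, api_key, api_endpoint, timestamp, params),
    }


def verify_request(req, now=None, max_skew=300):
    """Step 4: look up the secret, check the timestamp window, recompute and compare the sign."""
    api_key = req.get("api_key", "")
    security_key = CREDENTIALS.get(api_key)
    if security_key is None:
        return False, "unknown api_key"
    now = now if now is not None else time.time()
    try:
        timestamp = int(req["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - timestamp) > max_skew:          # bounds the replay window
        return False, "timestamp outside window"
    expected = sign_request(security_key, api_key, req.get("api_endpoint", ""),
                            timestamp, req.get("params", {}))
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected, str(req.get("sign", ""))):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    key, secret = issue_credentials()
    request = build_request(key, secret, "/v1/orders", {"id": "42", "page": "1"})
    print(verify_request(request))                               # (True, 'ok')
    tampered = dict(request, params={"id": "43", "page": "1"})
    print(verify_request(tampered))                              # (False, 'bad signature')
```

Two caveats a practitioner should keep in mind. First, the timestamp window only limits replay; within the window an identical captured request still verifies, so production schemes add a per-request nonce that the server remembers until the window closes. Second, everything that influences the server's behaviour (endpoint, parameters, and the body of a POST) must be inside the canonical string, otherwise an attacker can change the unsigned part while keeping a valid sign.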

A closely related signed-token format is JWT, where the server signs a JSON payload (usually with an HMAC or an asymmetric key) instead of the client signing every request. In the next article, I will demonstrate how JWT works with some simple examples.

Related Post: RESTful API with Authentication (Part 2)