Scribd
Upload
9 views

Different Types of Auth for API

Uploaded by

Sanjeev Kumar Sahu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
9 views

Different Types of Auth for API

Uploaded by

Sanjeev Kumar Sahu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

Different Types of

Authentication in Rest Assured


BHAVIN THUMAR

IN

bhavin-thumar
Authentication vs. Authorization:
Understanding the Basics

Authentication means verifying a user's or


application's identity when accessing an API. It
tries to answer the question, “Who are you?”.

Common authentication methods include Basic


Auth, Digest Auth, OAUTH, API keys, Bearer tokens,
and more. Proper authentication ensures that only
legitimate users gain entry.

Authorization usually happens after authentication


and is the process of granting or denying access
based on a user’s or application’s permissions. It
answers the question, “What are you allowed to
do?”.

bhavin-thumar
HTTP Status Codes 401 and 403

When dealing with authentication and authorization,


you’ll often encounter two HTTP status codes: 401
Unauthorised and 403 Forbidden.

401 Unauthorised: This code signifies that the


client lacks valid authentication credentials. In
other words, the client needs to provide valid
credentials to proceed.
403 Forbidden: The 403 code indicates that the
client’s authentication credentials are valid, but
they don’t have the necessary permissions to
access the requested resource. It’s a firm denial
of access.

bhavin-thumar
Different Authentication Methods
in Rest Assured:

1. Basic Authentication:

Basic Authentication, a straightforward method


employed in web apps and APIs, entails sending
credentials (username and password) with every
request to validate the requester’s identity. This
approach, widely supported and easy to implement,
is often used to secure resources. It’s preferred
when simplicity and efficiency are paramount.

Through .auth().basic(“username”, “password”),


Rest Assured configures the request with your
credentials.

bhavin-thumar
2. Pre-emptive Authentication

Pre-emptive Authentication is an authentication


strategy employed in HTTP clients to proactively
send authentication credentials with the initial
request, rather than waiting for the server to
respond with a 401 Unauthorized status code.

In the context of Rest Assured and other HTTP


client libraries, pre-emptive authentication means
sending authentication credentials in the very first
request, even before receiving any response from
the server. This can be especially useful when
dealing with APIs that require authentication for
every request and do not challenge with a 401
status code.

By using .preemptive() before .basic(), Rest Assured


takes the initiative in including the credentials.

bhavin-thumar
3. Digest Authentication

Digest Authentication is an authentication


mechanism used in HTTP to enhance the security
of Basic Authentication. It addresses some of the
security vulnerabilities present in Basic
Authentication, such as the transmission of
credentials in plain text, by using a more secure
approach. Digest Authentication challenges the
client with a server-generated nonce (a unique
token) and requires the client to respond with a
hashed value of the nonce, username, password,
and other request-specific information.

Through .digest(“username”, “password”), Digest


Authentication is configured.

bhavin-thumar
4. OAuth2 Authentication:

OAuth2 (Open Authorization 2.0) is a widely used


authorization framework that allows applications to
obtain limited access to user accounts on behalf of
a third-party application. It’s commonly used to
enable secure and controlled access to APIs and
resources without exposing the user’s credentials.

OAuth2 involves various roles, including the


resource owner (user), client application (third-party
app), authorization server (handles authentication
and issues access tokens), and resource server
(holds the protected resources). The process
revolves around obtaining an access token, which
serves as a temporary authorization token that
allows the client application to access specific
resources on behalf of the user.

bhavin-thumar
5. OAuth Authentication

OAuth1, often referred to simply as OAuth, is an


earlier version of the OAuth protocol that focuses
on granting third-party applications limited access
to user resources on various online services. It’s
designed to enable secure access to resources
without the need for sharing the user’s actual
credentials (username and password) with the
third-party application.

OAuth1 authentication involves three main parties:


the user (resource owner), the client application
(consumer), and the resource server (service
provider).

Through .oauth(), you provide the required


credentials.

bhavin-thumar

You might also like