In this blog, we will cover the authentication of Ready API. We will start with the discussion of APIs and Ready API in brief. This will help us understand the authentication in Ready API better. The blog will further discuss the types of authentication in brief. Finally, we will address the SSL client auth in detail.
Let’s dive deep into the topic🎯
Prerequisites📃
Before moving to authentication in Ready API, let us first make ourselves familiar with the concept of API and Ready API.😎
What is an API?🤷♀️
In this part, we will briefly discuss what an API is. API stands for Application Programming Interface. An API acts as intermediary software between two applications and helps them communicate. It can be understood as a messenger between the application and the user: the user sends a request, the API carries it to the server, retrieves and interprets the response, and returns the required result.
What is Ready API🤷♀️
After understanding what an API is, let us now briefly discuss Ready API. Ready API is a specific type of API whose primary purpose is to test REST (Representational State Transfer), SOAP (Simple Object Access Protocol), JMS (Java Message Service), GraphQL, and JDBC (Java Database Connectivity) services. It is easy to use and streamlines testing workflows.
What is Authentication in Ready API❓
Authentication in Ready API means the same as it does in general use: the term implies making something more secure, and we use it in the context of Ready API in the same way. Authentication in Ready API is basically a way to provide a username and a password to a service, which makes the service secure and safe from misuse. Basic authentication can be added in two ways.
1️⃣Using built-in profiles: commonly used when we want to apply different settings to different services.
2️⃣Using external profiles: external profiles let the user re-use the same authentication settings for other services.
An essential step in authentication is assigning authorization profiles to specific requests (SOAP, REST, gRPC, etc.). By default, Ready API authorizes different requests in the same project with the same authorization settings. Use authorization inheritance if you want to apply the same authorization profile to different requests.
Ways to Manage Request Authorization🤷♀️
There are primarily two ways in which you can manage your request authorization.
1️⃣Using Authorization panel.
2️⃣Using Auth manager.
This blog will look at how we can manage request authorization using the Auth manager.
The Auth manager holds the information about all the authorization profiles in the current project.
The steps to access the Auth manager are as follows:
1️⃣Go to the navigator.
2️⃣Go to the API and select any node.
3️⃣Go to the Auth and Security option in the navbar.
4️⃣Finally, select the Auth Manager option.
You will notice two sections in the Auth manager.
📍Auth manager: It helps the user access the project requests. From here, the user assigns authorization profiles to the requests.
📍Auth repository: It gives the user access to the profiles configured in the project. Here you can create, delete and edit the authorization profiles for the requests.
Types of Authentication in Ready API⭕
Ready API supports different types of authentication. We will have a look at each of the types briefly.
1️⃣Basic authentication
This type of authentication is the simplest to understand. Basic authentication means providing the service with a username and a password. It has the following authorization settings:
📌Username of the service
📌Password for the authentication of the service
📌Incoming WSS: It is used to decrypt incoming messages.
📌Outgoing WSS: It is used to process outgoing requests.
📌Domain name for the authentication
📌Pre-emptive auth: specifies whether Ready API sends the credentials with the first request or waits until the server issues an authentication challenge.
2️⃣Digest authentication
Digest authentication also means providing the service with a username and a password, but the credentials are sent in an encrypted format.
The authorization settings for digest authentication are the same as for basic authentication:
📌Username of the service
📌Password for the authentication of the service
📌Incoming WSS: It is used to decrypt incoming messages.
📌Outgoing WSS: It is used to process outgoing requests.
📌Domain name for the authentication
📌Pre-emptive auth: specifies whether Ready API sends the credentials with the first request or waits until the server issues an authentication challenge.
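The difference between the two settings, and between the Basic and Digest schemes above, is easiest to see in the headers that actually go on the wire. The following Python example is added here and is not Ready API code: it builds the Basic header (RFC 7617) and the Digest header for qop=auth (RFC 7616), and `authorization_for` mirrors the Pre-emptive auth switch, sending Basic credentials on the first request when pre-emptive and otherwise waiting for the server's WWW-Authenticate challenge and answering whichever scheme it names. The credentials and challenge values are constructed (the Digest challenge reuses the example values from RFC 2617).

```python
"""Basic and Digest Authorization headers, and the pre-emptive vs.
challenge-driven choice.  Added example, not Ready API code; the sample
credentials and challenge are constructed (RFC 2617 example values)."""
import base64
import hashlib
import re
import secrets


def basic_header(username: str, password: str) -> str:
    """RFC 7617: 'Basic ' + base64(username ':' password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_challenge(www_authenticate: str):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = www_authenticate.strip().partition(" ")
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[key.lower()] = quoted if quoted else bare
    return scheme.lower(), params


def _hasher(algorithm: str):
    # RFC 7616 allows MD5 or SHA-256 (the -sess variants are not handled here).
    if algorithm.upper().startswith("SHA-256"):
        return lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return lambda s: hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, challenge, cnonce, nc=1):
    """Compute the Digest 'response' field for qop=auth (RFC 7616, 3.4)."""
    h = _hasher(challenge.get("algorithm", "MD5"))
    ha1 = h(f"{username}:{challenge['realm']}:{password}")
    ha2 = h(f"{method.upper()}:{uri}")
    return h(f"{ha1}:{challenge['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")


def digest_header(username, password, method, uri, challenge, cnonce=None, nc=1):
    """Build the Authorization header that answers a Digest challenge."""
    qops = [q.strip() for q in challenge.get("qop", "auth").split(",")]
    if "auth" not in qops:
        raise ValueError("only qop=auth is supported")
    cnonce = cnonce or secrets.token_hex(8)  # fresh client nonce per attempt
    response = digest_response(username, password, method, uri, challenge, cnonce, nc)
    fields = [
        f'username="{username}"',
        f'realm="{challenge["realm"]}"',
        f'nonce="{challenge["nonce"]}"',
        f'uri="{uri}"',
        "qop=auth",
        f"nc={nc:08x}",
        f'cnonce="{cnonce}"',
        f'response="{response}"',
    ]
    if "opaque" in challenge:  # echoed back unchanged
        fields.append(f'opaque="{challenge["opaque"]}"')
    if "algorithm" in challenge:
        fields.append(f"algorithm={challenge['algorithm']}")
    return "Digest " + ", ".join(fields)


def authorization_for(username, password, method, uri, preemptive,
                      www_authenticate=None, cnonce=None):
    """Header to send on this attempt, or None while waiting for a challenge.

    preemptive=True: Basic credentials go out on the very first request.
    preemptive=False: nothing is sent until the server's 401 carries a
    WWW-Authenticate challenge, which is then answered in the scheme it names.
    """
    if www_authenticate is None:
        return basic_header(username, password) if preemptive else None
    scheme, challenge = parse_challenge(www_authenticate)
    if scheme == "basic":
        return basic_header(username, password)
    if scheme == "digest":
        return digest_header(username, password, method, uri, challenge, cnonce)
    raise ValueError(f"unsupported scheme: {scheme}")
```

Note that with pre-emptive auth the Basic credentials travel on every request, even ones the server would have accepted unauthenticated, so that setting belongs only on connections that are already protected by TLS.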
3️⃣NTLM authentication
NTLM stands for New Technology LAN Manager. It is used on networks whose systems run a Windows operating system. You can use both built-in and external profiles with NTLM as required.
You have to specify the username in the \DOMAIN\USERNAME format, along with the password and the domain name.
4️⃣Kerberos authentication
This type of authentication is helpful when the user wants to access a remote server but is unsure which authentication type to use. Kerberos authentication can be used with both built-in and external profiles.
5️⃣OAuth 1
OAuth 1 authentication is used to get access over the HTTP protocol; it is also used to authenticate manual access by the user. The application uses access tokens to authenticate requests.
It has the following components:
⭕User: The person who requests access is the user.
⭕Consumer: It is any website or application that uses OAuth 1.
⭕Service provider: It is a web application that enables OAuth 1.
⭕Protected resource: It is the data that the user wants to access.
OAuth 1 has mainly two types of tokens: request tokens and access tokens.
Request token: It contains the information used to ask the service to authenticate Ready API.
Access token: It is used to access the resource.
6️⃣OAuth 2.0
OAuth 2.0 deals with third-party applications: it gives a third-party application limited access to data over the HTTP protocol. It needs an access token in order to authorize access to the resource.
The four components in OAuth 2.0 are as follows:
⭕Resource server: It hosts the protected resource.
⭕Resource owner: It refers to the person who is the owner of the protected resource.
⭕Client: The user or application that sends the request.
⭕Authorization server: It issues the access tokens used for authorization.
7️⃣HTTP authentication
This is not a built-in authentication type of Ready API. It uses the authentication forms on a web page: the user needs to log in through the form to start the process, and for this purpose the user needs to set up an HTTP request.
8️⃣AWS signature authentication
AWS stands for Amazon Web Services. This type of authentication is required to add authorization to AWS services. AWS signature profiles are stored in the Auth manager tab. The components involved in AWS signature authentication in Ready API are:
⭕Access key: It specifies the access key of the API.
⭕Service name: It lists the AWS namespaces to which the requests are sent.
⭕Secret access key: An encrypted access key tied to a particular API key.
⭕Security token: It tells whether the user is using temporary security credentials.
⭕Region: It specifies the region to which the user sends the request.
⭕Headers: It adds the particular headers.
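Each of those profile fields maps onto a step of the AWS Signature Version 4 algorithm, and seeing the steps makes clear why a wrong region or service name, or a header that is not listed in SignedHeaders, produces a signature mismatch. The Python example below is added here and is not Ready API code: the access key and secret derive the signing key, region and service name form the credential scope, extra headers are canonicalised and listed in SignedHeaders, and a security token is carried as the X-Amz-Security-Token header when temporary credentials are in use. The access key, secret, host and request used in the test are constructed placeholders, not real credentials.

```python
"""AWS Signature Version 4 computed from the profile fields.  Added example,
not Ready API code; keys, host and request in any caller are placeholders."""
import hashlib
import hmac
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_request(method, path, query, headers, payload_hash):
    """Return (canonical request text, SignedHeaders value) per the SigV4 rules."""
    # Query parameters: URI-encoded and sorted by name.
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    # Header names lower-cased; values trimmed with inner whitespace collapsed.
    canon = {k.strip().lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    ch = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    text = "\n".join([method.upper(), quote(path, safe="/-_.~") or "/",
                      cq, ch, signed, payload_hash])
    return text, signed


def signing_key(secret_key, date, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, amz_date, extra_headers=None, payload=b"", security_token=None):
    """Produce the signed headers for one request; amz_date is 'YYYYMMDDTHHMMSSZ'."""
    headers = {"host": host, "x-amz-date": amz_date}
    headers.update(extra_headers or {})
    if security_token:  # temporary credentials must send their session token
        headers["x-amz-security-token"] = security_token
    payload_hash = sha256_hex(payload)
    creq, signed = canonical_request(method, path, query, headers, payload_hash)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return {"headers": headers, "canonical_request": creq,
            "string_to_sign": string_to_sign, "scope": scope, "signature": signature}
```

The secret access key never leaves the client; only the HMAC signature does, and because the signing key is scoped to one date, region and service, a captured signature cannot be replayed against another service or on another day.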
SSL Client Auth✅
After learning the basics of authentication in Ready API and its types, let us now discuss SSL client auth in detail. SSL stands for Secure Sockets Layer. It is a standard certificate that indicates the security of a network, and Ready API also makes use of SSL to ensure safety on its platform. When an HTTP connection is set up, a certificate is needed from the server to indicate that the connection is secure. The client sends its SSL certificate once the identity is established.
Requirements🙄
1️⃣The user must use a valid certificate that can be trusted.
2️⃣The certificate should have a digital signature and an expiration date.
3️⃣The certificate file must also include the root certificate.
Using SSL Client Certificates For All Requests
1️⃣Go to File in Ready API.
2️⃣Click on Preferences.
3️⃣Open the SSL page.
4️⃣Here, specify the Keystore and the Keystore password.
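The keystore configured in that preference page supplies the client's own certificate and key, but a client-auth setup is only safe when the client also verifies the server it is talking to. The Python example below is added here and is not Ready API code: Ready API reads the client identity from a Java keystore, whereas Python's ssl module takes PEM files, so the file paths are hypothetical placeholders. It shows the hardened client context (server chain and hostname verified, TLS 1.2 or later, client certificate presented when asked) beside the insecure variant that skips verification, and a small PEM check for requirement 3 above, that the certificate file bundles its chain. The PEM text used in the checks is constructed.

```python
"""Client-side TLS context for SSL client auth (mutual TLS).  Added example,
not Ready API code.  File paths are hypothetical placeholders; PEM text
passed to the chain check is constructed."""
import ssl


def client_context(ca_bundle=None, client_cert=None, client_key=None, key_password=None):
    """Hardened context: verify the server chain and hostname, require TLS 1.2+,
    and present the client certificate when the server requests one."""
    # cafile=None falls back to the platform trust store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED  # expired or untrusted server certs fail the handshake
    if client_cert:
        # certfile may hold the leaf followed by its intermediates and root,
        # matching the "file must include the root certificate" requirement.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key, password=key_password)
    return ctx


def insecure_context():
    """Anti-pattern, shown for contrast: skips all server verification, so an
    expired, self-signed or wrong-host certificate is silently accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise the settings that decide whether the server is authenticated."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def pem_certificate_count(pem_text: str) -> int:
    """Count certificate blocks in a PEM file."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def chain_is_bundled(pem_text: str) -> bool:
    """True when the file carries more than the leaf, i.e. its chain is included."""
    return pem_certificate_count(pem_text) >= 2


if __name__ == "__main__":
    print(describe(client_context()))
    print(describe(insecure_context()))
```

When converting a Java keystore for use outside Ready API, export the full chain and confirm with `chain_is_bundled` that more than one certificate block came out; a file holding only the leaf is the usual cause of a server rejecting the client certificate as untrusted.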
We hope you are now well versed with authentication of Ready API🎯
Frequently Asked Questions
What are the three types of SSL authentication certificates?
The types of SSL authentication certificates are extended validation, domain validation, and organization validation.
Who provides SSL authentication?
Certificate authorities (CAs) issue SSL authentication certificates. A CA is responsible for everything related to SSL authentication.
What are the two types of access tokens in OAuth 2.0?
The two types of access tokens in OAuth 2.0 are bearer tokens and MAC tokens. MAC tokens are more secure than bearer tokens.
What are refresh tokens?
Refresh tokens are used when the user requires a new access token because the old one has expired.
What do you mean by scope in OAuth 2.0?
Scope tells the level of ownership the user has of the protected resource. A scope can grant only read access in some cases or write access in others.
Conclusion
In this blog, we discussed authentication in Ready API. We first looked at APIs and Ready API to make ourselves comfortable with the topic. The blog then explored the meaning of authentication in Ready API and its types. In the end, we discussed SSL client auth in detail.