Best Practices for Securing Your REST API Authentication Options

REST (Representational State Transfer) APIs (Application Programming Interfaces) are a convenient and easy way to give external programs access to your application’s data and features. Those external applications can then read and update data in your application automatically on behalf of your users.

Maintaining security is important when relying on a REST API, and there are many ways to authenticate a user’s identity before allowing them to access your API endpoint. While it is possible to create a RESTful API that is open to the public, the recommended best practice is to restrict each API endpoint to only the users who should have access to it. In this article, we discuss a number of methods for authenticating a user to your API endpoint.

Note that all access to API endpoints SHOULD require SSL/TLS (HTTPS) so that a user’s authentication data is not exposed to anyone able to observe the traffic.

Here are some of the best practices for securing your REST API:

Ensuring Client Security with Third-Party Certificates

By requiring third-party (CA-issued) client certificates, you can verify that the server or servers connecting to your API are the ones you expect. This method is best used when you have a predefined set of servers that are going to access your API. It is an extremely reliable option, but the process of acquiring and distributing a certificate for each user makes it impractical unless you need high-level security for a limited user base.
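As an added illustration (not code from the original article), the following Python shows the server-side TLS setting that makes this method work: the context must be configured to require a client certificate that chains to a trusted CA, and the verified certificate's subject is then mapped to an identity. The CA file path and the `batch-worker-01` common name are constructed placeholders, and the `require_client_cert=False` variant is included only to show the weak setting beside the correct one.

```python
import ssl


def make_client_auth_context(ca_file=None, require_client_cert=True):
    """Build a server-side TLS context for an API that authenticates callers by
    client certificate. ca_file is the CA bundle that is allowed to vouch for
    clients (hypothetical path supplied by the deployer)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # Refuse legacy protocol versions regardless of certificate settings.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_client_cert:
        # CERT_REQUIRED: the handshake fails unless the client presents a
        # certificate that validates against the loaded CA(s).
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # Weak setting shown for contrast: any client is accepted and
        # getpeercert() returns nothing usable for identifying the caller.
        ctx.verify_mode = ssl.CERT_NONE
    if ca_file:
        # Restrict trust to your own CA rather than the system default store,
        # so only certificates you issued (or explicitly trust) are accepted.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def context_is_strict(ctx):
    """True when the context both demands a client certificate and refuses TLS < 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def common_name(peer_cert):
    """Extract the subject commonName from a certificate dict in the shape
    returned by SSLSocket.getpeercert(): a tuple of RDNs, each a tuple of
    (attribute, value) pairs. Only meaningful when the context used
    CERT_REQUIRED, because otherwise the chain was never validated."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    strict = make_client_auth_context()
    print("strict context:", context_is_strict(strict))
    # Constructed example of what getpeercert() returns for a verified client.
    sample_cert = {"subject": ((("organizationName", "Example Corp"),),
                               (("commonName", "batch-worker-01"),))}
    print("caller identity:", common_name(sample_cert))
```

The identity lookup is deliberately separate from the TLS setup: the certificate only proves that the caller holds a key your CA vouched for, and the mapping from common name to an API principal (and its permissions) still belongs in your own authorization tables.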

HTTP Basic Authentication Through Accounts

This is the standard username-and-password method. The user sends a predefined username and password with their request, and you authenticate them based on that combination. It is commonly used when you want to give a user direct access to their own data through an account, without any additional steps.
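As an added example (not part of the original article), here is a minimal server-side check for an `Authorization: Basic ...` header in Python. It decodes the header, looks the user up in a constructed store that holds only salted PBKDF2 hashes rather than passwords, and compares in constant time; the user `alice` and her password are constructed sample data.

```python
import base64
import hashlib
import hmac
import os


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store for the example.
USERS = {"alice": make_user("correct horse battery staple")}


def parse_basic_header(header):
    """Return (username, password) from a Basic header value, or None if malformed."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate_basic(header):
    """Return the authenticated username, or None on any failure."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    username, password = creds
    user = USERS.get(username)
    # Always run the hash, even for unknown users, so response timing does not
    # reveal which usernames exist.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["hash"] if user else hash_password("", salt)
    candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    return username if (user is not None and matched) else None


def basic_header(username, password):
    """What a client sends: base64(username:password), which is why TLS is mandatory."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(authenticate_basic(basic_header("alice", "correct horse battery staple")))  # alice
    print(authenticate_basic(basic_header("alice", "wrong password")))                # None
```

`basic_header` exists only to show that the credentials travel merely Base64-encoded, not encrypted, which is the reason the article's TLS requirement is not optional for this method.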

Authentication Through HTTP Digest

This is a variation of Basic authentication in which the password is not sent directly: the client sends a hash of the password combined with a server-supplied nonce (an arbitrary string), so the value changes with each challenge. The server runs the same hashing algorithm using the original password it holds and checks that the hash the client supplied matches. This lets the server authenticate the user without the plain-text password being included in the request.
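The following Python, added here as an illustration rather than taken from the article, walks through the Digest exchange with `qop=auth` as defined in RFC 2617 on both sides: the server issues a nonce, the client computes its response from the username, realm, password, nonce, method and URI, and the server recomputes the same value from a stored hash. MD5 is used because that is what the RFC specifies; the realm, user and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

REALM = "api@example.com"  # constructed realm for the example


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# The server stores HA1 = MD5(username:realm:password), never the password itself.
SERVER_HA1 = {"alice": md5_hex(f"alice:{REALM}:s3cret")}

# Nonces the server has handed out and not yet consumed.
ISSUED_NONCES = set()


def issue_nonce():
    """Server challenge: a fresh unpredictable nonce sent in WWW-Authenticate."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return nonce


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, nonce):
    """What the client sends back; the password is hashed locally, never transmitted."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": REALM, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, nonce, nc, cnonce),
    }


def verify_digest(method, params):
    """Server check: recompute the response from the stored HA1 and compare."""
    ha1 = SERVER_HA1.get(params.get("username", ""))
    nonce = params.get("nonce", "")
    if ha1 is None or params.get("realm") != REALM or nonce not in ISSUED_NONCES:
        return False
    expected = digest_response(
        ha1, method, params.get("uri", ""), nonce,
        params.get("nc", ""), params.get("cnonce", ""), params.get("qop", "auth"),
    )
    ok = hmac.compare_digest(expected, params.get("response", ""))
    if ok:
        # Consume the nonce so a captured Authorization header cannot be replayed.
        ISSUED_NONCES.discard(nonce)
    return ok


if __name__ == "__main__":
    nonce = issue_nonce()
    header = client_authorization("alice", "s3cret", "GET", "/orders", nonce)
    print("password in header:", "s3cret" in str(header))  # False
    print("verified:", verify_digest("GET", header))          # True
    print("replay accepted:", verify_digest("GET", header))   # False
```

Because the method and URI are folded into HA2, a captured response cannot be re-pointed at a different endpoint, and the single-use nonce blocks straight replay; what Digest still does not give you is confidentiality of the rest of the request, so TLS remains necessary.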

Authentication Through an API Key

This is similar to Basic authentication, but here you generate a random string of characters to serve as a key and give it to the user so they can access the API. The user can store the API key in a configuration file without exposing their username and password to anyone who can read that configuration data. If the API key is ever compromised, you only have to invalidate the key; the username and password remain uncompromised.
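As an added example (not the article's code), this Python issues, verifies and revokes API keys the way the paragraph describes. Each key is `keyid.secret` so the server can look the record up by id; only a SHA-256 of the secret is stored, which is sufficient because the secret is 256 bits of random data rather than a human-chosen password. The owner name and lifetimes are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory key store: key id -> record.
API_KEYS = {}


def _digest(secret):
    return hashlib.sha256(secret.encode("utf-8")).digest()


def issue_api_key(owner, ttl_seconds=90 * 86400, now=None):
    """Create a key, show it to the user once, and keep only its hash."""
    now = time.time() if now is None else now
    kid = secrets.token_hex(6)          # public lookup handle
    secret = secrets.token_urlsafe(32)  # 256 bits of entropy
    API_KEYS[kid] = {
        "owner": owner,
        "hash": _digest(secret),
        "expires": now + ttl_seconds,
        "revoked": False,
    }
    return f"{kid}.{secret}"


def revoke_api_key(key):
    """Invalidate one key; the owner's other credentials are untouched."""
    kid = key.split(".", 1)[0]
    if kid in API_KEYS:
        API_KEYS[kid]["revoked"] = True


def authenticate_api_key(key, now=None):
    """Return the owner for a valid key, or None."""
    now = time.time() if now is None else now
    kid, _, secret = key.partition(".")
    record = API_KEYS.get(kid)
    if record is None or not secret:
        return None
    # Constant-time compare of the hashes, so a partially correct secret
    # does not fail measurably faster than a wholly wrong one.
    if not hmac.compare_digest(_digest(secret), record["hash"]):
        return None
    if record["revoked"] or now > record["expires"]:
        return None
    return record["owner"]


if __name__ == "__main__":
    key = issue_api_key("alice-ci-runner")
    print("the key is shown once:", key)
    print("authenticated as:", authenticate_api_key(key))  # alice-ci-runner
    revoke_api_key(key)
    print("after revocation:", authenticate_api_key(key))  # None
```

Splitting the key into a public id and a secret means the key id can be written to logs for auditing and revocation without the log becoming a credential leak.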

Authentication Through a JSON Web Token (JWT)

This method relies on a standardized set of data being provided as a token with each API request. The token has three parts, a header, a payload, and a signature, all of which are Base64 encoded; the header and payload are JSON that anyone can decode and read as plain text, so make sure not to include sensitive data in the payload. Here’s a short breakdown of each part:

  • The Header: indicates the algorithm used to produce the signature
  • The Payload: includes the user’s identifying account information and often information about what the user is authorized to access
  • The Signature: computed over the header and payload data with a secret key (which you provided to the authorized user in advance)

The JSON Web Token is sent with the API request, so you can recompute the signature over the header and payload with the secret key and check that it matches the signature in the token. If it matches, you know the data was signed with the secret key you previously provided and can be trusted. At that point, you can use the authentication and authorization information in the payload to identify the user without looking the user up, and without sensitive data being included in the token.
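To make the three-part structure and the verification step above concrete, here is an added Python example (not code from the article) that signs and verifies an HS256 token with nothing but the standard library. It assumes the secret is shared between whoever signs and the server that verifies, pins the algorithm to HS256 instead of trusting the token's own header, and checks the `exp` claim; the subject, scope and secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload, secret):
    """Return header.payload.signature for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8")))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_jwt(token, secret, now=None):
    """Return the payload if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The verifier decides the algorithm; a header claiming something else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    if not isinstance(payload, dict):
        return None
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = sign_jwt({"sub": "alice", "scope": "orders:read", "exp": 2_000_000_000}, secret)
    print(token)
    print(verify_jwt(token, secret))            # {'sub': 'alice', 'scope': 'orders:read', 'exp': 2000000000}
    print(verify_jwt(token, b"other-secret"))   # None
```

The readable-payload point from the list above is visible directly: `b64url_decode` of the middle segment returns the claims JSON with no key at all, which is why the payload carries identifiers and permissions but never secrets.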

Authentication Through OAuth

In this method, the user is first sent to your site to handle the authentication. The user logs into their account on your site (and indicates what data they are authorizing the API to access), at which point you send the user back to the external site with a token that is tied to that authorization on your site. The external site can then include the token in its API requests to your site, which verifies who the user is as well as what data the application may access.
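The following Python is an added, simplified simulation of the three steps in that paragraph (not code from the article): after the user approves a set of scopes on your site, a short-lived single-use code goes back to the external site, the external site exchanges it for an access token, and each API call is checked against the token's user and scopes. A real OAuth deployment also registers the client and validates its redirect URI, which is left out here; the user, scopes and lifetimes are constructed sample values.

```python
import secrets
import time

# Constructed in-memory stores for the simulation.
AUTH_CODES = {}     # code  -> {"user", "scopes", "expires"}
ACCESS_TOKENS = {}  # token -> {"user", "scopes", "expires"}


def authorize(user, granted_scopes, now=None):
    """Step 1: the user has logged in on your site and approved granted_scopes.
    Issue a short-lived, single-use code to send back with the redirect."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"user": user, "scopes": frozenset(granted_scopes), "expires": now + 60}
    return code


def exchange_code(code, now=None):
    """Step 2: the external site trades the code for an access token."""
    now = time.time() if now is None else now
    grant = AUTH_CODES.pop(code, None)  # pop: each code is usable exactly once
    if grant is None or now > grant["expires"]:
        return None
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"user": grant["user"], "scopes": grant["scopes"], "expires": now + 3600}
    return token


def api_request(token, required_scope, now=None):
    """Step 3: an API call carrying the token. Returns (status, user)."""
    now = time.time() if now is None else now
    record = ACCESS_TOKENS.get(token)
    if record is None or now > record["expires"]:
        return (401, None)              # unknown or expired token: not authenticated
    if required_scope not in record["scopes"]:
        return (403, None)              # authenticated, but not authorized for this data
    return (200, record["user"])


if __name__ == "__main__":
    code = authorize("alice", {"orders:read"})
    token = exchange_code(code)
    print(api_request(token, "orders:read"))   # (200, 'alice')
    print(api_request(token, "orders:write"))  # (403, None)
    print(exchange_code(code))                 # None: the code was already used
```

The distinction between the 401 and 403 paths is the practical payoff of this method: the token answers both "who is this?" and "what did the user agree to share?", so a valid token from a user who only granted read access cannot be used to write.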

Maintaining Your REST API with Help from CQL

I hope you find this article useful in identifying the best practices for securing authentication options the next time you create a REST API. If you want to know more or have any questions, contact us using the button below. A CQL professional will be in touch.