Authentication


The Authentication policy allows clients to access the requested resource within the authorized permissions.

Figure: Authentication Policy

If you want to forward the authenticated user's identity to the backend API, select the Authenticated User Header Name option. You can also change the name of the header that carries the authenticated username.

To add an Authentication policy, fill in the fields of the Authentication Policy window. The fields are described below.

  • Clear Authentication Information: If this option is enabled, any authentication information received in the request message is cleared, and authentication takes place according to the current configuration.
  • Add Client Info to Header: If this option is checked and authentication succeeds, Apinizer adds the client's username/clientId to the “X-Authenticated-UserId” header.
  • Authentication Methods:
    • Basic: The simplest method. Clients are identified by the username and password they send with the request, taken from the variables you specify.
    • Basic (Base64): Unlike Basic, the username and password (or the variables you specify) are sent by the client Base64-encoded. Base64 is an encoding, not a hash, so it provides no secrecy on its own. Example: the Authorization header of the request carries the encoded value.
    • Digest: The client sends the username, password, created and nonce variables with the request to the gateway.
    • JWT: Described below.
    • OAuth2: Described below.
  • Variable for Username: Select the variable definition that supplies the username from the request message by clicking the Click to select variable link. Click to define a new variable.
  • Variable for Password: Select the variable definition that supplies the password from the request message by clicking the Click to select variable link. Click to define a new variable.
  • Identity/Role/Group Service: Select or create an Identity/Role/Group Service to execute the authorization process. This value may be empty only if the authentication type is JWT or OAuth2; in that case role based access control uses the roles carried in the token. If a service is selected even though the authentication type is JWT or OAuth2, an additional lookup of roles is made against the selected service using the username/clientId in the token.
  • Variable for Created: Select the variable definition that supplies the creation time from the request message by clicking the Click to select variable link. Click to define a new variable.
  • Variable for Nonce: Select the variable definition that supplies the nonce value from the request message by clicking the Click to select variable link. Click to define a new variable.
  • Signature Algorithm: Select the signature algorithm of the JWT/JWS that integrity-protects the claims.
  • Expiration Time (minutes): Sets the lifetime of the token.
  • Refresh Count: Sets how many times the token may be refreshed.
  • Grant Type: If you select any grant type other than PASSWORD, Role Based Access will not be available.

Other Authentication Methods

JWT

JSON Web Token (JWT) is a compact, self-contained standard that uses a JSON object (the token) to provide secure data exchange between two or more communicating systems (Web, Mobile, IoT, Cloud, etc.).

Figure: JWT Working logic

Token records are stored in the log server. If the log server is down, tokens are not generated.

Sending a JWT Token Request

Token Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Token Request Parameter List
  Name          | Value              | Description
  response_type | client_credentials | Specifies the kind of response the request will return
  username      | [your-username]    | Username to be authorized
  password      | [your-password]    | Password to be authorized
  client_secret | [api-secret-key]   | API Secret Key
  • Sample JWT request:
    POST http://{api-gateway-address}:8010/auth/jwt?grant_type=password&username={your-username}&password={password}&client_id={api-key}&client_secret=-&auth_type=basic
  • After the token response is obtained, the access_token parameter and its value are used to access the resource.
Resource Access Request Header List
  Name          | Value                 | Description
  Authorization | Bearer [access_token] | The obtained access_token is added to the header with the ‘Bearer’ prefix to access the resource.

Figure: Sending a request to the source after obtaining token

Figure: JWT APINIZER Flow Schema

JWT Screen Form Fields Table
  Name                        | Description
  Identity/Role/Group Service | Click the Click to select an Identity/Role/Group Service link to choose the authentication service from the pop-up window. Click to define a new authentication service.
  Signature Algorithm         | Select the signature algorithm that protects the integrity of the JWT / JWS.
  Expiration Time (minutes)   | The time, in minutes, until the token expires.
  Refresh Count               | The number of times the token may be refreshed.
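The Signature Algorithm and Expiration Time fields above define what a backend must check before it trusts the claims in a gateway-issued JWT. The following is an added example (not Apinizer's code): it mints an HS256 token with an exp derived from a lifetime in minutes and then verifies signature, algorithm and expiry, rejecting tampered, expired, re-signed and alg=none tokens. The signing key and claim layout are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-signing-key"  # constructed; the real key is configured in the gateway policy


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, roles: list, lifetime_minutes: int, now: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT the way a gateway would: exp is derived from the
    policy's Expiration Time (minutes) and the roles travel in the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + lifetime_minutes * 60}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, now: int = None, secret: bytes = SECRET):
    """Return the claims only if alg is the expected HS256, the HMAC matches
    and exp lies in the future; return None for anything else."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # reject 'none' and algorithm substitution
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        now = int(time.time()) if now is None else now
        if now >= claims["exp"]:  # exp is mandatory for gateway-issued tokens
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None
```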

OAuth 2

OAuth2 is a standardized protocol for authorization. OAuth2 replaces the original OAuth protocol, which emerged in 2006. With OAuth2, a user can grant your application access to all or part of their account on another service. Common examples are signing in to other applications or websites with your Facebook, Twitter or Google account. In addition, you can use this module as your own SSO server.

OAuth 2 Roles

  • Resource owner: The person or application that owns the data to be shared.
  • Client: The person or application that requests permission to access the resource on the resource server.
  • Resource server: The server that hosts the resources and exposes the API.
  • Authorization server: Checks the credentials in the request that the client sends. If the client does not have the privilege, the request is blocked.

Before accessing the resource, the client must register with the authorization server. The authorization server responds only to registered clients.

OAuth 2 Compulsory Registration Parameters

  • Client ID: The identifier the client uses when registering.
  • Client Secret: The secret value the client uses together with its ID when registering.
  • Redirect URI: After authorization, the client that was granted access to the resource is redirected to this address. After the login process, it is redirected to the homepage.

Token records are stored in the log server. If the log server is down, tokens are not generated.

Types of Authorization: The grants that the resource owner gives to the client. There are 4 types, and each has its own security characteristics.

Authorization Code: Used in web and mobile applications. Signing in to our applications with Facebook and Twitter accounts is an example of this grant type. First the code parameter is obtained, and then the token is obtained with the value of this code parameter. The stages are as follows:

  1. The user sends a GET request to the application
  2. The user is redirected to the authorization service
  3. The user logs in by entering a username and password
  4. The authorization server verifies the information and redirects the user back to the application
  5. The application receives the authorization code
  6. The application sends the code to the authorization service to obtain the token
  7. The application sends the request to the resource server with the access token
  8. The resource server returns the resource after verifying the token

When the client sends a request containing the [response_type], [client_id], [redirect_uri] and [scope] parameters, it is routed to the authorization service. The authorization service returns the [code] and [state] parameters in its response. The client then sends a POST request with the [grant_type], [client_id], [client_secret], [redirect_uri] and [code] parameters, and the token response is returned as a JSON object containing the fields [token_type: generally set to the ‘Bearer’ prefix], [expires_in: specifies how long until the token expires], [access_token: the token required to access resources] and [refresh_token].

Authentication Code Authorization Request

  • First, a request is sent to obtain the code parameter and its value.
Code Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Code Request Parameter List
  Name          | Value                   | Description
  response_type | code                    | Type of response
  client_id     | [api-key]               | API Key
  client_secret | [api-secret-key]        | API Secret Key
  redirect_uri  | [re-forwarding-address] | The response will be redirected to this address.
  scope         | read write              | Request scope
  • Sample code request:

    http://127.0.0.1:8091/auth/authorize?response_type=code&client_id=4259a533-a1e3-433b-aa7c-bb955454b7cc&redirect_uri=http://www.google.com&scope=read write
    
  • The code parameter and value returned in the response to the code request are sent again in the authorization request.

Token Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Token Request Parameter List
  Name          | Value                                    | Description
  response_type | authorization_code                       | Type of response.
  code          | [code-value-returned-by-the-first-request] | Used in the authorization request.
  client_id     | [api-key]                                | API Key
  redirect_uri  | [re-forwarding-address]                  | The response will be redirected to this address.
  • Sample authentication code authorization request:

    POST http://apinizer-ip-address:8091/auth/token?grant_type=authorization_code&code={code-value}&client_id={api-key}&client_secret={api-secret-key}&redirect_uri={request-will-re-forward-to-this-address}
    
  • After the token response is obtained, the access_token parameter and its value are used to access the resource.

Resource Access Request Header List
  Name          | Value                 | Description
  Authorization | Bearer [access_token] | The obtained access_token is added to the header with the ‘Bearer’ prefix to access the resource.

Figure: Sending request after obtaining token

Figure: Authentication Code Flow Chart
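The client side of the flow above, as an added example that is not part of Apinizer's documentation or code: it builds the code request, validates the redirect back (registered redirect_uri and the [state] value the page lists, which is what stops a foreign callback from being accepted), builds the token exchange in the same POST-with-query-string form as the page's sample, and turns the JSON token response into a Bearer header that refuses an expired token. The gateway address, parameter placement and token-response fields are assumed from the page's samples; the same parsing applies to the Implicit, Client Credentials and Password responses below.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

GATEWAY = "http://apinizer-ip-address:8091"  # assumed; taken from the page's sample requests


def new_state() -> str:
    return secrets.token_urlsafe(16)  # unguessable; binds the callback to this client session


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the code request (response_type=code) that the user is redirected to."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{GATEWAY}/auth/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Step 2: take the code from the redirect back; reject a callback that lands
    somewhere other than the registered redirect_uri or carries a foreign state."""
    cb, reg = urlparse(callback_url), urlparse(registered_redirect_uri)
    if (cb.scheme, cb.netloc, cb.path) != (reg.scheme, reg.netloc, reg.path):
        raise ValueError("callback did not arrive on the registered redirect_uri")
    q = parse_qs(cb.query)
    if not expected_state or q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this login was not started by this client")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no code in callback")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: exchange the code for a token; the page's sample puts the parameters in the query string of a POST."""
    params = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
              "client_secret": client_secret, "redirect_uri": redirect_uri}
    return {"method": "POST", "url": f"{GATEWAY}/auth/token?" + urlencode(params),
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}


def parse_token_response(body: str, now: int) -> dict:
    """Step 4: keep the fields the page lists and turn expires_in into an absolute time."""
    t = json.loads(body)
    for key in ("token_type", "expires_in", "access_token"):
        if key not in t:
            raise ValueError(f"token response missing {key}")
    return {"access_token": t["access_token"], "token_type": t["token_type"],
            "expires_at": now + int(t["expires_in"]), "refresh_token": t.get("refresh_token")}


def bearer_header(tok: dict, now: int) -> dict:
    """Step 5: the Authorization header for the resource request; refuse an expired token."""
    if now >= tok["expires_at"]:
        raise ValueError("access token expired; refresh or re-authorize")
    return {"Authorization": f"{tok['token_type']} {tok['access_token']}"}
```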

Implicit: Similar to the Authorization Code grant and suitable for Single Page Applications. This grant returns no [refresh_token]; the intent is that the user completes their task within the lifetime of the token, because the access token cannot be stored securely in the browser. The implicit authentication request contains the following parameters: [response_type : value must be ‘token’], [client_id : API key], [redirect_uri : the response will be redirected to this address], [scope : scope of the request], [state : client status]. The implicit authentication response contains the following parameters: [access_token : usually used with the ‘Bearer’ prefix], [token_type : type of the token], [expires_in : specifies how long until the token expires].

Implicit Authorization Request

  • Unlike the Authorization Code grant, no code request is sent.
Token Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Token Request Parameter List
  Name          | Value     | Description
  response_type | implicit  | Type of response
  client_id     | [api-key] | API Key

Sample implicit authentication request:

POST http://apinizer-ip-address:8091/auth/token?grant_type=implicit&client_id={api-key}
  • After the token response is obtained, the access_token parameter and its value are used to access the resource.
Resource Access Request Header List
  Name          | Value                 | Description
  Authorization | Bearer [access_token] | The obtained access_token is added to the header with the ‘Bearer’ prefix to access the resource.

Figure: Request with token

In implicit authorization, unlike the Authorization Code grant, there is no authorization code. In addition, the client does not send the client secret parameter, for security reasons. The token response does not contain the refresh token parameter.

Figure: Implicit Authentication FlowChart

Client Credentials: This grant type needs no authorization by a user. The client sends the token request, obtains the token, sends the request to the API and reaches the resource. The Client Credentials authentication request contains the following parameters: [grant_type : value must be ‘client_credentials’], [client_id : API Key], [client_secret : API Secret Key].

Client Credentials Authorization Request

  • No user authorization step. The token request is sent directly.
Token Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Token Request Parameter List
  Name          | Value              | Description
  response_type | client_credentials | Type of request
  client_id     | [api-key]          | API Key
  client_secret | [api-secret-key]   | API Secret Key

Sample Client Credentials authentication request:

POST http://apinizer-ip-address:8091/auth/token?grant_type=client_credentials&client_id={api-key}&client_secret={api-secret-key}
  • After the token response is obtained, the access_token parameter and its value are used to access the resource.
Resource Access Request Header List
  Name          | Value                 | Description
  Authorization | Bearer [access_token] | The obtained access_token is added to the header with the ‘Bearer’ prefix to access the resource.

Figure: Request with token

Client Credentials authorization type response does not include the refresh token parameter.

Figure: Client Credentials Authentication FlowChart

Password: The client sends the resource owner's username and password with the token request; entering a username and password into a login form is an example of this grant type. It should only be used when the client is trusted. The password authentication request contains the following parameters: [grant_type : value must be ‘password’], [username : username of the resource owner], [password : password of the resource owner], [scope : scope of authentication]. The password authentication response contains the following parameters: [token_type: generally set to the ‘Bearer’ prefix], [expires_in: specifies how long until the token expires], [access_token: the token required to access resources], [refresh_token].

Password Authorization Request

  • Unlike the other grant types, the username and password are sent.
Token Request Header List
  Name         | Value                             | Description
  Content-Type | application/x-www-form-urlencoded | Content type of the request
Token Request Parameter List
  Name          | Value                        | Description
  response_type | password                     | Type of response.
  username      | [username-of-resource-owner] | Username of the resource owner
  password      | [password-of-resource-owner] | Password of the resource owner
  client_secret | [api-secret-key]             | API Secret Key

Sample Password Authentication Request:

POST http://apinizer-ip-address:8091/auth/token?grant_type=password&username={your-username}&password={your-password}&client_id={api-key}&client_secret=-
  • After the token response is obtained, the access_token parameter and its value are used to access the resource.
Resource Access Request Header List
  Name          | Value                 | Description
  Authorization | Bearer [access_token] | The obtained access_token is added to the header with the ‘Bearer’ prefix to access the resource.

Figure: Request with token

Figure: Password Authentication FlowChart

APINIZER OAuth 2 Authentication Table
  Name                        | Description
  Show API Key                | Clicking this link opens the Gateway Custom API Key and Hidden Value window. Clicking the Refresh button regenerates the API Key and Hidden Value fields.
  Grant Type                  | The grant type is selected. Role-based Access is not available for grant types other than Password.
  Identity/Role/Group Service | The authentication service is selected from the pop-up window by clicking the Click to select Authenticator link.
  Redirect URI                | The URI to be used for redirection is entered.
  Token never expires         | When this option is selected, the token does not become invalid over time.
  Auth Code never expires     | When this option is selected, the Auth code does not become invalid over time.