
API Authentication: Implementation of Best Practices

This article addresses a number of the best practices for implementing API security, including OAuth 2.0, API keys, usernames and passwords, and more.

By 
Brenton House user avatar
Brenton House
·
Sep. 06, 20 · Opinion

Dear Geek,

We are building an API and I am confused as to what kind of security we need. There are so many out there being used (OAuth 1.0a, OAuth 2.0, SAML, username/password, API Key, JWT, and plenty of others) and I am not sure what the best practices are for implementing API authentication. What advice do you have?

- OVERWHELMED BY SECURITY OPTIONS

Dear Overwhelmed,
There really are a lot of options for security when designing and architecting APIs, but I can help you narrow down things and point you to some best practices for API authentication!

API Strategy

There are several things to take into consideration when looking at security for APIs and it is important to make sure it aligns with your organization's overall security strategy.

Let's look at a few of the most frequently used methods of API authentication.

No Security

You may be thinking about opening up your API to everyone with no security at all. I would not do this. API security incidents are more common than you think. Even if your data is non-sensitive and you may not care who sees it, you should still be thinking about rate limiting in order to protect your resources: without some way to tell clients apart, a single misbehaving client can consume your capacity for everyone, and you have no way to cut it off.

Instead, look into using API Key, which I talk about next.

API Key

This is an option if the data you are presenting is non-sensitive. An API key is a unique, randomly generated value issued to an API client and sent with every request. An API key is not really authentication; it is a way of identifying and filtering requests by client. You still have no idea which person is using your API with that key. Adding an API key requirement to your API will at least allow you to limit the number of requests per registered client and to revoke a client that misbehaves. Treat keys like passwords: generate them from a cryptographically secure random source, store only a hash of them, and keep them out of URLs, where they end up in proxy and server logs.

Allowing the client to rotate (reset) its API key is an important feature, as the key might become compromised. Rotation should not force downtime: let the client obtain the new key before the old one is revoked.
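As an added example (not code from the original column), here is the key handling the two paragraphs above describe: keys come from a CSPRNG, only a SHA-256 digest is stored, each client is rate-limited with a token bucket, and a client can rotate its key. The client names, the `ak_` prefix and the limits are assumptions made for the demo.

```python
# Added example (not from the original column): an API-key gate that stores
# only a hash of each key, generates keys with a CSPRNG, rate-limits each
# client with a token bucket, and supports rotation. Client names, the "ak_"
# prefix and the limits below are constructed for the demo.
import hashlib
import secrets
import time

KEY_PREFIX = "ak_"  # assumption: a recognisable prefix helps secret scanners spot leaked keys


class ApiKeyStore:
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec        # tokens refilled per second
        self.burst = burst              # bucket capacity (max burst)
        self._by_digest = {}            # sha256(key) -> client id; raw keys are never stored
        self._buckets = {}              # client id -> [tokens, last_refill_time or None]

    @staticmethod
    def _digest(key: str) -> bytes:
        return hashlib.sha256(key.encode()).digest()

    def issue(self, client_id: str) -> str:
        """Create a key, show it to the client once, keep only its hash."""
        key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._by_digest[self._digest(key)] = client_id
        self._buckets.setdefault(client_id, [float(self.burst), None])
        return key

    def rotate(self, client_id: str, old_key: str) -> str:
        """Revoke old_key and hand the same client a fresh one."""
        if self._by_digest.get(self._digest(old_key)) != client_id:
            raise PermissionError("key does not belong to this client")
        del self._by_digest[self._digest(old_key)]
        return self.issue(client_id)

    def check(self, key: str, now: float = None):
        """Return (client_id, allowed). client_id is None for an unknown key.

        The lookup compares SHA-256 digests, not the key itself, so a timing
        difference in the dict lookup says nothing useful about the secret.
        """
        now = time.monotonic() if now is None else now
        client_id = self._by_digest.get(self._digest(key))
        if client_id is None:
            return None, False
        bucket = self._buckets[client_id]
        tokens, last = bucket
        if last is not None:
            tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, now]
            return client_id, True
        bucket[:] = [tokens, now]          # over quota: answer 429 and keep the refill clock
        return client_id, False


if __name__ == "__main__":
    store = ApiKeyStore(rate_per_sec=1.0, burst=3)
    key = store.issue("acme")
    print("issued", key[:8] + "...")
    for i in range(4):
        print("request", i + 1, store.check(key, now=0.0))   # the 4th call is over quota
    print("after 1s", store.check(key, now=1.0))
    new_key = store.rotate("acme", key)
    print("old key after rotation", store.check(key, now=2.0))
    print("new key", store.check(new_key, now=2.0))
```

In a real service `check` sits in middleware: an unknown key gets 401, an over-quota key gets 429, and the key itself is read from a header rather than a query string.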

Most APIs will require true authentication, which is when a lot of architects find themselves looking at OAuth 2.0, which I cover next.

OAuth 2.0

You will see this form of authentication used on a lot of APIs. In OAuth 2.0 the client obtains an access token from an authorization server, typically after an end user authenticates and consents, and then presents that token to your API (usually as a Bearer token in the Authorization header), where your API validates it. I won't go into details here, as the OAuth 2.0 process can be challenging to understand if you're new to it. I will tell you that there are several different OAuth flows (grant types), and you will need to work with your OAuth 2.0 provider to see which flows they support. OAuth 2.0 does have flows that support server-to-server communication (the client credentials grant) and input-constrained devices (the device authorization grant), but not all organizations and providers will have these flows enabled.

The one downside to some OAuth 2.0 flows is that the user experience can get pretty ugly. You probably have some awesome designs showing a nice branded login flow for your app or website. But the reality is that you will get thrown out of that into something much less branded before completing the flow and getting back to your app.

The other downside is the additional screens themselves. Depending on the session timeout for your app or website, you might have three to five screens and a lot more clicks just to open a link.

There is not much you can do about the downsides as security is more important than aesthetics.

My only reason for pointing out the downsides is that you do want to be aware of which OAuth 2.0 flows are supported (and enabled) for your API, and what it means for your clients if they are turned off.

Username/Password

Some APIs authenticate with a username and password, often in the form of HTTP Basic Auth in the Authorization header. Even over TLS, this is not a recommended way of securing your API: the credentials travel with every request, so every client has to hold the user's actual password, and a single leaked request log exposes it. You will often see this with older APIs that were created using a webpage paradigm. This also often led to APIs being created that were session-based (or worse, session-based with cookies).

Speaking of session-based APIs: please don't do this! RESTful APIs are designed to be stateless, so every request should carry what the server needs to authenticate it.

If you are thinking about doing this, first see if your API falls into the one exception to this rule:

Don't do it.

For the love of all that is good. Just don't.

Others

Here are a few of the other authentication methods you might find out there.

JWT

  • Uses a signed JWT (JSON Web Token) as the credential, presented with each request.
  • Easy to set up and use, but you must manage token issuance, expiry, and signing keys yourself.
  • A more secure alternative to API keys, because the token is signed, expires, and can carry claims about the caller.
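The check a resource server performs on an OAuth 2.0 bearer token, as described in the OAuth 2.0 section above, and the JWT verification this section refers to are the same piece of code, so here is one added example that covers both. It is not code from the original column. HS256 over a shared secret is used so that it runs on the Python standard library alone; a production API would verify RS256 or ES256 signatures against the authorization server's published keys. The issuer, audience, secret, and scope names are constructed for the demo.

```python
# Added example, not from the original column: the resource-server side of
# OAuth 2.0 bearer-token authentication, with the access token in JWT form.
# HS256 over a shared secret is used so the example runs on the standard
# library alone; a production API would verify RS256/ES256 against the
# authorization server's published keys. Issuer, audience, secret and scope
# names are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-shared-secret-do-not-use"   # constructed
ISSUER = "https://auth.example"                   # constructed
AUDIENCE = "orders-api"                           # constructed


class TokenError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """What the authorization server does after a successful grant."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_bearer(authorization, secret, issuer, audience, required_scope, now=None):
    """Validate an Authorization header value; return the claims or raise TokenError."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        raise TokenError("missing bearer token")
    token = authorization[len("Bearer "):].strip()
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError:            # wrong segment count, bad base64, invalid JSON
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm. Never let the token's own "alg" choose the verifier;
    # that is how "alg": "none" and key-confusion attacks work.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    # Only once the signature checks out are the claims worth reading.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError("insufficient scope")
    return claims


def check_request(authorization, required_scope, now=None):
    """(claims, None) when the request is authorized, otherwise (None, reason)."""
    try:
        claims = validate_bearer(authorization, DEMO_SECRET, ISSUER, AUDIENCE, required_scope, now)
        return claims, None
    except TokenError as err:
        return None, str(err)


def demo_token(**overrides) -> str:
    """A token the demo authorization server would mint for a service client."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "svc-billing",
              "scope": "orders:read orders:write", "iat": 1_700_000_000, "exp": 1_700_000_600}
    claims.update(overrides)
    return issue_token(DEMO_SECRET, claims)


if __name__ == "__main__":
    tok = demo_token()
    print(check_request("Bearer " + tok, "orders:read", now=1_700_000_100))
    print(check_request("Bearer " + tok, "orders:read", now=1_700_000_700))   # expired
    forged = issue_token(b"attacker-guess", {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin",
                                            "scope": "orders:write", "exp": 1_700_000_600})
    print(check_request("Bearer " + forged, "orders:write", now=1_700_000_100))  # bad signature
```

The order of the checks matters: signature first, then issuer, audience, expiry and scope, and nothing from the payload is trusted before the signature has been verified. The same function serves a hand-rolled JWT scheme and an OAuth 2.0 deployment; only the key material and the issuer change.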

OAuth 1.0a

  • Superseded by OAuth 2.0, and its per-request signature scheme is hard to implement correctly. Just use OAuth 2.0.
  • Used by some SSO systems. Difficult to use and manage for APIs.

API Authentication Recommendations

  • Use OAuth 2.0, with flows enabled to support server-to-server, device authorization, etc., so you can ensure your API clients are secure while also enabling a great user experience!
  • Use API key authentication, with caution, if publishing non-sensitive data.
  • Avoid username/password authentication.
  • Avoid maintaining state in your API calls.

Published at DZone with permission of Brenton House, DZone MVB.