Updated April 18, 2023
Introduction to Authorization Types
Authorization is the process of defining access rights and privileges to resources. It is closely connected to information security in general, to computer security in particular, and to access control. Resources include individual files, the data of an item, computer programs, computer devices, and the capabilities of computer applications. Consumers of those resources include computer users, computer software, and other computer hardware. Authorization belongs to the policy definition phase, which comes before the policy enforcement phase; in the enforcement phase, access requests are accepted or denied according to the authorizations that were defined previously.
There are four types of Authorization – API keys, Basic Auth, HMAC, and OAuth.
1. API keys
In order to use most APIs, you must first sign up for an API key. The API key is a long string that is typically included in the request URL or in a request header. The API key is mostly used to identify who is performing the API call (authenticating you to use the API). The API key may also be linked to a specific app you have registered. Some APIs issue both a public key and a private key. The public key is normally included in the request, whereas the private key is used primarily for server-to-server communication and is treated more like a password. When you log in to some API documentation sites, your API key is automatically filled into the sample code and the API Explorer.
2. Basic Auth
Basic Auth is another type of authorization. With this method, the sender places a username:password pair in the request header. The pair is Base64-encoded, which turns it into a string drawn from a 64-character alphabet so that it can be carried safely in the header; Base64 is an encoding, not encryption, so it does not by itself protect the credentials. APIs that support Basic Auth therefore also support HTTPS, which encrypts the message content within the HTTP transport protocol. (Without HTTPS, anyone who can see the request could trivially decode the username and password.) When the API server receives the message, it decodes the header string, checks the username and password, and accepts or refuses the request accordingly. HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; it uses standard fields in the HTTP header instead.
3. HMAC
HMAC stands for Hash-based Message Authentication Code. It is a message authentication scheme (often loosely called a signature) designed to reuse existing message-digest algorithms such as MD5 and SHA-1 and provide an efficient data-integrity mechanism. Because HMAC lets the receiver verify that a message is authentic and unmodified, it is used in the Secure Sockets Layer (SSL) protocol and has been chosen as a mandatory security mechanism for the Internet Protocol (IP) security architecture, IPsec. There are 7 steps involved in computing a Hash-based Message Authentication Code.
Step 1: Make the symmetric key the same length as one block of the hash function (b bits): hash it if it is longer, and pad it with zeros if it is shorter.
Step 2: XOR the padded key with the inner pad (ipad); call the result S1.
Step 3: Append the original message to S1.
Step 4: Apply the message-digest algorithm to the result of Step 3; call the output H.
Step 5: XOR the padded key with the outer pad (opad); call the result S2.
Step 6: Append H to S2.
Step 7: Apply the message-digest algorithm to the result of Step 6; the output is the HMAC.
The important point is that only the sender and receiver know the secret key, which is required to reconstruct the hash; the request itself never carries the key. You use HMAC when you want to make sure a request is both authentic and has not been tampered with.
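The seven steps above and the request check they enable, written out as an added example (not code from the original article): the key padding, the ipad/opad values 0x36 and 0x5c, the request format signed, and the sample secret are assumptions of this example, and the standard library is used only to compare the result in constant time.

```python
import hashlib
import hmac  # standard library, used here only for the constant-time comparison


def hmac_from_steps(key: bytes, message: bytes, digest=hashlib.sha256) -> bytes:
    """HMAC built literally from the seven steps (the RFC 2104 construction)."""
    block_size = digest().block_size          # b: 64 bytes for MD5, SHA-1 and SHA-256
    # Step 1: make the key exactly one block long: hash it if too long, zero-pad if short.
    if len(key) > block_size:
        key = digest(key).digest()
    key = key.ljust(block_size, b"\x00")
    # Step 2: S1 = key XOR ipad (the byte 0x36 repeated over the block)
    s1 = bytes(k ^ 0x36 for k in key)
    # Steps 3 and 4: H = digest(S1 || message)
    h = digest(s1 + message).digest()
    # Step 5: S2 = key XOR opad (the byte 0x5c repeated over the block)
    s2 = bytes(k ^ 0x5C for k in key)
    # Steps 6 and 7: tag = digest(S2 || H)
    return digest(s2 + h).digest()


def sign_request(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Client side: tag the parts of the request the server will check (assumed format)."""
    canonical = method.encode() + b"\n" + path.encode() + b"\n" + body
    return hmac_from_steps(secret, canonical).hex()


def verify_request(secret: bytes, method: str, path: str, body: bytes, tag_hex: str) -> bool:
    """Server side: recompute the tag with the shared secret and compare in constant time."""
    expected = sign_request(secret, method, path, body)
    return hmac.compare_digest(expected, tag_hex)


if __name__ == "__main__":
    # Constructed sample: a shared secret and one API request.
    secret = b"shared-secret-known-only-to-client-and-server"
    tag = sign_request(secret, "POST", "/v1/transfer", b'{"amount": 10}')
    print("authentic:", verify_request(secret, "POST", "/v1/transfer", b'{"amount": 10}', tag))
    # The same tag no longer matches once the body has been altered in transit.
    print("tampered:", verify_request(secret, "POST", "/v1/transfer", b'{"amount": 10000}', tag))
```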
4. OAuth
Another type of authorization is OAuth, an open standard for access delegation that allows Internet users to grant websites or applications access to their information on other websites without giving them their passwords. Companies such as Amazon, Google, Facebook, Microsoft, and Twitter use this technology to let users share information about their accounts with third-party applications or websites. On behalf of a resource owner, OAuth grants clients "secure delegated access" to server resources. It specifies how resource owners can grant third parties access to their server resources without handing over credentials. OAuth is a protocol that allows an authorization server to issue access tokens to third-party clients with the permission of the resource owner. It was created expressly for use with the Hypertext Transfer Protocol (HTTP). The third party then uses the access token to gain access to the resource server's protected resources.
In this article, we have discussed four types of authorization: API keys, Basic Auth, HMAC, and OAuth. Each method is important in its own way for securing data.