Hello Welcome again, in this post I'm going to explain how authentication is done between the server and the client
Plan
Introduction
keywords
classic session-based authentication
Authentication in REST API
conclusion
INTRODUCTION
On the Internet, to access certain personal or sensitive information such as personal data, your work intranet, read your e-mails, etc., authentication is essential. Many people still wonder how this authentication works. In this article, I'll first explain how classic authentication works, and then explain how REST API authentication works. Enjoy your reading
KEYWORDS
server: is a computer that executes operations in response to requests made by another computer called a "client". This is why we often hear the term "client/server" used.
client: is a hardware or software computing device that requests access to a service provided by a server. Clients are generally considered to be the requesting program or user in a client-server architecture. End-user devices are typically desktops, laptops and smartphones.
Rest Api: An API, or application programming interface, is a set of rules that define how applications or devices can connect and communicate with each other. A REST API is one that conforms to the design principles of the REST (representational state transfer) architectural style. This is why REST APIs are sometimes referred to as RESTful APIs.
Http: The Hypertext Transfer Protocol (HTTP) is the foundation of the World Wide Web, enabling web pages to be loaded using hypertext links. HTTP is an application-layer protocol designed to transfer information between networked devices, and operates on top of other layers in the network protocol stack. A typical HTTP flow involves a client machine making a request to a server, which then sends a response message.
CLASSIC SESSION-AUTHENTICATION
Before learning how authentication works in the rest api, we need to know how basic session-based authentication works.
suppose you want to log into your facebook account for the first time with a new browser (client) you've just installed on your computer or phone or tablet. When you type www.facebook.com into your browser you'll get the login page where you have to enter your username and password to be able to access your account and send messages, read messages, make posts etc... As this is the first time you've connected to your facebook account via this browser (CLIENT). The client will send your username and password to the facebook server saying eeh!! facebook server I'm username and this is my password, I'd like you to connect me to my account. The facebook server will check whether the client's credentials exist in the database and whether the client's information is correct. If they exist and the information is correct, the server will create a session and save the customer's username and password for future use. Once the session has been created and saved, the server will generate a session token (for future connections) and send it to the client (your browser). The client, in turn, will save the session token in the cockies for a given period of time. Now when you want to connect to facebook again via this same browser (client) you won't have to enter your username and password, your browser will directly use the session token if it hasn't expired yet to connect to the session on the facebook server.
REST API AUTHENTICATION
Session-based authentication is not possible with API REST because API REST is stateless, i.e. the server doesn't store any client login information. It sends the response to the client's request and forgets all about it. So to authenticate in the REST API, we use The HTTP Authorization request header
There are several HTTP Authorization request headers, but in this post we'll start with the simplest, which is called Basic auth.
scheme: Authorization: Basic <credentials>
The credential contains the username and password reunited by ":" i.e. username:password and converted to base64 so that it can be understood by the http. To convert a string to base64, see this wikipedia article on base64 en.wikipedia.org/wiki/Base64?wt.mc_id=stude... Depending on your programming language, you can find out how to do this.
- Basic auth - client side
- Basic auth - server side
Base64 encoding: this is not secure
Always send requests via https and not http. You'll probably wonder why you should convert to base64 if it's not secure. You'll probably wonder why you should convert to base64 if it's not secure. You're right, by the way, base64 encoding allows you to convert non-HTTP-compatible characters, not for security reasons. so security is not the objective of the encoding step. Rather, the purpose of encoding is to encode non-HTTP-compatible characters that may appear in the username or password into HTTP-compatible characters. HTTP-compatible characters. https://en.wikipedia.org/w/index.php?title=Basic_access_authentication&oldid=339510542
Advantages:
- Simple
- Stateless server
- Supported by all browsers
Disadvantages:
- Requires HTTPS
- Subject to replay attacks
- "Logout" is tricky (Browser caching)
Better Solutions
- Digest access authentication (https://en.wikipedia.org /wiki/Digest_access_authentication)
- Asymmetric cryptography (https://en.wikipedia.org/wiki/Public-key_cryptography)
- OAuth (https://en.wikipedia.org/wiki/OAuth) JSON Web Tokens (https://en.wikipedia.org/wiki/JSON_
CONCLUSION
I'd like to express my sincere gratitude to you, dear readers, for taking the time to read this article. Your commitment and interest are the driving force behind my passion for sharing knowledge. Your feedback is invaluable, and I encourage each and every one of you to share your suggestions, comments and ideas. Your feedback helps me to continually improve my content and better meet your expectations. Please feel free to leave your impressions and suggestions in the comments section below. I'm always open to your contributions and look forward to continuing this enriching dialogue.