Authorization methods are used in APIs to ensure that a caller has permission to perform a specific action or to access certain data. In Postman, the Authorization tab is where you tell a request which credentials to attach so that the API endpoint accepts it and lets you perform the action. Here we will look at the different authorization methods Postman supports.
Authorization vs Authentication
Authorization and authentication are related but different concepts. Authentication verifies that a user or client is who they claim to be, for example by presenting a username and password to get access to a system or resource.
Authorization decides which resources or functionality an already-identified caller may use, based on their permissions or role.
Once a user is authenticated, authorization determines which actions they may perform and which data they may access. Strictly speaking, what you configure in Postman's Authorization tab is the authentication credential; the server uses it to make the authorization decision.
Types of Authorization in Postman
No Auth
Basic Auth
Bearer Token
OAuth 1.0
OAuth 2.0
API Key
Digest Auth
Hawk Auth
Generating signed JWTs
Setting up Authorization in postman
Open the Postman application. Either create a new request or open an existing one.
In the request builder, go to the Authorization tab, which sits under the URL input field.
From the Type drop-down, select the authorization method your API requires, such as No Auth, Basic Auth or Bearer Token.
Enter the credentials the chosen method needs.
Once configured, Postman applies the authorization to the request automatically, usually by adding an Authorization header.
Send the request to the endpoint and check the response to confirm that you can reach the desired resource (a 401 or 403 means the credentials were rejected or insufficient).
Now let’s see how to configure some of these authorization methods in detail.
No Auth
This is the simplest option: no credentials are sent with the request. It is used for public APIs that anyone can call. It is also useful as a negative test: send a protected endpoint a request with No Auth and confirm that the server really rejects it.
Basic Auth
Basic Auth is HTTP Basic authentication (RFC 7617), not a role-based scheme. It is the most common simple method: the API needs a username and a password. Select Basic Auth under the Type section; the sample screenshot is given above. Postman then shows input fields for the username and password. The credentials are Base64-encoded (encoded, not encrypted) and sent in the request's Authorization header. Because anyone who can read the header can decode the password, Basic Auth should only be used over HTTPS.
For example, if the username is "TestUser" and the password is "login", Postman joins them as "TestUser:login", Base64-encodes that string to "VGVzdFVzZXI6bG9naW4=", prefixes it with the text "Basic " and sets the result as the value of the Authorization header: Authorization: Basic VGVzdFVzZXI6bG9naW4=
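The following is an added example, not code from the original post or from Postman: it builds the header exactly as Postman does, shows that the Base64 step is reversible, and shows the constant-time check a server should perform. The credentials are the constructed "TestUser"/"login" pair from the text.

```python
import base64
import hmac

# Constructed sample credentials (not from any real system).
USERNAME = "TestUser"
PASSWORD = "login"


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value the way Postman does for Basic Auth.

    RFC 7617: user-id and password are joined with a colon and Base64-encoded.
    Base64 is an encoding, not encryption: anyone who sees the header recovers
    the password with one decode call, so Basic Auth must only travel over TLS.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header_value: str):
    """Recover (username, password) from an Authorization header value.

    Split on the first ':' only, because passwords may legitimately contain colons.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credential: missing ':'")
    return username, password


def check_basic(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check using constant-time comparison.

    hmac.compare_digest avoids the timing side channel that a plain '=='
    string comparison leaks (it stops at the first mismatching byte).
    """
    try:
        user, pw = parse_basic_header(header_value)
    except ValueError:  # includes binascii.Error and UnicodeDecodeError
        return False
    # Evaluate both comparisons and combine with '&' so a wrong username
    # does not short-circuit and reveal which field was wrong by timing.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pw_ok = hmac.compare_digest(pw.encode(), expected_password.encode())
    return user_ok & pw_ok


if __name__ == "__main__":
    header = basic_header(USERNAME, PASSWORD)
    print(header)                      # Basic VGVzdFVzZXI6bG9naW4=
    print(parse_basic_header(header))  # ('TestUser', 'login')
    print(check_basic(header, USERNAME, PASSWORD))
```

Paste the printed header into a Postman request's Headers tab with Authorization type set to No Auth and you get the same request Postman builds for you with Basic Auth selected.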
To keep credentials out of the request itself, store them in environment variables. Here are the steps:
Create an environment: at the top right corner of the window there is an eye icon next to the environment selector, which shows "No Environment" by default.
Click the eye icon beside the "No Environment" drop-down, then click Add in the Environment tab.
A new window opens for creating variables. Create a username variable and a password variable there.
To keep the password as a secret variable, select "secret" from the type drop-down. By default you can see the value of a variable when you hover over it; with the secret type the value is masked. Masking only hides the value from the screen and from screenshots; it does not change where the value is stored, so keep real credentials out of environments you share or export. After giving the variables their values, save the environment.
Now go to the request tab and select the environment.
Enter the variable names in the corresponding input fields as shown in the picture.
To reference a variable's value, the syntax is {{variable-name}}
Ex: {{Username}} {{Password}}
In the above picture, you can see the value of the 'Username' variable resolved to 'TestUser'.
Now hover over the password variable.
You will not be able to see its value, since it is secret; it stays hidden.
We have successfully created the environment. Now save and send the request.
Bearer Token:
This is token-based authorization. The name says it: whoever bears (presents) this token gets access. A token is a string issued by the server, either opaque (meaningful only to the issuer) or self-describing (for example a signed JWT). Possession of the token is the only proof the API asks for, so treat it like a password: keep it in a secret variable and do not paste it into shared collections.
1. Get the bearer token: obtain it from the server by exchanging credentials for a token. The API documentation tells you how, typically a login or token endpoint.
2. Go to the Authorization tab and select Bearer Token.
3. In the Token field, enter the token value you received (or a {{variable}} that holds it).
4. With the bearer token configured, send the request.
5. Postman prefixes the token with the text "Bearer " and sets it as the Authorization header: Authorization: Bearer <token>
When the API receives the request, it validates the bearer token before serving the resource: for a JWT it checks the signature, the expiry and the scopes; for an opaque token it looks the token up or calls an introspection endpoint.
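Added example (not from the original post or from Postman) showing both sides of a bearer token: the issuer mints an HS256 JWT, Postman's role is reduced to prefixing it with "Bearer ", and the resource server verifies the header, pinning the algorithm, checking the signature in constant time, and enforcing expiry and scope. The signing key, subject and scope names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real key is a random secret kept out of the collection.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the '=' padding that JWT strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT: what the token endpoint does before Postman ever sees the token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def authorization_header(token: str) -> str:
    """Exactly what Postman puts on the wire when you paste the token into the Bearer Token field."""
    return "Bearer " + token


def verify_bearer(header_value: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource-server check: returns the claims when the token is valid, else None.

    Order of checks: scheme, structure, algorithm pinning (reject 'none' or anything
    other than HS256), signature (constant-time), expiry, then the required scope.
    """
    now = int(time.time()) if now is None else now
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    h64, c64, s64 = token.split(".")
    try:
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


if __name__ == "__main__":
    token = mint_token("TestUser", ["read:orders"], ttl_seconds=300)
    print(authorization_header(token))
    print(verify_bearer(authorization_header(token), "read:orders"))
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it unset. OAuth 2.0 access tokens are sent in exactly this header form, so the same verifier applies to the OAuth 2.0 section below when the provider issues JWTs.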
API Key:
API Key auth attaches a key-value pair to the request, either as a request header or as a query parameter. In the request's Authorization tab, select API Key from the drop-down. Postman then shows input fields for the key name and key value, and an "Add to" drop-down for choosing Header or Query Params. Prefer the header: a key in the query string ends up in server access logs, proxy logs, browser history and Referer headers. You can keep the value in a variable, as described for Basic Auth. In the screenshot below, you can see how to do it.
After giving the details, save and send the request. Postman adds the key either to the request headers or to the query parameters, as chosen.
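Added example of the server side of API Key auth (not from the original post or from Postman). It accepts the key from either place Postman can put it, reports when the key arrived in the query string, and stores only a SHA-256 hash of the secret part so a database leak does not leak usable keys. The key format "<key id>.<secret>", the header name X-API-Key and the sample key are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample key (not a real credential). The id before the '.' lets the
# server find the record; only the hash of the secret after the '.' is stored.
DEMO_KEY = "pk_7f3a.s3cr3t-value-9c1d"
HEADER_NAME = "X-API-Key"


def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# What the server stores (constructed): key id -> (sha256 of secret, owner)
KEY_STORE = {"pk_7f3a": (hash_secret("s3cr3t-value-9c1d"), "TestUser")}


def extract_api_key(headers: dict, url: str):
    """Return (key, came_from_query), mirroring Postman's two 'Add to' choices."""
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower():  # HTTP header names are case-insensitive
            return value, False
    query = parse_qs(urlsplit(url).query)
    if HEADER_NAME in query:
        return query[HEADER_NAME][0], True
    return None, False


def authorize_api_key(headers: dict, url: str):
    """Return (owner, came_from_query); owner is None when the key is missing or wrong.

    A key in the query string is accepted but flagged, so the caller can log a warning
    or reject it: query strings land in access logs, proxies and browser history.
    """
    key, via_query = extract_api_key(headers, url)
    if key is None or "." not in key:
        return None, via_query
    key_id, _, secret = key.partition(".")
    # Unknown ids get a dummy record so the hash-and-compare still runs and
    # timing does not reveal whether the id exists.
    stored_hash, owner = KEY_STORE.get(key_id, (hash_secret(""), None))
    secret_ok = hmac.compare_digest(hash_secret(secret), stored_hash)
    if owner is None or not secret_ok:
        return None, via_query
    return owner, via_query


if __name__ == "__main__":
    print(authorize_api_key({HEADER_NAME: DEMO_KEY}, "https://api.example.com/orders"))
    print(authorize_api_key({}, "https://api.example.com/orders?X-API-Key=" + DEMO_KEY))
```

Note that hashing with plain SHA-256 is appropriate here only because the secret part is long and random; for user-chosen passwords you would use a slow hash such as bcrypt or Argon2 instead.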
OAuth 1.0:
OAuth 1.0 is a delegated-authorization protocol: as a user of a service, you can let another application access your data on that service without giving it your password. Requests flow between three parties: the service provider, the user and the client application. Instead of sending a secret on every call, the client signs each request with the consumer secret and the token secret, and the provider recomputes the signature to check it.
It has two forms, as shown below:
Two-legged: only the client and the server are involved; the client acts on its own behalf with a consumer key and secret.
Three-legged: the client obtains a token that represents a user's consent and then accesses that user's data on the third-party API.
It is a secure way to authenticate API requests, but more complex to implement than OAuth 2.0, because every request needs a signature computed over the method, the URL and all request parameters. In Postman you obtain the consumer key and secret and the access token and token secret from the provider and enter them in the OAuth 1.0 helper; Postman computes the signature for each request and adds it to the Authorization header. Despite its difficulties, OAuth 1.0 is still in use, because it gives a secure and reliable way to authenticate API requests from Postman.
OAuth 2.0
In this method, your first step is to obtain an access token from the API's authorization server. Postman's OAuth 2.0 helper does this for you (Get New Access Token) using the grant type the API supports, such as Authorization Code (optionally with PKCE) or Client Credentials. The token is then sent on every request as Authorization: Bearer <token>, exactly as in the Bearer Token section. Access tokens expire, so when the API starts answering 401, refresh the token or request a new one rather than editing the request.
Summary:
Postman supports various authorization methods. In this article we have looked at No Auth, Basic Auth, Bearer Token, API Key, OAuth 1.0 and OAuth 2.0, and at creating an environment to store credentials and tokens in variables for extra security. Once you configure a method in the Authorization tab and supply the necessary credentials or tokens, Postman adds them to the request header (or query string) in the format the server expects. Combined with HTTPS, this gives a secure way to communicate with the server and to test its access control.
Thanks for visiting my Blog :) Happy Reading!!