Authentication and Authorization in Web APIs
In today’s digital world, security is a top priority for any web-based application or service. As more data and functionality are exposed through Web APIs, ensuring that only legitimate users can access sensitive information becomes crucial. Two fundamental concepts that help achieve this are authentication and authorization. In web applications:
- Authentication verifies a user’s identity when they log in using credentials like a username and password or biometric data.
- Authorization determines what features, pages, or data the authenticated user can access, based on their assigned role or permissions.
This two-step process is essential for maintaining system security, protecting sensitive data, and ensuring that users can only perform actions they are authorized to perform.
What is Authentication?
Authentication is the process by which computer systems confirm and verify the identity of a user or entity attempting to gain access. Authentication answers the fundamental question: Who are you? It is the step where the system asks the user to prove their identity before allowing entry.
In any secure system, whether it’s a bank, a school, an office, or an online service, you don’t want strangers getting in and pretending to be someone else. Therefore, before allowing anyone to access resources (data, money, services, etc.), the system must verify their identity.
How Does Authentication Work?
To understand how authentication works, please refer to the following diagram.
User Provides Credentials: When someone attempts to log in to a system, whether it’s a website, an app, or a secure server, they provide some form of identification, typically referred to as credentials. The most common credentials are:
- Username (or email)
- Password
System Checks Credentials Against a Data Source: The system verifies these credentials against its stored data. This data is typically stored in a secure database, where the system maintains the valid usernames and encrypted passwords of all registered users.
Verification:
- If the credentials match what is stored in the database, the system confirms the user’s identity.
- If they do not match, the system rejects the login attempt.
Access Granted or Denied: Once the system confirms the user’s identity, it allows the user to access the system or resources for which they’re authorized.
Example to Understand Authentication:
Let us understand Authentication from a layman’s point of view. For a better understanding, please have a look at the following image:
Imagine entering a secured office campus of an IT company. At the entrance, a biometric scanner verifies employees before they can enter. Each employee must authenticate their identity by scanning their fingerprint or using another biometric method. The system then checks this biometric data against its stored records. If the fingerprint matches, the employee is allowed to enter the campus.
Within the company, there are various rooms, including the Reception, HR Room, Accounts Section, Cafeteria, Server Room, and Admin Room. However, before accessing the campus itself, authentication is the first step, proving who you are to gain entry.
Similarly, in a web application or system, the user must provide credentials (such as a username and password or biometrics) that are validated before granting access. This verification process, which confirms identity, is what we call Authentication.
What is Authorization?
Authorization is the process of determining what an authenticated user is allowed to do or access within a system. It controls the permissions or privileges assigned to a user after their identity has been verified.
Authorization answers the question: What are you allowed to do? It’s all about permissions, deciding which parts of the system or operations are available to a user.
Even after confirming someone’s identity (authentication), you can’t let everyone do everything. Some users require more power (such as admins), while others should have limited access (like regular users).
How Does Authorization Work?
To understand how authorization works, please refer to the following diagram.
Authentication First: Before authorization happens, the system must have already confirmed the user’s identity through authentication (e.g., username and password check).
Assigning Permissions: Each user is assigned specific roles or permissions that define the actions they can perform and the data they can access. These roles and permissions are typically managed by system administrators or defined by business rules.
Checking Access Rights: When a user attempts to access a specific resource (such as a file, webpage, or API endpoint), the system verifies whether the user’s assigned permissions permit them to perform that action.
Allow or Deny Access:
- If the user has the necessary permissions, the system grants access to the resource or allows the requested action.
- If not, access is denied, often with an error message like 403 Forbidden or Access Denied.
Example to Understand Authorization:
Let us understand Authorization from a layman’s point of view. For a better understanding, please have a look at the following image:
Imagine an IT company building with restricted access to various rooms, including the Reception, HR Room, Accounts Section, Cafeteria, Server Room, and Admin Room. After an employee verifies their identity through biometrics at the entrance (authentication), they are allowed to enter the campus.
However, not every employee has access to all areas. For example:
- Employee 1 can move freely between the Reception and Cafeteria, but does not have access to more sensitive areas.
- Employee 2 has permission to access the Accounts Section and the Admin Room, which may have more confidential information.
These permissions are based on the employee’s role and the privileges assigned to them. The process of determining which specific areas or resources an authenticated employee can access is called Authorization.
Similarly, in web applications, authorization mechanisms ensure that authenticated users can access only certain features or data based on their roles and permissions, thereby protecting sensitive resources from unauthorized use.
Why Do We Need Authentication in a Web API?
Web APIs (Application Programming Interfaces) are designed to allow different software applications to communicate over the internet. Most modern Web APIs follow the REST (Representational State Transfer) architectural style, which has important principles, one of which is statelessness.
What Does Statelessness Mean?
- In a stateless system, the server does not keep any information (session state) about the client between requests.
- Each HTTP request from a client to the server must be self-contained, meaning it must include all information necessary for the server to understand and fulfill the request.
- The server treats every request as new and independent, without relying on past interactions.
Why Does Statelessness Matter for Authentication?
Since the server does not remember the client’s identity from previous requests, authentication information must be included with every request. This ensures the server knows exactly who is making the request at any time.
How Does Authentication Work in a Stateless Web API?
Client Sends Credentials with Every Request: Since the server has no memory of previous requests, the client must provide proof of identity (credentials) with every request. These credentials can be:
- A token (like a JWT — JSON Web Token)
- Username and password (less common in APIs for security reasons)
- API keys or other authentication headers
Server Validates Credentials: The server checks the received credentials against its data store (database, token validation service, etc.) to confirm the user’s identity.
Access Granted or Denied:
- If the credentials are valid, the server processes the request and sends back the response (like user profile data).
- If the credentials are invalid or missing, the server returns a 401 Unauthorized status code, indicating the client must authenticate properly.
Example to Illustrate
Imagine a mobile app wants to fetch the logged-in user’s profile from a Web API:
- Every time the app sends a request, it includes the user’s authentication token in the request header.
- The server receives the request, extracts the token, and verifies it.
- If the token is valid, the server returns the user profile data.
- If not, the server responds with an error (401 Unauthorized).
Because the server does not keep any session data, this process ensures that:
- Each request is secure and verified independently.
- No unauthorized requests are fulfilled.
- The system remains scalable and stateless, which is important for performance and simplicity.
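The per-request token check described above, together with the role check from the authorization section, in a minimal ASP.NET Core Web API. This is an added example, not the tutorial's own code; it assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced and that appsettings.json carries a "Jwt" section with Issuer, Audience and Key (those configuration names are assumed). Authentication failures end at UseAuthentication with 401; an authenticated user who lacks the Admin role is stopped by UseAuthorization with 403.

```csharp
// Program.cs (minimal API). Added example, not the tutorial's code.
// Assumes package Microsoft.AspNetCore.Authentication.JwtBearer and an
// appsettings.json "Jwt" section with Issuer, Audience, Key (assumed names).
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Authentication: every request must carry "Authorization: Bearer <JWT>".
// The server keeps no session; the signed token alone proves identity.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,          // reject expired tokens
            ValidateIssuerSigningKey = true,  // reject tokens not signed with our key
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)),
            ClockSkew = TimeSpan.Zero         // no grace period after expiry
        };
    });

// Authorization: a named policy that requires the "Admin" role claim.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication();   // Who are you?        -> 401 if token missing/invalid
app.UseAuthorization();    // What may you do?    -> 403 if valid token, wrong role

// Any caller with a valid token may read their own profile.
app.MapGet("/profile", (ClaimsPrincipal user) => Results.Ok(new
{
    Name = user.Identity?.Name,
    Roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
})).RequireAuthorization();

// Only callers whose token carries the Admin role reach this endpoint.
app.MapDelete("/users/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("AdminOnly");

app.Run();
```

A request to /profile without an Authorization header receives 401 before any handler runs, while a non-admin's DELETE /users/7 receives 403 even though the token itself validated.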
Types of Authentication in Web Services:
ASP.NET Core Web API supports multiple authentication methods, each designed to fit different security needs and application scenarios. Some of the common types include:
- Basic Authentication: Basic Authentication is one of the simplest authentication mechanisms. The client sends the username and password with every HTTP request, encoded in Base64. Base64 is an encoding, not encryption, so the credentials are trivially recoverable by anyone who can read the request; Basic Authentication must therefore only be used over HTTPS.
- Token-Based Authentication: Token-based authentication uses a token (like a JWT – JSON Web Token) that the client obtains after the first successful login. This token is then sent with subsequent requests, instead of the username and password.
- OAuth/OpenID Connect: OAuth and OpenID Connect are open standards for authentication and authorization that enable users to authenticate using third-party services, such as Google, Facebook, and Microsoft.
Authentication and authorization form the backbone of security in Web APIs, ensuring that only verified users can access the system and that their actions are properly controlled based on their permissions. By implementing these mechanisms correctly, developers can protect sensitive data, maintain system integrity, and provide a seamless yet secure experience for users. So, mastering authentication and authorization becomes crucial for building trustworthy and scalable applications.
In the next article, I will discuss how to implement Basic Authentication in ASP.NET Core Web API Applications with Real-time Examples. In this article, I explain Authentication and Authorization in Web APIs. I hope you enjoy this article on Authentication and Authorization in Web APIs.