How to Handle Authorization in Rest-Assured API Automation

Resource access control in API testing is achieved through authorization. This article demonstrates common authorization schemes with Rest Assured code examples.

key types of authorization:

1. Basic Authentication

• Description: This method involves encoding the username and password in Base64 and sending it within the Authorization header. While simple, it's considered less secure due to the nature of Base64 encoding.

• Rest Assured Example:

    import io.restassured.response.Response;
    import static io.restassured.RestAssured.given;
  
    Response response = 
            given()
                .auth()
                .preemptive()
                .basic("username", "password") 
            .when()
                  .get("/secured-endpoint")    
            .then()
                 .statusCode(200)
                 .extract().response();
  

2. Bearer Token Authentication

• Description: This method utilizes a token, commonly a JSON Web Token (JWT), passed in the Authorization header with the Bearer prefix. This is a widely used and secure approach.

• Rest Assured Example:

    import io.restassured.response.Response;
    import static io.restassured.RestAssured.given;
  
    Response response = 
    given()
        .header("Authorization", "Bearer your_token_here")
    .when()
        .get("/secured-endpoint")
     .then()
        .statusCode(200)
        .extract().response();
  

3. API Key Authentication

• Description: API keys are used to authenticate requests, often passed as a query parameter or within a header. This method offers flexibility in implementation.

• Rest Assured Examples:

  • Query Parameter:

      import io.restassured.response.Response;
      import static io.restassured.RestAssured.given;
    
      Response response = 
      given()
          .queryParam("apikey", "your_api_key_here")
      .when()
          .get("/endpoint")
      .then()
          .statusCode(200)
          .extract().response();
    

  • Header:

      import io.restassured.response.Response;
      import static io.restassured.RestAssured.given;
    
      Response response = 
      given()
          .header("x-api-key", "your_api_key_here")
      .when()
          .get("/endpoint")
      .then()
          .statusCode(200)
          .extract().response();
    

4. OAuth 2.0 Authorization

• Description: OAuth 2.0 is an industry-standard protocol designed for delegated access, enabling users to grant limited access to their resources without sharing their credentials.

• Rest Assured Example:

    import io.restassured.response.Response;
    import static io.restassured.RestAssured.given;
  
    Response response = 
    given()
        .auth()
        .oauth2("your_oauth2_token_here")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
  

5. Digest Authentication

• Description: Digest Authentication provides enhanced security compared to Basic Authentication by employing a challenge-response mechanism.

• Rest Assured Example:

    import io.restassured.response.Response;
    import static io.restassured.RestAssured.given;
  
    Response response = 
    given()
        .auth()
        .digest("username", "password")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
  

In Summary:

• Basic Authentication: Simple, but less secure credentials in Base64.

• Bearer Token Authentication: Secure, uses tokens (JWTs).

• API Key Authentication: Flexible, keys in headers or parameters.

• OAuth 2.0: Standardized, secure, delegated access.

• Digest Authentication: More secure than Basic, challenge-response.