How to Handle Authorization in Rest-Assured API Automation
Results-driven SDET with expertise in automation frameworks, API testing, and CI/CD pipelines. Proficient in Selenium, Appium, Postman, JUnit, TestNG and Jenkins. Skilled in Java and performance testing, ensuring high-quality software delivery in Agile environments.
Resource access control in API testing is achieved through authorization. This article demonstrates common authorization schemes with Rest Assured code examples.
Key types of authorization:
1. Basic Authentication
Description: This method encodes the username and password in Base64 and sends them in the Authorization header. While simple, it is considered less secure because Base64 is an encoding, not encryption: anyone who can read the header can recover the credentials.
Rest Assured Example:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// preemptive() sends the credentials on the first request instead of
// waiting for a 401 challenge from the server.
Response response = given()
        .auth()
        .preemptive()
        .basic("username", "password")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
2. Bearer Token Authentication
Description: This method uses a token, commonly a JSON Web Token (JWT), passed in the Authorization header with the Bearer prefix. This is a widely used and secure approach.
Rest Assured Example:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// The token is sent verbatim; the server validates it on every request.
Response response = given()
        .header("Authorization", "Bearer your_token_here")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
3. API Key Authentication
Description: API keys are used to authenticate requests, often passed as a query parameter or within a header. This method offers flexibility in implementation.
Rest Assured Examples:
Query Parameter:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// Keys sent in the query string end up in URLs, proxy and server logs;
// prefer the header form where the API allows it.
Response response = given()
        .queryParam("apikey", "your_api_key_here")
    .when()
        .get("/endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
Header:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// The header name (here x-api-key) is defined by the API under test.
Response response = given()
        .header("x-api-key", "your_api_key_here")
    .when()
        .get("/endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
4. OAuth 2.0 Authorization
Description: OAuth 2.0 is an industry-standard protocol designed for delegated access, enabling users to grant limited access to their resources without sharing their credentials.
Rest Assured Example:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// oauth2() sets the "Authorization: Bearer <token>" header for you,
// so this is equivalent to the explicit header in section 2.
Response response = given()
        .auth()
        .oauth2("your_oauth2_token_here")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
5. Digest Authentication
Description: Digest Authentication provides enhanced security compared to Basic Authentication by employing a challenge-response mechanism.
Rest Assured Example:
```java
import io.restassured.response.Response;
import static io.restassured.RestAssured.given;

// Digest auth is challenge-response: Rest Assured answers the server's
// 401 challenge with a hash of the credentials and the server's nonce,
// so the password itself is never sent on the wire.
Response response = given()
        .auth()
        .digest("username", "password")
    .when()
        .get("/secured-endpoint")
    .then()
        .statusCode(200)
        .extract().response();
```
In Summary:
- Basic Authentication: simple, but less secure; credentials are only Base64-encoded.
- Bearer Token Authentication: secure; uses tokens (commonly JWTs).
- API Key Authentication: flexible; keys go in headers or query parameters.
- OAuth 2.0: standardized, secure, delegated access.
- Digest Authentication: more secure than Basic; challenge-response.
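As an added example (not code from the original article), here is a JUnit 5 test class that obtains an OAuth 2.0 access token with the client-credentials grant (Basic auth on the token endpoint, then Bearer on the resource) and checks that the protected endpoint actually enforces authorization, rather than only that the happy path returns 200. The host `https://api.example.test`, the `/oauth/token` and `/secured-endpoint` paths, and the `CLIENT_ID`/`CLIENT_SECRET` environment variables are assumptions.

```java
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.*;

// Added example (not from the original post). Host, token endpoint and
// resource path are hypothetical; client credentials come from the environment.
public class AuthorizationEnforcementTest {
    static String accessToken;
    @BeforeAll
    static void obtainToken() {
        RestAssured.baseURI = "https://api.example.test";
        // Client-credentials grant: client id/secret ride in a preemptive Basic
        // header so they are sent up front instead of after a 401 challenge.
        accessToken = given()
                .auth().preemptive()
                .basic(System.getenv("CLIENT_ID"), System.getenv("CLIENT_SECRET"))
                .contentType(ContentType.URLENC)
                .formParam("grant_type", "client_credentials")
            .when().post("/oauth/token")
            .then().statusCode(200).body("access_token", notNullValue())
            .extract().path("access_token");
    }

    @Test
    void validTokenIsAccepted() {
        // oauth2() sets "Authorization: Bearer <token>", the same header as section 2.
        given().auth().oauth2(accessToken)
            .when().get("/secured-endpoint")
            .then().statusCode(200);
    }

    @Test
    void missingCredentialsAreRejected() {
        // A 200 alone proves little; the endpoint must also refuse a request
        // that carries no Authorization header at all.
        given().when().get("/secured-endpoint")
            .then().statusCode(401);
    }

    @Test
    void malformedTokenIsRejected() {
        // A garbage token must be rejected, not silently treated as anonymous.
        given().auth().oauth2("not-a-real-token")
            .when().get("/secured-endpoint")
            .then().statusCode(anyOf(is(401), is(403)));
    }
}
```

The negative tests are the ones that catch an endpoint that "fails open" after a misconfiguration, which a suite of 200-only checks never will.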