Mohamed Abbas | Architect Magento | Tech Blogger | Magento Trainer

Mohamed Abbas
Mohamed Abbas
Architect Magento | Tech Blogger | Magento Trainer

How To Secure Magento API

Magento 2 provides three types of API Authentication.

 

  • Token based authentication

 

  • OAUTH based authentication

 

  • Session Based Authentication

 

1.Token based authentication

What Is Token-based Authentication? Token-based authentication is a protocol that generates encrypted security tokens. It enables users to verify their identity to websites, which then generates a unique encrypted authentication token.

 

Token-based authentication is a protocol that generates encrypted security tokens. It enables users to verify their identity to websites, which then generates a unique encrypted authentication token. That token provides users with access to protected pages and resources for a limited period of time without having to re-enter their username and password.

 

Token-based authentication works through this five-step process

 

  • Request: The user logs in to a service using their login credentials, which issues an access request to a server or protected resource.

 

  • Verification: The server verifies the login information to determine that the user should have access. This involves checking the password entered against the username provided.

 

  • Token submission: The server generates a secure, signed authentication token for the user for a specific period of time.

 

  • Storage: The token is transmitted back to the user’s browser, which stores it for access to future website visits. When the user moves on to access a new website, the authentication token is decoded and verified. If there is a match, the user will be allowed to proceed.

 

  • Expiration: The token will remain active until the user logs out or closes the server.
Request for Customer Token
				
					Customer token: /V1/integration/customer/token
Request for Admin Token
				
					Admin Token: /V1/integration/admin/token

2.OAuth-based authentication

OAuth authentication with Adobe Commerce and Magento Open Source is based on OAuth 1.0a, an open standard for secure API authentication. OAuth is a token-passing mechanism that allows a system to control which third-party applications have access to internal data without revealing or storing any user IDs or passwords.

 

In Commerce, a third-party application that uses OAuth for authentication is called integration. An integration defines which resources the application can access. The application can be granted access to all resources or a customized subset of resources.

 

As the process of registering the integration proceeds, Commerce creates the tokens that the application needs for authentication. It first creates a request token. This token is short-lived and must be exchanged for an access token. Access tokens are long-lived and will not expire unless the merchant revokes access from the application.

OAuth authentication process

The following diagram shows the OAuth authentication process. Each step is described further.

 

1) Create an integration:- The merchant creates an integration from Admin. Commerce generates a consumer key and a consumer secret.


2) Activate the integration:- The OAuth process begins when the merchant activates the integration. Magento sends the OAuth consumer key and secret, an OAuth verifier, and the store URL to the external application via HTTPS post to the page defined in the Callback Link field in Admin.


3) Process activation information:- The integrator must store the activation information received in step 2. These parameters will be used to ask for tokens.


4) Call the application’s login page:- Commerce calls the page defined in the Identity Link field in Admin.


5) Merchant logs in to the external application:- If the login is successful, the application returns to the location specified in the call. The login page is dismissed.


6) Ask for a request token:- The application uses the POST /oauth/token/request REST API to ask for a request token.


7) Send the request token:- Commerce returns a request token and request token secret


8) Ask for an access token:- The application uses the POST /oauth/token/access REST API to ask for an access token.


9) Commerce sends the access token:- If this request is successful, Magento returns an access token and access token secret.


10) The application can access Magento resources:- All requests sent to Commerce must use the full set of request parameters in Authorization header.

 

OAuth handshake details

The process of completing the OAuth handshake requires that you,


  • Get a request token

  • Get an access token

The response contains these fields:

 

1).Oauth_token:- The token to be used when requesting an access token.


2).Oauth_token_secret:- A secret value that establishes ownership of the token.

 

3). Session-based authentication

As a customer, you log in to the storefront with your customer credentials. As an admin, you log in to the Admin with your admin credentials. The web API framework uses your logged-in session information to verify your identity and authorize access to the requested resource.

 

Customers can access resources that are configured with anonymous or self permission in the webapi.xml configuration file. Admins can access resources that are assigned to their Admin profile.

 

For example, If a customer is logged in to the storefront and the JavaScript widget invokes the self API, details for the logged-in customer are fetched:

				
					GET /rest/V1/customers/me

If an admin is logged in to the Admin and the JavaScript widget invokes the Magento_Customer::group API, details for the logged-in admin are fetched.

The web API framework establishes the identity of the admin user based on logged-in session information and authorizes access to the Magento_Customer::group resource.

 

Admin session-based authentication is not currently possible for API endpoints.

 

conclusion

In conclusion, securing the Magento API is of utmost importance to protect your e-commerce platform, sensitive data, and maintain the trust of your customers. By implementing a robust security framework, you can mitigate the risk of unauthorized access, data breaches, and other potential threats.

 

Here are some key points to consider:

 

These best practices and maintaining a proactive approach to security, you can significantly enhance the security of your Magento API. Remember that security is an ongoing process, requiring constant monitoring, updates, and adaptation to evolving threats. Prioritizing the security of your Magento API demonstrates your commitment to protecting your customers and their sensitive information, fostering trust in your e-commerce business.