In the last section, we discussed that a resource owner does not allow access to the resources to everyone in the company. Later in the tutorial, we will try to access the same API using the credentials as we discussed in the last section.
#POSTMAN LOGIN TEST CODE#
The status code and response from the server indicate that we are not authorized to access the API we are trying to access( See Responses tutorial to learn more**). Note: The status code is 401 which corresponds to unauthorized access and the response message says Unauthorized. Create a GET request and enter the endpoint as.Authorization using Postman Checking Authorizationįor this chapter, we will be using the endpoint We will see the following short example to tell you how does a server rejects an unauthorized person.
If you have access to the resource, then you will be granted access to the resource (Authorized). If it is, you are good to go (Authentication). When a person accesses the server with the key/password, the server checks whether the person is available in the directory and is also associated with the same key/password. So in layman terms Authentication tells who you are while Authorization tells what you can do. Whereas Authorization is a process of allowing or denying someone from accessing something, once Authentication is done. Here system can be anything, it can be a computer, phone, bank or any physical office premises. This enables the system to ensure and confirm a user’s identity. These credentials tell the system about who you are. In this section, we will clear the confusion about these two terms.Īuthentication is a process of presenting your credentials to the system and the system validating your credentials. These two terms can also be confusing at first. Authorization Vs AuthenticationĪuthorization and Authentication are two closely related terms. Only authorized people can access the secured APIs. It is not necessary that everyone will have access to all the APIs. Similarly, while there could be many APIs in a company or a project. You and your sister can open the same mobile phone, which means only you and your sister are authorized to open the phone and see the data. For example, let us say you have added your and your sister's fingerprint to your phone. If the answer is No, we can say that we are not Authorized to access the resource. A login window like the Microsoft one is one for user accounts which is something totally different.The meaning of authorization can be seen as a question which is, are we eligible to access a secured resource on the Server? If the answer is yes, then in technical terms we can say that we are Authorized to access the resource. In other words, Postman auth in any POST or GET call is just a way to tell the remote server they can trust you because you identify yourself. So you would still use an auth to allow the API call and a (hopefully different) auth for the actual login url as params. If, on the other hand, you have a separate login call that this is all it does, logging in, then yes, you can use Postman to login, BUT, keep in mind that the login auth info would not AND SHOULD NOT be the same as the API call login info. And what you would do in Postman is simulate that call and the Postman login would be to allow it to call endpoints. It's an internal auth, like a sort of a "technical" user. So what your (theoretical) shop's partner does is use some auth method (as you said, Basic Auth) to call the endpoint that results into adding an item into the cart for purchase.īut this auth is not what the client uses to log in to your partner or your site. The question is, how do they do that? How do you stop abuse from a malicious user? Simple: you add authentication. In our example, they would call your API (for example, adding an item in the cart). For example you let another site (the partner/sponsor) add items for your common client from his site (instead of him having to logout of that site then login to your site, it's easier and your partnership makes both sites profitable, let's say for our example - so their site would be more like a sort of forwarder - when the user adds an item on the partner's site, they actually add it in the cart on your site). So imagine you have an online shop and you expose your API to a third party (let's say a sponsor or partner). The authentication in Postman is related to webservice calls. Postman is not a browser so it doesn't "log in".
0 kommentar(er)
