Authentication Techniques

The document outlines essential authentication techniques for testers and engineers in 2025, including Basic Authentication, Token-Based Authentication, OAuth 2.0, and API Key Authentication. Each technique is described with its use cases, drawbacks, and example code snippets for implementation. Additionally, it addresses common interview questions related to securing API keys, handling expired tokens, and testing negative authentication scenarios.

Uploaded by Bipul Mondal

AUTHENTICATION TECHNIQUES EVERY TESTER & ENGINEER SHOULD KNOW IN 2025

1. BASIC AUTHENTICATION
What it is: Username + password (Base64 encoded in headers)
Use case: Simple internal APIs
Drawback: Base64 is encoding, not encryption, so it is not secure unless used with HTTPS

RESTASSURED CODE:

given()
    // preemptive(): send the Authorization: Basic header with the first request
    // instead of waiting for a 401 challenge from the server
    .auth().preemptive().basic("username", "password")
.when()
    .get("/users")
.then()
    .statusCode(200);

HOW DOES BASIC AUTH WORK IN REST API TESTING?

It encodes username:password in Base64 and passes it in the Authorization header.
It's stateless but insecure unless used with HTTPS.
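The Base64 mechanics described above, as an added Python example (not the page's RestAssured code): it builds the Authorization header the way preemptive().basic() does, parses and verifies it server-side, and shows that whoever can read the header recovers the password, which is why HTTPS is mandatory. The USERS store, the credential values and the function names are constructed for this example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for this example only. A real service would store
# salted password hashes, never plaintext.
USERS = {"username": "password"}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value a client (or RestAssured's preemptive().basic())
    sends: the literal 'username:password' string, Base64 encoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server-side parse of the header. Returns (username, password), or None when the
    header is absent, not Basic, not valid Base64, or lacks the ':' separator."""
    if not value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in raw:
        return None
    user, _, pw = raw.partition(":")
    return user, pw


def check_basic_auth(headers: Dict[str, str]) -> int:
    """Return the HTTP status the endpoint should answer with:
    200 for valid credentials, 401 for a missing, malformed or wrong header."""
    creds = decode_basic_header(headers.get("Authorization", ""))
    if creds is None:
        return 401
    user, pw = creds
    # Always run the constant-time comparison, even for unknown users, so the
    # response time does not reveal whether the username exists.
    expected = USERS.get(user, "")
    match = hmac.compare_digest(pw.encode("utf-8"), expected.encode("utf-8"))
    return 200 if (user in USERS and match) else 401


if __name__ == "__main__":
    hdr = basic_header("username", "password")
    print(hdr)                                   # Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    # Anyone who can read the header (no HTTPS) recovers the password instantly:
    print(decode_basic_header(hdr))              # ('username', 'password')
    print(check_basic_auth({"Authorization": hdr}))                              # 200
    print(check_basic_auth({"Authorization": basic_header("wrong", "wrong")}))  # 401
    print(check_basic_auth({}))                                                  # 401
```

The same decode step is what a proxy or packet capture performs on a plain-HTTP request, so the "insecure unless used with HTTPS" drawback is not theoretical.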


2. TOKEN-BASED AUTHENTICATION
What it is: After login, a server gives you a token (like a key)
How it works: Client stores the token and sends it with each request
Use case: Stateless apps, REST APIs
Example: JWT (JSON Web Tokens)

RESTASSURED CODE:

given()
    // token obtained from the login (or refresh) endpoint in an earlier step
    .header("Authorization", "Bearer " + token)
.when()
    .get("/profile")
.then()
    .statusCode(200);

WHAT IS TOKEN-BASED AUTHENTICATION AND HOW DOES IT WORK?

After login, the server returns a token.
This token is sent in headers with each API request to authorize the user.


3. OAUTH 2.0

What it is: Delegated access, i.e. it grants permission without sharing your password
Real-time use: Login with Google, Facebook, LinkedIn
Ideal for: Third-party app access (e.g., Slack using your Google calendar)

RESTASSURED CODE:

given()
    // accessToken obtained through an OAuth 2.0 flow (e.g. Authorization Code)
    .auth().oauth2(accessToken)
.when()
    .get("/user-info")
.then()
    .statusCode(200);

WHAT IS OAUTH 2.0 AND HOW DOES IT DIFFER FROM TOKEN AUTH?

OAuth 2.0 is a delegated authorization protocol, allowing third-party apps to access user resources without exposing credentials.
It uses tokens, but with permission scopes and flows like Authorization Code or Client Credentials.


4. API KEY AUTHENTICATION

What it is: A unique key passed in headers or URL
Use case: Quick access to APIs (used in Postman, Firebase, etc.)
Downside: Less secure, as keys can be exposed

RESTASSURED CODE:

given()
    // a real key is read from an environment variable or CI secret, not hard-coded
    .header("x-api-key", "abcd1234")
.when()
    .get("/weather")
.then()
    .statusCode(200);

WHAT IS API KEY AUTHENTICATION AND WHERE IS IT USED?

An API key is a unique token passed in headers or query params.
Used in developer APIs (e.g., Google Maps, OpenWeather).

AUTHENTICATION IN API TESTING – FREQUENTLY ASKED INTERVIEW QUESTIONS

Q1: HOW DO YOU SECURE API KEYS IN AUTOMATION?

Store them in environment variables, encrypted config files, or CI/CD secrets.

Q2: HOW DO YOU HANDLE EXPIRED TOKENS IN YOUR TEST AUTOMATION?

Handled expired tokens through a combination of negative test cases and token refresh logic:

Validation Test:
- Simulate an expired token scenario by using a manually modified or saved expired JWT.
- Expected response: 401 Unauthorized or 403 Forbidden.
- This helps validate that the API correctly handles invalid sessions.

Auto-Refresh Strategy:
- Implemented a method that detects token expiry (based on response or expiry timestamp).
- If expired, I call the token refresh endpoint to get a new access token.
- The fresh token is then reused dynamically across subsequent requests.
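An added Python example (not code from the page) covering section 2, Q2 and Q3 together: it mints and verifies HS256 JWTs with an exp claim, simulates a /profile endpoint and a refresh endpoint, runs the validation test (expired and tampered tokens must be rejected) and implements the auto-refresh strategy, detecting expiry both from the exp timestamp and from a 401 response. The signing secret, the refresh-token store, the endpoint names and the fixed clock value are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed secret and refresh-token store for this example (assumptions, not from the page).
SECRET = b"example-hs256-secret-do-not-reuse"
REFRESH_TOKENS: Dict[str, str] = {}   # refresh token -> subject; a real server persists and rotates these

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(sub: str, ttl_seconds: int, now: int) -> str:
    """Issue an HS256 JWT whose exp claim is ttl_seconds after now."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_seconds},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int) -> str:
    """Return 'ok' or the rejection reason: 'malformed', 'bad_signature' or 'expired'.
    The signature (and alg) is checked before exp, so a forged token never has its claims trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    head_b64, body_b64, sig_b64 = parts
    try:
        head = json.loads(_b64url_decode(head_b64))
        expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if (not isinstance(head, dict) or head.get("alg") != "HS256"
                or not hmac.compare_digest(expected, _b64url_decode(sig_b64))):
            return "bad_signature"
        body = json.loads(_b64url_decode(body_b64))
    except ValueError:            # bad Base64, bad UTF-8 or bad JSON
        return "malformed"
    if not isinstance(body, dict) or now >= int(body.get("exp", 0)):
        return "expired"
    return "ok"

def api_profile(headers: Dict[str, str], now: int) -> int:
    """Simulated /profile endpoint: 200 with a valid Bearer token, otherwise 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify_jwt(auth[len("Bearer "):], now) == "ok" else 401

def api_refresh(refresh_token: str, now: int) -> Optional[str]:
    """Simulated refresh endpoint: a known refresh token yields a new 5-minute access token."""
    sub = REFRESH_TOKENS.get(refresh_token)
    return mint_jwt(sub, 300, now) if sub else None

class TokenClient:
    """Auto-refresh strategy: expiry detected from the exp claim (30 s early), with a 401 fallback."""

    def __init__(self, access_token: str, refresh_token: str) -> None:
        self.access_token, self.refresh_token, self.refreshes = access_token, refresh_token, 0

    def _expires_soon(self, now: int) -> bool:
        try:
            return now >= json.loads(_b64url_decode(self.access_token.split(".")[1]))["exp"] - 30
        except (ValueError, KeyError, IndexError, TypeError):
            return True               # unreadable token: treat as expired and refresh

    def _refresh(self, now: int) -> bool:
        new_token = api_refresh(self.refresh_token, now)
        if new_token is None:
            return False
        self.access_token, self.refreshes = new_token, self.refreshes + 1
        return True

    def get_profile(self, now: int) -> int:
        if self._expires_soon(now):
            self._refresh(now)
        status = api_profile({"Authorization": "Bearer " + self.access_token}, now)
        if status == 401 and self._refresh(now):   # server rejected it: refresh once and retry
            status = api_profile({"Authorization": "Bearer " + self.access_token}, now)
        return status

def demo(now: int = 1_700_000_000) -> Dict[str, object]:
    """Run the validation test and the auto-refresh strategy against a fixed clock."""
    REFRESH_TOKENS["refresh-demo-1"] = "alice"                    # constructed refresh token
    stale = mint_jwt("alice", 60, now)                            # saved token, expires in 60 s
    tampered = stale[:-5] + ("A" if stale[-5] != "A" else "B") + stale[-4:]   # corrupt the signature
    client = TokenClient(stale, "refresh-demo-1")
    return {
        "expired_direct": api_profile({"Authorization": "Bearer " + stale}, now + 120),  # 401
        "tampered": verify_jwt(tampered, now),                                          # bad_signature
        "missing": api_profile({}, now),                                                # 401
        "client_first": client.get_profile(now),                                        # 200, no refresh
        "client_later": client.get_profile(now + 120),                                  # 200 after refresh
        "refreshes": client.refreshes,                                                  # 1
    }
```

The client refreshes slightly before the exp timestamp so a request does not race the server clock, and keeps the 401-triggered refresh as a fallback for tokens revoked before they expire; the access token is short-lived and the refresh token is only ever sent to the refresh endpoint, which is the access/refresh split asked about in Q3.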

Q3: WHAT'S THE DIFFERENCE BETWEEN ACCESS AND REFRESH TOKEN?

- Access token is short-lived and used for requests
- Refresh token is used to obtain new access tokens without re-authentication

Q4: WHAT ARE COMMON AUTH-RELATED BUGS IN API TESTING?

- Expired tokens not handled
- Token reused after logout
- Incorrect scopes in OAuth
- Session not invalidated after logout

Q5: HOW DO YOU TEST NEGATIVE AUTHENTICATION SCENARIOS?

Invalid Credentials

Test: Send wrong username/password in basic auth

given().auth().preemptive().basic("wrong", "wrong")
.when().get("/dashboard")
.then().statusCode(401);

Expected: 401 Unauthorized

Missing or Expired Token

Test: Don't send the token or use an expired one

given() // No token
.when().get("/secure-endpoint")
.then().statusCode(401);

Invalid Token Format

Test: Send a corrupted/modified token

given()
.header("Authorization", "Bearer abc.def.invalid")
.when().get("/secure-endpoint")
.then().statusCode(401);

Should return 401 or a custom error message
Validates token signature & format checks

Wrong or Missing API Key

Test: Use a wrong key or omit it entirely

given()
.header("x-api-key", "wrong-key")
.when().get("/weather")
.then().statusCode(anyOf(is(401), is(403))); // Hamcrest matchers

Expect 403 Forbidden or 401 Unauthorized
Verifies that only valid API keys are accepted
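An added Python example (not code from the page) for section 4 and the wrong/missing API key case of Q5: a simulated /weather endpoint that accepts the key from the x-api-key header or the URL, stores only hashes of issued keys, applies one concrete 401-versus-403 convention, and a redaction helper for the "keys can be exposed" downside, since a key in the query string lands in every access log. The key store, the scope names, the query parameter name and the endpoint are constructed for this example; "abcd1234" is the page's sample key.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Constructed key store for this example. Only hashes of issued keys are kept, so a
# leaked table does not yield usable keys. "abcd1234" is the page's sample key.
API_KEYS: Dict[str, Dict[str, object]] = {
    _digest("abcd1234"): {"owner": "weather-demo-app", "scopes": {"weather:read"}},
}


def extract_api_key(headers: Dict[str, str], url: str) -> Optional[str]:
    """Take the key from the x-api-key header first, else from ?api_key= in the URL."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-api-key" in lowered:
        return lowered["x-api-key"]
    return parse_qs(urlsplit(url).query).get("api_key", [None])[0]


def api_weather(headers: Dict[str, str], url: str, required_scope: str = "weather:read") -> int:
    """Simulated /weather endpoint. Convention used here: 401 when no key or an unknown
    key is presented, 403 when the key is valid but lacks the required scope."""
    key = extract_api_key(headers, url)
    if key is None:
        return 401
    presented = _digest(key)
    record = None
    for stored, rec in API_KEYS.items():
        if hmac.compare_digest(stored, presented):   # constant-time, no early exit
            record = rec
    if record is None:
        return 401
    if required_scope not in record["scopes"]:
        return 403
    return 200


def redact_url(url: str) -> str:
    """Keys sent in the query string end up in access logs, proxies and browser history;
    redact them before the URL is written anywhere."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "api_key" in query:
        query["api_key"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def run_negative_tests() -> Dict[str, int]:
    """The wrong-key / missing-key checks from Q5, run against the simulated endpoint."""
    return {
        "valid_header": api_weather({"x-api-key": "abcd1234"}, "/weather"),                   # 200
        "valid_query": api_weather({}, "/weather?api_key=abcd1234"),                          # 200
        "wrong_key": api_weather({"x-api-key": "wrong-key"}, "/weather"),                     # 401
        "missing_key": api_weather({}, "/weather"),                                           # 401
        "wrong_scope": api_weather({"x-api-key": "abcd1234"}, "/weather", "weather:write"),   # 403
    }


if __name__ == "__main__":
    print(run_negative_tests())
    print(redact_url("/weather?api_key=abcd1234&city=Paris"))   # /weather?api_key=REDACTED&city=Paris
```

Whichever status convention an API uses, the negative test should pin it down (as the page's anyOf(401, 403) check does) and additionally confirm that a missing key and an unknown key never reach the handler body.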
