Authentication Using Bearer Tokens

Updated 1 week ago by Rahul Lahiri

When you send an API request to any service, you may need to send the credentials as part of the request to verify the authenticity of the caller. Bearer tokens is a commonly used authentication scheme for establishing the credentials of the user. A request contains a header field in the form of Authorization: Bearer <credentials>, where credentials are a token issued by an authentication server. The token can be obtained by sending a valid username/password to the authentication server.

Example of header with bearer token:

Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJNQVJZLlNN

In general, bearer tokens will be short-lived and will need to be renewed from the authentication server after the expiry of the token. Every time the token expires, the user must make an API call to the authentication server, and generate a new token.

When issuing requests to a service protected by bearer tokens from the API Studio, the user must use a valid token for every request.

Automating auth token propagation

Copying the token from the login response and adding it to the header for each request manually is a tedious process. Instead, you can configure API Studio to automate the process of extracting the token from the login request and injecting the token into subsequent API request headers.

You can configure the rules to inject the token for all requests or for selected requests. For the developer use cases, the simplest option is to set up global rules to inject the authorization token into all requests.

Steps to automate authentication

The configuration process is as follows:

  • Decide if you want to inject the authorization token for all API requests or selected requests.
  • Create a JSON file with the instructions for the following:
    • The application to which this set of rules should be applied,
    • How to extract the authorization token,
    • Where to inject the token.
  • Upload the configuration file to API Studio.

Example JSONs are provided later in this document.

To apply the automated token extraction and injection:

  • Run a login API request. API Studio will extract the authorization token using the instructions provided.
  • Run subsequent requests. API Studio will automatically inject the authorization token following the instructions provided above.
While API Studio can automate the process for extracting the authorization token and injecting it into the headers for the API requests, API Studio does not know when the token expires. The user must manually refresh the token when a token expires.

1. App selection

The first part of the configuration JSON file specifies the app to which the rules should be applied. Here is an example:

    "customerId": "CubeCorp",
"app": "MovieInfo",
"version": "DefaultMovieInfo"

The parameters included in this section are:

"customerId": "CubeCorp"

The name assigned to the customer. Please contact us to get your customerId. It will be available under Settings > API Token soon.

"app": "MovieInfo"

The app name you have assigned to the app. The name is shown in the top left in the Application box. In this example, the app name is MovieInfo.

"version": "DefaultMovieInfo"

Currently, the only supported value for the version parameter is Default<AppName>. The AppName should be the same as the name specified for the app parameter above. In this example, the app name is MovieInfo.

2. Token extraction

In the JSON, there are two arrays named extraction and injection. The extraction array defines the parameters needed to extract the auth token from the response of an API, and store the token in a named variable. Example:

    "extraction": [
{
"apiPath": "minfo/login",
"method": "POST",
"name": "login_token",
"value": "${TestSet.Response: /body/token}"
}
]

In the example above, the auth token will be extracted as follows:

"apiPath": "minfo/login"

API request to extract the token from

"method": "POST"

Method type: must be a POST method

"value": "${TestSet.Response: /body/token}"

Path to the token in the body of the response

"name": "login_token"

Name of the API Studio environment variable to store the extracted token in

3. Token injection

The injection array defines the parameters to inject the extracted auth token into the API request header. You can configure the rules to inject the authorization token for all API requests or for selected requests.

Inject into all API requests

Example JSON block to inject the token into all API requests. For the developer use cases, the simplest option is to set up a global rule to inject the authorization token into all requests.

    "injection": [
{
"jsonPath": "/hdrs/authorization/0",
"injectAllPaths": true,
"name": "login_token"
}
]

Inject into selected requests

Example JSON block to inject the token into selected API requests:

    "injection": [
{
"jsonPath": "/hdrs/authorization/0",
"injectAllPaths": false,
"apiPaths": [
"minfo/liststores",
"minfo/rentmovie"
],
"name": "login_token",
"method": "GET"
}
]

Token injection configuration parameters

"jsonPath": "/hdrs/authorization/0"

The JSON path where the token value will be injected. In this example, the value will be injected in the header using a path name authorization.

"injectAllPaths": true

If this parameter is set to true, then the token will be injected into every API request. If it is set to false, then the token will be injected only into the API requests specified the apiPaths parameter.

"apiPaths": ["minfo/categories", "minfo/rentmovie"]

Set of API paths where to inject the auth token if injectAllPaths is set to false. The API paths must be comma separated. This parameter is required only if injectAllPaths is set to false.

"name": "login_token"

Name of the environment variable (login_token) to be injected.

"method": "GET"

Method type where to inject the auth token if injectAllPaths is set to false. You can control which method types to inject the token into.

4. Upload configuration file

Upload the JSON file through the Settings page using the Context Propagation Rules tab.

  • Go to the Settings page using the gear icon on the left menu bar.
  • Select the Context Propagation Rules tab
  • Click Choose File and select the file that contains the rules you defined from the directory browser that opens up.
  • Click Upload to ingest the contents of the file selected.

5. Use authorization token

  • Once the configuration file is uploaded, the rules are effective immediately. Issue a login request from the API Studio. Once the request runs, the extraction rules will be automatically applied. If the login request is successful, the authorization token will be extracted and stored in the specified variable.
  • For all subsequent API requests, the authorization header will be automatically added to the header by API Studio, depending on the configuration of the injection parameters.

When the token expires, the login call must be made again to update the token stored in the variable.

You do not need to add the Authorization field to the header section for the API requests. API Studio will automatically add the Authorization field with the right parameters to the header section when it issues the API request.

JSON examples

Inject into all requests

Use the following JSON block to extract the bearer token from the login request, and inject the bearer token into all requests issued from API Studio.

{
"customerId": "CubeCorp",
"app": "MovieInfo",
"version": "DefaultMovieInfo",
"extraction": [
{
"apiPath": "minfo/login",
"method": "POST",
"name": "login_token",
"value": "${TestSet.Response: /body/token}"
}
],
"injection": [
{
"jsonPath": "/hdrs/authorization/0",
"injectAllPaths": true,
"name": "login_token",
}
]
}

Inject into selected requests

Example JSON block to extract the bearer token from the login request, and inject the token into selected API requests:

{
"version": "DefaultMovieInfo",
"customerId": "CubeCorp",
"app": "MovieInfo",
"extraction": [
{
"apiPath": "minfo/login",
"method": "POST",
"name": "login_token",
"value": "${TestSet.Response: /body/token}"
}
],
"injection": [
{
"apiPaths": [
"minfo/liststores",
"minfo/rentmovie"
],
"jsonPath": "/hdrs/authorization/0",
"injectAllPaths": false,
"name": "login_token",
"method": "GET"
},
{
"apiPaths": [
"minfo/liststores",
"minfo/rentmovie"
],
"jsonPath": "/hdrs/authorization/0",
"injectAllPaths": false,
"name": "login_token",
"method": "POST"
},
]
}


How did we do?