1. Field
The following description relates to a method of user authentication using an open application programming interface (API) provided over the Internet, and more particularly, to API authentication utilizing two tokens in an effort to prevent the problem of lost tokens that occurs in existing API token authentication.
2. Description of Related Art
As the information and communications technology (ICT) ecosystem has been reorganized around platforms, an open application programming interface (API), which is one of the core functions of a platform, is becoming the most important asset for ICT businesses. In addition, with the growing popularity of web services, a REST API (an architectural style of API design known as representational state transfer, or REST) is increasingly being employed.
In many cases, a REST API exposes resources related to a specific user. For instance, a processing method that handles personal information or is intended to be executed only by a limited set of users may be exposed to the public. Hence, in order to protect the resources of a REST API, it is essential that the user or system sending the API request be authenticated.
Examples of web-based open API authentication methods include API key authentication, API token authentication, and transport layer security (TLS) authentication.
API key authentication is the most basic method, but rather than being an authentication method in the strict sense, it is a method for identifying the programs that use an open API (e.g., mobile apps). A program developer receives a UUID or an API key in the form of a unique text string from an API providing unit, and designs the program to include the received API key in the API message each time an API request is sent. Accordingly, the API providing unit is able to identify the programs that send API requests and to manage API usage information for each program. However, when different users use the same program, the same open API key value is shared among all of those users, so a single exposure of the key puts the entire API at risk.
Secondly, API token authentication is an authentication method in which an API providing unit authenticates an API user based on the user's ID and password and, once the user is authenticated, issues a token with a validity period. Each time the API user sends an API request, the received API token is included in the API message. By using a temporary token, the API token method carries out user authentication without exposing the user ID and password, which protects user information and is the main advantage of the method. However, like the other authentication methods, API token authentication does not encrypt API requests, and thus serious problems may arise, such as a token being intercepted or used for malicious purposes.
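A minimal model of the token flow described above, added here as an example and not taken from the patent: the provider authenticates by ID and password, issues a random token with a validity period, and checks that token on each request. The walk-through in `demo()` shows the weakness the paragraph names: a token copied from an unencrypted request is accepted from any sender until it expires. User names, passwords and clock values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: user id -> hashed password.
# Unsalted SHA-256 keeps the example short; a real service would use a
# password KDF such as PBKDF2 or Argon2 with a per-user salt.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_TOKENS = {}  # issued token -> (user id, expiry timestamp)


def issue_token(user_id, password, now, lifetime=600):
    """Authenticate by ID/password and issue a bearer token valid for
    `lifetime` seconds. Returns None when the credentials are wrong."""
    stored = _USERS.get(user_id)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return None
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (user_id, now + lifetime)
    return token


def handle_request(token, now):
    """Validate the token carried in an API message. Returns the user id
    the token was issued to, or None if it is unknown or expired."""
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    user_id, expiry = entry
    if now >= expiry:
        del _TOKENS[token]      # expired tokens are discarded
        return None
    return user_id


def demo():
    """Issuance, legitimate use, replay by another sender, and expiry."""
    t0 = 1_700_000_000          # constructed clock value (seconds)
    token = issue_token("alice", "correct horse", t0)
    return {
        "bad_password": issue_token("alice", "wrong", t0),
        "legitimate": handle_request(token, t0 + 60),
        # The provider cannot tell a copied token from the original:
        # whoever presents it within the validity period is accepted.
        "replayed_by_other_sender": handle_request(token, t0 + 120),
        "after_expiry": handle_request(token, t0 + 601),
    }
```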
Lastly, a method that can fundamentally resolve the aforesaid problems is encryption of the API request itself: based on a certificate and two-way TLS, the API user is authenticated, and all API messages are encrypted before they are transmitted. This is the most advanced form of authentication, but it increases the system load and the burden of implementing it; hence it is not used for general services.
For cloud computing operators or network function virtualization (NFV) service operators, APIs related to the actual allocation of virtual resources must be vigilantly protected, because for them, token theft under the API token-based authentication method may directly lead to economic losses. Nevertheless, it is realistically difficult to impose a certificate-based API authentication method on all users.