Authorization grants or denies access to a system or application based on a user’s permissions. Each authorization type uses a unique process to exchange and validate credentials or tokens.
Supported Authorization Types
API Key
Basic
Digest
Oauth2
Custom
API Key authorization uses a secret key (the API key) to identify and authorize a client when making API requests.
Example 1: Sending API Key in the header with the key Authorization
"headers": {
"Authorization": "Bearer abc123securekey"
}
}
Example 2: Sending API key in the header with a different key name
"headers": {
"x-api-key": "Bearer abcdsecret123key"
}
}
Basic Authorization is an HTTP authentication method that sends a Base64-encoded string containing the username and password in the “Authorization” header.
Example:
"headers": {
"Authorization": "Basic MTIxOWEyYjczYmExYmlLWE5YjItMzg2NjkwYmFjMjZj"
}
}
Digest Authorization is an HTTP authentication method that applies hash and nonces to the username and password to transmit credentials securely.
Example:
"headers": {
"Authorization": "Digest username=\"alice\", realm=\"example.com\", nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", uri=\"/data\", response=\"6629fae49393a05397450978507c4ef1\", qop=auth, nc=00000001, cnonce=\"0a4f113b\""
}
OAuth 2.0 is an authorization framework that uses access tokens in headers and optional refresh tokens. It allows applications limited access to a user’s data without exposing their credentials.
Supported Grant Types in URAF 3.4.0
Client Credentials
Password Credentials
Example:
"headers": {
"Authorization": "Bearer ya29.a0AfH6SMCq_jJwEXAMPLE-TOKEN123456789"
}
If an API of a source requires an authentication method other than the supported methods, URAF supports it via lightweight applications or integrations that run along with URAF. After installing the application, you can select the vendor template in URAF to create a log source and enter the credentials. For example, Cybereason and DuoSecurity.