Hikmadh Commerce | Ecommerce Development Consulting | Magento Development and Consulting Service

API Authentication in Magento

Introduction:

Welcome to our blog on authentication in Magento, the powerful e-commerce platform that empowers countless online businesses worldwide. In today’s digital landscape, where the risk of cyber threats looms large, authentication takes center stage as a crucial aspect of securing customer information, maintaining trust, and preventing unauthorized access. In this blog, we will explore the significance of authentication within the Magento ecosystem, discuss the various authentication methods available, and provide insights into best practices to enhance security. So, whether you’re a Magento store owner, developer, or simply interested in understanding the fundamentals of authentication, read on to discover how authentication can safeguard your online business and protect your customers’ sensitive data.

Authentication

Magento allows developers to define web API resources and their permissions in the webapi.xml configuration file.

Before you can make web API calls, you must authenticate your identity and have the necessary permissions (authorization) to access the API resource. Authentication lets Magento identify the caller’s user type (administrator, integration, customer, or guest), and that user type’s access rights determine which resources an API call can reach.

Accessible resources

The list of resources that you can access depends on your user type. All customers have the same permissions, and therefore the same accessible resources; the same is true for guest users. Each administrator or integration user can have a unique set of permissions, which is configured in the Admin. The permissions required to access a particular resource are configured in the webapi.xml file.

USER TYPE / ACCESSIBLE RESOURCES (DEFINED IN WEBAPI.XML)

  • Administrator or Integration: resources for which administrators or integrators are authorized. For example, if administrators are authorized for the Magento_Customer::group resource, they can make a GET /V1/customerGroups/:id call.

  • Customer: resources with anonymous or self permission.

  • Guest user: resources with anonymous permission.

Relationship between acl.xml and webapi.xml

The acl.xml file defines the access control list (ACL) for a given module. It defines the available set of permissions to access resources.


All acl.xml files across all Magento modules are consolidated to build an ACL tree, which is used to select allowed Admin role resources or third-party integration access (System > Extension > Integration > Add New Integration > Available APIs).


Sample customer acl.xml

For example, account management, customer configuration, and customer group resource permissions are defined in the Customer module’s acl.xml.

When a developer creates the Web API configuration file (webapi.xml), the permissions defined in acl.xml are referenced to create access rights for each API resource.

Sample (truncated) customer webapi.xml

    <routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Webapi:etc/webapi.xsd">
        <!-- Customer Group: requires the Magento_Customer::group ACL resource -->
        <route url="/V1/customerGroups/:id" method="GET">
            <service class="Magento\Customer\Api\GroupRepositoryInterface" method="getById"/>
            <resources>
                <resource ref="Magento_Customer::group"/>
            </resources>
        </route>
        ............
        .......
        .....
        <!-- Customer Account -->
        <route url="/V1/customers/:customerId" method="GET">
            <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="getById"/>
            <resources>
                <resource ref="Magento_Customer::customer"/>
            </resources>
        </route>
        <!-- Account creation is open to anyone, including guests -->
        <route url="/V1/customers" method="POST">
            <service class="Magento\Customer\Api\AccountManagementInterface" method="createAccount"/>
            <resources>
                <resource ref="anonymous"/>
            </resources>
        </route>
        <route url="/V1/customers/:customerId" method="PUT">
            <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="save"/>
            <resources>
                <resource ref="Magento_Customer::manage"/>
            </resources>
        </route>
        <!-- "self": the logged-in customer may only update their own account -->
        <route url="/V1/customers/me" method="PUT">
            <service class="Magento\Customer\Api\CustomerRepositoryInterface" method="save"/>
            <resources>
                <resource ref="self"/>
            </resources>
            <data>
                <!-- force="true": customer.id is always taken from the authenticated customer, never from the request body -->
                <parameter name="customer.id" force="true">%customer_id%</parameter>
            </data>
        </route>
        ..........
        .....
        ...
    </routes>

For example, in the preceding webapi.xml, only a user with Magento_Customer::group authorization can call GET /V1/customerGroups/:id. On the other hand, anyone, including a guest, can create a customer with POST /V1/customers, because that route requires only the anonymous resource.

Authorization is granted to either an administrator (or an integration) defined in the Admin with the customer group selected as one of the resources in the ACL tree.
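To make the permission model concrete, here is an added example (not Magento’s own code) that parses a webapi.xml excerpt modelled on the one above and decides whether a given caller may use a route. It applies the rules stated in the text: anonymous routes are open to everyone, self routes are for a logged-in customer acting on their own data, and any other resource ref needs an administrator or integration whose ACL role grants it. Two details are this example’s own assumptions: every resource listed on a route must be granted, and where two route templates match a path (for instance /V1/customers/me versus /V1/customers/:customerId) the one with the most literal segments wins.

```python
"""Added example, not Magento's code: decide whether a caller may use a webapi.xml route.

Rules, as stated in the text: "anonymous" routes are open to everyone (guests included),
"self" routes are for a logged-in customer acting on their own data, and any other
resource ref (e.g. Magento_Customer::group) needs an administrator or integration whose
ACL role grants it. Requiring every listed resource, and "most literal segments wins"
route matching, are assumptions of this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed excerpt modelled on the page's webapi.xml (schema attributes omitted).
WEBAPI_XML = """<routes>
  <route url="/V1/customerGroups/:id" method="GET">
    <service class="Magento\\Customer\\Api\\GroupRepositoryInterface" method="getById"/>
    <resources><resource ref="Magento_Customer::group"/></resources>
  </route>
  <route url="/V1/customers" method="POST">
    <service class="Magento\\Customer\\Api\\AccountManagementInterface" method="createAccount"/>
    <resources><resource ref="anonymous"/></resources>
  </route>
  <route url="/V1/customers/:customerId" method="PUT">
    <service class="Magento\\Customer\\Api\\CustomerRepositoryInterface" method="save"/>
    <resources><resource ref="Magento_Customer::manage"/></resources>
  </route>
  <route url="/V1/customers/me" method="PUT">
    <service class="Magento\\Customer\\Api\\CustomerRepositoryInterface" method="save"/>
    <resources><resource ref="self"/></resources>
  </route>
</routes>"""


@dataclass(frozen=True)
class Caller:
    user_type: str                          # "guest", "customer", "admin" or "integration"
    acl_grants: frozenset = frozenset()     # ACL resources granted to an admin/integration role


@dataclass(frozen=True)
class Route:
    method: str
    url: str
    service: str
    resources: tuple


def parse_routes(xml_text):
    """Read <route> elements into Route records (service = class::method)."""
    routes = []
    for r in ET.fromstring(xml_text).findall("route"):
        svc = r.find("service")
        refs = tuple(x.get("ref") for x in r.findall("resources/resource"))
        routes.append(Route(r.get("method").upper(), r.get("url"),
                            f"{svc.get('class')}::{svc.get('method')}", refs))
    return routes


def match_route(routes, method, path):
    """Pick the matching route with the most literal segments, so /V1/customers/me
    is served by its own route rather than by /V1/customers/:customerId."""
    want = path.strip("/").split("/")
    best, best_score = None, -1
    for r in routes:
        tmpl = r.url.strip("/").split("/")
        if r.method != method.upper() or len(tmpl) != len(want):
            continue
        if all(t.startswith(":") or t == w for t, w in zip(tmpl, want)):
            score = sum(not t.startswith(":") for t in tmpl)
            if score > best_score:
                best, best_score = r, score
    return best


def resource_granted(ref, caller):
    """One resource ref against one caller, per the user-type table in the text."""
    if ref == "anonymous":
        return True
    if ref == "self":
        return caller.user_type == "customer"
    return caller.user_type in ("admin", "integration") and ref in caller.acl_grants


def authorize(routes, method, path, caller):
    """Return (status, detail): 404 for an unknown route, 401 when a listed resource
    is not granted (Magento's "consumer isn't authorized" case), else 200 and the service."""
    route = match_route(routes, method, path)
    if route is None:
        return 404, "no route"
    missing = [ref for ref in route.resources if not resource_granted(ref, caller)]
    if missing:
        return 401, f"{caller.user_type} lacks {', '.join(missing)}"
    return 200, route.service


if __name__ == "__main__":
    routes = parse_routes(WEBAPI_XML)
    for who in (Caller("guest"), Caller("customer"),
                Caller("admin", frozenset({"Magento_Customer::group"}))):
        print(who.user_type, authorize(routes, "GET", "/V1/customerGroups/3", who))
```

The interesting checks are the two PUT routes: a customer token reaches /V1/customers/me (self) but is refused on /V1/customers/7, which needs Magento_Customer::manage, so a customer cannot edit another customer’s record by changing the id in the path; an admin token is refused on /V1/customers/me because self is a customer-only resource.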

Web API clients and authentication methods

You must use a client, such as a mobile application or an external batch job, to access Magento services using web APIs.

Each type of client has a preferred authentication method. To authenticate, use the authentication method for your preferred client:

Mobile application

Registered users use token-based authentication to make web API calls from a mobile application. The token acts like an electronic key that provides access to the API(s).

  • As a registered Magento user, you request a token from the Magento token service at the endpoint that is defined for your user type.

  • The token service returns a unique authentication token in exchange for the username and password of a Magento account.

  • To prove your identity, specify this token in the Authorization request header on web API calls.

Third-party application

Third-party applications use OAuth-based authentication to access the web APIs.

  • The third-party integration registers with Magento.

  • Merchants authorize extensions and applications to access or update store data.

JavaScript widget on the Magento storefront or Admin

Registered users use session-based authentication to log in to the Magento storefront or Admin.

A session is identified by a cookie and times out after a period of inactivity. Additionally, you can have a session as a guest user without logging in.

  • As a customer, you log in to the Magento storefront with your customer credentials. As an administrator, you log in to the Admin with your administrator credentials.

  • The Magento web API framework identifies you and controls access to the requested resource.

Token based (Bearer Authentication)

This method is a good choice for authenticating customers and Admin users in third-party applications that need to make authorized API calls to the Magento store.

  • Customer Token: use this token in applications to authorize a specific customer and query data related to that customer (for example, customer details, cart, and orders).

  • Admin Token: use this token in applications to authorize an Admin user and access Admin-related APIs.

  • Request a token and then include it in future requests (see /guides/v2.3/get-started/authentication/gs-authentication-token.html#web-api-access).

Integration (Bearer Authentication)

Magento generates a consumer key, consumer secret, access token, and access token secret when you create an active integration (self activated). The access token is sent as a bearer token:

    curl -X GET "http://magento2ce74.loc:8080/index.php/rest/V1/customers/1" -H "Authorization: Bearer 9xvitupdkju0cabq2i3dxyg6bblqmg5h"
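The token exchange described in the Token based section, and the Bearer header used by the curl call above, as an added example that is not Magento’s code: a client asks the token service for a token with a username and password, then presents it on every call, while the server resolves the Bearer header back to a user type. The real Magento endpoints are POST /rest/V1/integration/customer/token and POST /rest/V1/integration/admin/token, which take {"username": ..., "password": ...} and return a bare token string; the token service here is an in-memory stand-in so the example runs offline, and its hashed storage, assumed 3600-second lifetime and fail-closed header parsing are this example’s own design choices, not Magento’s.

```python
"""Added example, not Magento's code: the token exchange described above, against an
in-memory stand-in for Magento's token service so it runs offline.

Real endpoints (Magento 2): POST /rest/V1/integration/customer/token and
POST /rest/V1/integration/admin/token take {"username": ..., "password": ...} and
return a bare token string. Everything else here (hashed token storage, the assumed
3600 s lifetime, fail-closed header parsing) is this example's own design.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_ENDPOINTS = {
    "customer": "/rest/V1/integration/customer/token",
    "admin": "/rest/V1/integration/admin/token",
}


def token_request(user_type, username, password):
    """Client side: the request that asks the token service for a token."""
    return {"method": "POST", "path": TOKEN_ENDPOINTS[user_type],
            "headers": {"Content-Type": "application/json"},
            "json": {"username": username, "password": password}}


def bearer_header(token):
    """Client side: how the token is presented on every later call."""
    return {"Authorization": f"Bearer {token}"}


class TokenService:
    """Stand-in token service. Passwords are stored as salted PBKDF2 hashes and tokens
    only as SHA-256 digests, so a copied table yields nothing directly usable."""

    def __init__(self, lifetime_s=3600, now=time.time):
        self._now, self._lifetime = now, lifetime_s
        self._users = {}    # (user_type, username) -> (salt, pbkdf2 digest)
        self._tokens = {}   # sha256(token) -> (user_type, username, issued_at)

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_type, username, password):
        salt = secrets.token_bytes(16)
        self._users[(user_type, username)] = (salt, self._hash_pw(password, salt))

    def issue(self, user_type, username, password):
        """Exchange username/password for a fresh token; None on any failure, with the
        same answer for an unknown user and a wrong password."""
        rec = self._users.get((user_type, username))
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, self._hash_pw(password, salt)):
            return None
        token = secrets.token_hex(16)   # 32 characters, like the token in the curl call
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (user_type, username, self._now())
        return token

    def resolve(self, token):
        """Map a presented token back to its user, or None if unknown or expired."""
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return None
        user_type, username, issued = rec
        if self._now() - issued > self._lifetime:
            return None
        return user_type, username


def caller_from_header(service, headers):
    """Server side: no Authorization header means a guest; a header that is present but
    malformed, unknown or expired is rejected (None) rather than downgraded to guest."""
    value = headers.get("Authorization")
    if value is None:
        return ("guest", None)
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return service.resolve(token.strip())


if __name__ == "__main__":
    svc = TokenService()
    svc.register("customer", "jane@example.com", "correct horse battery")
    tok = svc.issue("customer", "jane@example.com", "correct horse battery")
    print(token_request("customer", "jane@example.com", "<password>")["path"])
    print(caller_from_header(svc, bearer_header(tok)))
```

The rejection of a present-but-invalid header, instead of silently treating the call as a guest, is the defender’s choice here: a client with an expired token should see a clear 401 and request a new one, not a confusing "not authorized" on a resource it could reach a minute ago.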
    
              
Integration (OAuth)

This method is a good choice for integrating with a third-party system that supports OAuth 1.0a.

After activating an integration (self activated), you can use the generated consumer key, consumer secret, access token, and access token secret to give third-party systems access to Magento store resources. You do not need to call the /oauth/token/request or /oauth/token/access endpoints to exchange tokens.
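What the third-party system actually does with those four values is sign each request the OAuth 1.0a way (RFC 5849). The following is an added example, not Magento’s code: it builds the Authorization: OAuth header from constructed placeholder credentials and, on the receiving side, recomputes the signature with the stored secrets and compares it in constant time. The verifier also enforces the two checks RFC 5849 leaves to the server, timestamp freshness and nonce uniqueness, which is what stops a captured request from being replayed. HMAC-SHA1 is the RFC’s method and HMAC-SHA256 is wired in as well; which of the two your Magento instance accepts is not covered by the page.

```python
"""Added example, not Magento's code: signing and verifying a request with the four
integration credentials using OAuth 1.0a (RFC 5849, HMAC signature). The credentials
below are constructed placeholders. The verifier also enforces the two checks RFC 5849
leaves to the server: timestamp freshness and nonce uniqueness (replay protection)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlsplit, parse_qsl

HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Constructed sample of the four values Magento shows for an integration (not real).
CREDS = {"consumer_key": "ck-constructed-000", "consumer_secret": "cs-constructed-000",
         "access_token": "at-constructed-000", "access_token_secret": "ats-constructed-000"}


def pct(s):
    return quote(str(s), safe="-._~")              # RFC 5849 section 3.6 encoding


def signature(method, url, params, consumer_secret, token_secret, sig_method):
    """HMAC over the signature base string; key = consumer secret & token secret."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    base = "&".join([method.upper(), pct(base_url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    mac = hmac.new(key.encode(), base.encode(), HASHES[sig_method]).digest()
    return base64.b64encode(mac).decode()


def sign(method, url, creds, body_params=(), sig_method="HMAC-SHA1", nonce=None, timestamp=None):
    """Client side: build the Authorization: OAuth header for one request."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["access_token"],
        "oauth_signature_method": sig_method,
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params = list(oauth.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(body_params)
    oauth["oauth_signature"] = signature(method, url, params, creds["consumer_secret"],
                                         creds["access_token_secret"], sig_method)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header):
    """Split an Authorization: OAuth header into its (decoded) parameters; None if not OAuth."""
    if not header.startswith("OAuth "):
        return None
    out = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def lookup(consumer_key, token):
    """Stand-in credential store: secrets for a known (consumer key, token) pair."""
    if consumer_key == CREDS["consumer_key"] and token == CREDS["access_token"]:
        return CREDS["consumer_secret"], CREDS["access_token_secret"]
    return None


def verify(method, url, header, lookup_fn, seen_nonces, body_params=(), now=None, max_skew=300):
    """Server side: reject stale timestamps and replayed nonces first, then recompute
    the signature with the stored secrets and compare it in constant time."""
    p = parse_auth_header(header)
    if p is None or p.get("oauth_signature_method") not in HASHES:
        return False
    presented = p.pop("oauth_signature", "")
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs((now if now is not None else time.time()) - ts) > max_skew:
        return False
    if p.get("oauth_nonce") in seen_nonces:
        return False
    found = lookup_fn(p.get("oauth_consumer_key"), p.get("oauth_token"))
    if found is None:
        return False
    params = list(p.items()) + parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(body_params)
    expected = signature(method, url, params, *found, p["oauth_signature_method"])
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    seen_nonces.add(p["oauth_nonce"])   # only remembered once the signature checks out
    return True


if __name__ == "__main__":
    url = "https://shop.example.test/rest/V1/customers/1"
    header = sign("GET", url, CREDS)
    print(header)
    print(verify("GET", url, header, lookup, set()))
```

Because the signature covers the method, the normalized URL and every query and body parameter, a signed request cannot be redirected to another path or have its parameters altered in transit without the check failing; the nonce set (in practice a store with the same retention as max_skew) is what turns that into replay protection.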

Conclusion:

In conclusion, authentication is a vital component of the Magento platform, ensuring the security and trustworthiness of online transactions and interactions. With the ever-growing threat landscape, it is imperative for Magento store owners and developers to implement robust authentication mechanisms to protect customer data, prevent unauthorized access, and maintain the integrity of their online businesses. By leveraging the authentication methods discussed in this blog, such as two-factor authentication, single sign-on, and integration with trusted identity providers, merchants can enhance security while providing a seamless and user-friendly experience for their customers. As technology continues to evolve, it is essential to stay updated with the latest authentication practices and adapt accordingly. Remember, authentication is not just a security measure; it is a critical pillar for building customer trust and loyalty in the digital realm. So, invest in strong authentication measures, prioritize security, and ensure a safe shopping experience for your customers in your Magento store.