Drupal REST API Authentication
In this document, we will take you through the steps to configure and use each of the authentication methods that we provide in the miniOrange REST API Authentication module. This module support both the REST as well as the JSON API modules.
You can refer to our detailed setup guide for all the Authentication Methods via the following link-API Authentication Guide.
If you have any other custom APIs that you would like our module to support or in case you need any sort of assistance, please feel free to reach out to us at drupalsupport@xecurify.com Please click here to see the complete feature list.
1. Basic Authentication
- Basic authentication is a simple authentication mechanism where the client can use their credentials to protect the Drupal APIs. In order to use any API with this method of authentication, you need to send a request with your base64 encoded username and password in the Authorization header.
- To select this method click on the Basic Authentication from the module as shown below:
- To get node information in Drupal, you have to make a GET request along with the Drupal username and password of the user. The value of the username and password must be in base64encoded format. You can refer to the below format to make a call.
Request: GET <your_drupal_base_url>/node/{node}?_format=json
Header:
Authorization: Basic base64encoded <username:api_key>
Accept: application/json
Content-Type: application/json
Sample curl Request Format-
--location --request GET '<your_drupal_base_url>/node/1?_format=json' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic base64encoded <username:API key’> \
2. API Key Authentication
- API Key Authentication is one of the simplest methods to protect Drupal REST APIs. Once you have generated API Keys for all your users, you can use those keys to secure access to your Drupal REST APIs.
- In order to set up API Key as an API Authentication method, please navigate to the API Authentication tab of the REST API Authentication Module (/admin/config/people/rest_api_authentication/auth_settings).
- Select the Enable Authentication checkbox and click on the Save Above Settings button.
- For enabling the API Key-Based Authentication, select the API Key radio button.
- In the same screen, you can generate the API key for a particular user or you can generate the API key for all the users at once.
- You’d have to create a user attribute for the field API key. You can refer this link to create a Field API Key.
- To elaborate more, let's take an example of creating a user in Drupal
- To create a user in Drupal, a POST request has to be made with the user's username and an API key provided by the miniOrange REST API Authentication Module. The username and API key should be encoded in base64. Use the following format as a reference to make the call:
Request: POST <your_drupal_base_url>/entity/user?_format=json
Header:
Authorization: Basic base64encoded <username:api_key>
Accept: application/json
Content-Type: application/json
Body:
{
"name": [
{"value": "username"}
],
"mail": [
{"value": "email"}
],
"pass": [
{"value": "password"}
],
"status":[
{"value": "1"}
]
}
Sample curl Request Format-
--location --request POST '<your_drupal_base_url>/entity/user?_format=json' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic base64encoded’ \
--data-raw '
{
"name": [
{"value": "Username"}
],
"mail": [
{"value": "email"}
],
"pass":[
{"value": "Password"}
],
"status":[
{"value": "1"
}
]
3. JWT Authentication
- JSON Web Token (JWT) is a secure way to represent a user's identity during a two-party interaction. Initially, the credentials of your Drupal site are used to first get a JWT token. After verifying the username and password, the Drupal REST API Authentication module creates a signed JWT token, which is sent back to the client application for subsequent API requests.
- This token is used to perform the operations in Drupal till it expires. The Drupal REST API Authentication module will grant access only when it receives a valid JWT from the application.
- In order to set up JWT as an API Authentication method, please navigate to the API Authentication tab of the REST API Authentication Module (/admin/config/people/rest_api_authentication/auth_settings).
- Select the Enable Authentication checkbox and click on the Save Above Settings button.
- Below the Save Above Settings button select the JWT radio button. Provide the attribute name in which your username will be received in the "Username Attribute" text field.
- Finally, click on the Save JWT Configuration button.
- To use an externally created JWT token for authentication, you can configure the following options:
- Enter the attribute name in which your username will be received in the "Username Attribute" text field.
- If you want to use an external JWT token, you can also specify the JWKS URL to validate that token in Drupal.
- Let’s consider the following example - we need to initiate an API request to obtain a JWT. Subsequently, we will leverage the token to authenticate the Drupal API to create a basic page.
- To acquire the JWT, we must submit a POST query that contains the user’s Drupal credentials. The Username and Password must be sent in a base64-encoded format. For your convenience, please refer to the format of the request below.
Request: POST <your_drupal_base_url>/rest_api/id_token
Header:
Authorization: Basic base64encoded <username:password;>
Accept: application/json
Sample curl Request Format-
--location --request POST "<your_drupal_base_url>/rest_api/id_token' \"
--header 'Accept: application/json'\
--header 'Content-Type: application/json' \
--header 'Authorization: Basic base64encoded’ \'
4. OAuth 2.0 Authentication
- To authenticate access to Drupal site APIs through the REST API, the OAuth 2.0 method employs the OAuth 2.0 protocol flow. This involves obtaining a security access token, which is then used to authenticate access to your Drupal site. The OAuth Authentication Method provides an access token that is highly encrypted and secure, ensuring complete security for your Drupal APIs. It is regarded as one of the most secure methods for protecting your Drupal REST or JSONAPI API endpoints against unauthorized access.
- Navigate to the API Authentication tab of the REST API Authentication Module (/admin/config/people/rest_api_authentication/auth_settings)
- Select the Enable Authentication checkbox and click on the Save Above Settings button.
- Below the Save Above Settings button select the OAuth/Access Token radio button.
- Now click on the Generate a new Client ID & Secret button.
- The miniOrange API Authentication module supports two grant types that can be utilized to get an access token:
- Password Grant: In this grant type, you can obtain the access token by sending a POST request containing the user’s Drupal Username and Password along with the Client ID issued by the REST API Authentication module :
Request: POST <drupal_base_url>/rest_api/access_token
Body:
grant_type = password
username = drupal_username
password = drupal_password
client_id = client_id
Sample curl Request Format-
--location --request POST '<your_drupal_base_url>/rest_api/access_token' \
--header 'Accept: application/json'\
--header 'Content-Type: pplication/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id= ' \
--data-urlencode 'username='\
--data-urlencode 'password='
Request: POST <drupal_base_url>/rest_api/access_token
Body:
grant_type = client_credentials
client_id = client_id
client_secret = client_secret
Username = drupal_username
Sample curl Request Format-
--location --request POST '<your_drupal_base_url>/rest_api/access_token' \
--header 'Accept: application/json'\
--header 'Content-Type: pplication/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id= <Client_ID>'\
--data-urlencode 'username=<drupal_username>' \
--data-urlencode 'client_secret=<Client_secret>'
- For make an API call to get an access token. We will then use this to authenticate Drupal API for getting a user’s information refer this link.
5. Third Party Provider Authentication
- To implement this method, you'll need to obtain tokens from third-party providers such as Google, Azure AD, etc. These tokens allow you to access Drupal's REST APIs securely.
- To use External Identity Provider Authentication, you'll need to configure the module by specifying the User Info Endpoint provided by your Identity Provider, as well as the username attribute associated with your Identity Provider. Once configured, you can authenticate all Drupal API Requests using the token provided by your provider.
- Navigate to the API Authentication tab of the REST API Authentication Module (/admin/config/people/rest_api_authentication/auth_settings)
- Tick the Enable Authentication checkbox and hit Save Above Settings button.
- Beneath the Save Above Settings button, select the External Identity Provider radio button.
- In the User Info Endpoint text box, input the user info endpoint for your Identity Provider. This will allow the module to retrieve the user's information using the provided token.
- In the Username Attribute field, input the attribute key/name of your Identity Provider that the external provider is utilizing to send the username.
- To create a user in Drupal, a POST request has to be made along with the Token received from the identity provider.
Request: POST <your_drupal_base_url>/entity/user?_format=json
Header:
Token: <Token_receievd_from_external_identity_provider>
Accept: application/jsonContent-Type: application/json
Body:
{
"name": [
{"value": "username"}
],
"mail": [
{"value": "email"}
],
"pass": [
{"value": "password"}
],
"status": [
{"value": "1"}
]
}
Sample curl Request Format-
--location --request POST '<your_drupal_base_url>/entity/user?_format=json' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Token: ' \
--data-raw '
{
"name": [
{"value": "Username"}
],
"mail": [
{"value": "email"}
],
"pass": [
{"value": "Password"}
],
"status": [
{"value": "1"}
]
}
24*7 Active Support
If you face any issues or if you have any questions, please feel free to reach out to us at drupalsupport@xecurify.com. In case you want some additional features to be included in the module, please get in touch with us, and we can get that custom-made for you. Also, If you want, we can also schedule an online meeting to help you configure the Drupal REST API Authentication module.
Additional Resources
Our Other modules
×
![ADFS_sso]()
Hello there!
Need Help? We are right here!
