What type of authentication should I use?

We support form, OAuth2, and server authentication. These types of form authentication are supported: HTML form-based authentication (standard login), custom form fields, and a Selenium script uploaded from your file system. These OAuth2 grant types are supported: Authorization Code, Implicit, Client Credentials, and Resource Owner Password Credentials. These types of server authentication are supported: Basic, Digest and NTLM.

For an authenticated scan you can combine either form and server authentication or OAuth2 and server authentication; a form record and an OAuth2 record cannot be used together. Note that while updating an authentication record, set the form record type to NONE if you want to set an OAuth2 record instead of a form record, and set the OAuth2 record grant type to NONE if you want to set a form record instead of an OAuth2 record.

Need help with selecting an authentication type? The first step is to see what type of authentication is needed for your web application.

Form Authentication

To authenticate to a login form on the web application, you'll need to supply username and password credentials. Form authentication typically passes the username and password within a POST to the application framework. If the application framework is on the same domain, use the Standard Login option. If the application framework handling the authentication is on another domain, you must provide crawl access to this domain via the "Explicit URLs to Crawl" setting within your web application settings.

Form Authentication using Selenium

For more complex form authentication use the Selenium Script option. Record the authentication process in a Selenium script and upload the script to your authentication record. At scan time we'll play back the script to authenticate to the form.

OAuth2 Authentication

If you want to authenticate a Swagger/OpenAPI file using OAuth2, you will need to select one of the four OAuth2 grant types. Select a grant type and enter the details to create an OAuth2 authentication record. We will use this record to authenticate your Swagger/OpenAPI file at the time of scanning.

OAuth2 Authentication using Selenium

Selecting "Authorization Code" or "Implicit" grant types requires you to upload a valid Selenium script. Record the authentication process in a Selenium script and upload the script to your authentication record. At scan time we'll play back the script to authenticate to the API server.

Server Authentication

For server authentication you'll need to provide server authentication credentials within a Server Record. Server authentication is handled within the HTTP headers. Selenium scripts cannot be configured to do server authentication.
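The first step in choosing a record type is to look at how the application actually asks for credentials. The following added example (not part of this help page or its product) inspects a constructed login response and maps what it sees to the record types described above: a WWW-Authenticate challenge (Basic, Digest, NTLM) to a Server Record, a Bearer challenge to an OAuth2 record, and an HTML form with a password field to a Form Record, flagging a form that posts to a different domain so you know to add that domain under "Explicit URLs to Crawl". The sample responses and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse
from typing import NamedTuple

class AuthHint(NamedTuple):
    record_type: str   # "server", "form", "oauth2" or "unknown"
    detail: str        # sub-type to pick, plus any scan setting it implies

# Challenge schemes that belong in a Server Record (handled in HTTP headers).
SERVER_SCHEMES = {"basic", "digest", "ntlm"}

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def classify_auth(raw: str, app_host: str) -> AuthHint:
    """Suggest which authentication record type fits the login response served by app_host."""
    status, headers, body = parse_response(raw)
    # Server authentication: the server challenges the client in the headers.
    for challenge in headers.get("www-authenticate", []):
        scheme = challenge.split()[0].lower()
        if scheme in SERVER_SCHEMES:
            return AuthHint("server", "NTLM" if scheme == "ntlm" else scheme.capitalize())
        if scheme == "bearer":
            return AuthHint("oauth2", "Bearer token challenge; pick the grant type the API issues tokens with")
    # Form authentication: an HTML form that carries a password field.
    form = re.search(r"<form\b[^>]*>.*?</form>", body, re.I | re.S)
    if form and re.search(r"<input\b[^>]*type=[\"']?password", form.group(0), re.I):
        action = re.search(r"\baction=[\"']?([^\"'\s>]+)", form.group(0), re.I)
        target = urlparse(action.group(1)).hostname if action else None
        if target and target.lower() != app_host.lower():
            return AuthHint("form", f"Standard Login; form posts to {target}, add it to Explicit URLs to Crawl")
        return AuthHint("form", "Standard Login")
    return AuthHint("unknown", f"HTTP {status} with no recognised challenge or login form")

# Constructed sample responses (not captured from any real system).
SAMPLE_BASIC = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="intranet"\r\nContent-Length: 0\r\n\r\n'
SAMPLE_FORM = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><body><form method='post' action='https://sso.example.test/login'>"
               "<input name='user'><input type='password' name='pass'></form></body></html>")

if __name__ == "__main__":
    print(classify_auth(SAMPLE_BASIC, "app.example.test"))
    print(classify_auth(SAMPLE_FORM, "app.example.test"))
```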