Now that you know how to identify the users of your APIs, you need to decide what they should do. In this part, you’ll take a deep dive into authorization techniques for making those crucial access control decisions.
Chapter 7 starts by taking a look at delegated authorization with OAuth2. In this chapter, you’ll learn the difference between discretionary and mandatory access control and how to protect APIs with OAuth2 scopes.
Chapter 8 looks at approaches to access control based on the identity of the user accessing an API. The techniques in this chapter provide more flexible alternatives to the access control lists developed in chapter 3. Role-based access control groups permissions into logical roles to simplify access management, while attribute-based access control uses powerful rule-based policy engines to enforce complex policies.
Chapter 9 discusses a completely different approach to access control, in which the identity of the user plays no part in what they can access. Capability-based access control is based on individual keys with fine-grained permissions. In this chapter, you’ll see how a capability-based model fits with RESTful API design principles and examine the trade-offs compared to other authorization approaches. You’ll also learn about macaroons, an exciting new token format that allows broadly-scoped access tokens to be converted on-the-fly into more restricted capabilities with some unique abilities.