7 Adding authentication and authorization

This chapter covers

  • Identifying the difference between authentication and authorization
  • Adding operations for creating users
  • Adding an operation for getting a user’s token (authentication)
  • Adding the Authorization header to the POST /reviews operation (authorization)

We’re going to look at authentication and authorization in this chapter (see figure 7.1), two close friends in APIs that are often a little misunderstood. Authentication is about proving you are who you say you are, which could be done with a username and password. Authorization is about being allowed access to particular actions or resources, such as getting user details or creating a new review.

Figure 7.1 Where we are

APIs almost always include a form of authorization and authentication, so describing them is important. In today’s world we have multiple standards for dealing with authorization, each with different trade-offs and strengths, so we need to inform our consumers which of these standards we use.

We find that one of the biggest hurdles to using an API is getting authorization to work. We’ve often found ourselves wading through oodles of documentation, searching for how to get access to consume the API! OpenAPI makes it easier by being explicit about what authorization is needed.

By the end of this chapter, you’ll be able to describe simple security schemes for authentication and authorization and add them to operations in OpenAPI.

7.1 The problem

7.2 Getting set up for authentication

7.2.1 Challenge: Describe POST /users

7.2.2 Challenge: Describe POST /tokens

7.2.3 Solution: Definition changes

7.2.4 Verifying we can create users and get a token

7.3 Adding the Authorization header

7.3.1 How OpenAPI handles authorization

7.3.2 Types of authorization (securities) supported in OpenAPI 3.0.x

7.3.3 Adding the Authorization header security scheme