This chapter covers:
- Identifying the difference between authentication and authorization.
- Adding operations for creating users.
- Adding an operation for getting a user’s token (authentication).
- Adding the Authorization header to the POST /reviews operation (authorization).
We’re going to be looking at authentication and authorization, two close friends in APIs that are often a little misunderstood. Authentication is about proving you are who you say you are, for example with a username and password. Authorization is about being allowed to access resources or perform actions that are normally private, such as getting a user’s details or creating a new review. The two are separate steps: a request can carry a perfectly valid identity and still be refused because that identity isn’t permitted to do what it asked.
APIs almost always include some form of authorization (and therefore some form of authentication), so describing them is a natural part of describing the API. Today there are several standards for authorization, each with its own trade-offs and strengths, and we should tell our consumers which of them our API uses.
Personally, one of the biggest hurdles to using an API is getting authorization to work. I’ve found myself wading through documentation just to be able to use the API!
At the end of this chapter you’ll be able to describe simple security schemes for authentication/authorization and add them to operations in OpenAPI.
In our FarmStall API we’ll be adding:
- POST /users
- POST /tokens
- The Authorization header to POST /reviews
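As an added illustration of where this chapter is heading (this is not the book’s own FarmStall definition), the OpenAPI fragment below describes the three additions together. The security scheme name UserToken, the apiKey-in-header style, the request and response shapes, and the 401 response are all assumptions made for the example; the chapter’s actual definitions may differ. The point to notice is that the scheme is declared once under components and then attached only to POST /reviews, so POST /users and POST /tokens remain callable without a token.

```yaml
openapi: 3.0.3
info:
  title: FarmStall API
  version: v1
paths:
  /users:
    post:
      summary: Create a user
      # No security here: you can't hold a token before you have an account.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [username, password]
              properties:
                username: { type: string }
                password: { type: string, format: password }
      responses:
        '201':
          description: User created
  /tokens:
    post:
      summary: Exchange credentials for a token (authentication)
      # Also public: this is the operation that proves who you are.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [username, password]
              properties:
                username: { type: string }
                password: { type: string, format: password }
      responses:
        '201':
          description: Token issued
          content:
            application/json:
              schema:
                type: object
                properties:
                  token: { type: string }   # assumed response shape
  /reviews:
    post:
      summary: Create a review (authorization required)
      # Operation-level security: the Authorization header is required here only.
      # Because there is no top-level "security:" key, nothing else inherits it.
      security:
        - UserToken: []
      # The review request body is defined earlier in the book and is omitted here.
      responses:
        '201':
          description: Review created
        '401':
          description: Missing or invalid token   # assumed for the example
components:
  securitySchemes:
    # Assumed scheme: an opaque token sent verbatim in the Authorization header.
    # If the token were sent as "Authorization: Bearer <token>" you would
    # instead use "type: http" with "scheme: bearer".
    UserToken:
      type: apiKey
      in: header
      name: Authorization
```

One caveat worth keeping in mind: declaring a security scheme in OpenAPI documents the requirement for consumers and tooling, but it enforces nothing. The server behind POST /reviews still has to check the token on every request and reject anything missing, expired, or not entitled to create a review.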