This chapter covers
- Identifying the difference between authentication and authorization.
- Adding operations for creating users.
- Adding an operation for getting a user’s token (authentication).
- Adding the Authorization header to the POST /reviews operation (authorization).
We’re going to be looking at authentication and authorization, two close friends in APIs that are often a little misunderstood. Authentication is about proving you are who you say you are, which could be through a username and password. Authorization is about being allowed access to special actions or resources that normally require it, e.g. getting user details or creating a new review.
APIs almost always include a form of authorization and authentication, so naturally describing them is important. In today’s world we have multiple standards dealing with authorization, each with different tradeoffs and strengths, and we should communicate to our consumers which of these standards we use.
Personally, one of the biggest hurdles to using an API is getting authorization to work. I’ve often found myself wading through oodles of documentation, searching for how to get access to consume it! OpenAPI makes it easier by being explicit about what authorization is needed.
At the end of this chapter you’ll be able to describe simple security schemes for authentication/authorization and add them to operations in OpenAPI.
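To make the shape of that concrete, here is an added sketch (not the book’s own FarmStall definition) of how OpenAPI 3 separates the two ideas: a reusable security scheme is declared once under `components.securitySchemes`, and authorization is then attached to individual operations via `security`. The `/users` and `/tokens` paths and the scheme name `MyUserToken` are assumptions made for this example; only `POST /reviews` comes from the chapter outline.

```yaml
openapi: 3.0.3
info:
  title: FarmStall API (added example, not the book's definition)
  version: 0.1.0
paths:
  /users:
    post:
      summary: Create a user            # assumed path; no token exists yet, so no `security`
      responses:
        '201':
          description: User created
  /tokens:
    post:
      summary: Get a user's token       # assumed path; this is the authentication step
      responses:
        '200':
          description: Token issued for the supplied username and password
  /reviews:
    post:
      summary: Create a review
      # Authorization: this operation requires the scheme declared below.
      # The empty list means "no OAuth scopes"; it is required syntax for apiKey schemes.
      security:
        - MyUserToken: []
      responses:
        '201':
          description: Review created
        '401':
          description: Missing or invalid token   # what a consumer sees if they skip authentication
components:
  securitySchemes:
    MyUserToken:                         # assumed scheme name
      type: apiKey                       # a bearer-style token sent in a header
      in: header
      name: Authorization
```

Operations without a `security` block, such as creating a user or fetching a token, stay open by default, so be deliberate about which operations carry it; a top-level `security` key would instead apply the scheme to every operation unless overridden.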
In our FarmStallAPI we’ll be adding