This chapter covers
- Using Open Authorization to allow access to our APIs
- Using OpenID Connect to verify the identity of our API users
- What kinds of authorization flows exist, and which flow is more suitable for each authorization scenario
- Understanding JSON Web Tokens (JWT) and using Python’s PyJWT library to produce and validate them
- Adding authentication and authorization middleware to our APIs
In 2018, a weakness in the API authentication system of the US postal system (https://usps.com) allowed hackers to obtain data from 60 million users, including their email addresses, phone numbers, and other personal details.1 API security attacks like this have become more and more common, with an estimated growth of over 300% in the number of attacks in 2021.2 API vulnerabilities don’t only risk exposing sensitive data from your users; they can also put you out of business!3 The good news is there are steps you can take to reduce the risk of an API breach. The first line of defense is a robust authentication and authorization system. In this chapter, you’ll learn to prevent unauthorized access to your APIs by using standard authentication and authorization protocols.