11 APIs authorization and authentication
This chapter covers
- Using Open Authorization to allow access to our APIs
- Using OpenID Connect to verify the identity of our API users
- Which kinds of authorization flows exist, and which flow is more suitable for each authorization scenario
- Understanding JSON Web Tokens (JWT) and using Python’s PyJWT library to produce and validate them
- Adding authentication and authorization to our APIs
- Integrating with an identity-as-a-service provider
In 2018, a weakness in the API authentication system of the US postal system (https://usps.com) allowed hackers to obtain data from 60 million users, including their email addresses, phone numbers, and other personal details.[1] API security attacks like this have become more and more common, with an estimated growth of over 300 percent in the number of attacks perfomed in 2021.[2] API vulnerabilities don’t only risk exposing sensitive data from your users – they can also put you out of business![3] The good news is, there’re steps you can take to reduce the risk of API breach. The first line of defense is a robust authentication and authorization system. In this chapter, you’ll learn to prevent unauhotirzed access to your APIs by adding a robust authentication and authoriztion layer to your APIs.