7 API authorization and authentication
This chapter covers

  • The role of authentication and authorization in API security
  • Best practices for working with JSON Web Tokens
  • Understanding Open Authorization (OAuth) and when to use each OAuth flow
  • Hardening security with sender-constrained tokens
  • Securing user identities with OpenID Connect
  • Leveraging role-based access controls to define sets of permissions

In August 2024, cybersecurity firm Bitdefender revealed that Solarman, one of the world’s largest photovoltaic monitoring and management platforms, was vulnerable to account takeover. By gaining access to other user accounts, threat actors could steal personal data and disrupt the supply of electricity (https://www.bitdefender.co.uk/blog/labs/60-hurts-per-second-how-we-got-access-to-enough-solar-power-to-run-the-united-states/, see also the more detailed technical report: https://blogapp.bitdefender.com/labs/content/files/2024/08/Bitdefender-PReport-solarman-creat7907.pdf). Solarman exposes APIs that allow manufacturers of photovoltaic monitoring devices to log their data. According to Bitdefender’s findings, Solarman’s API failed to validate access tokens correctly, allowing threat actors to forge tokens.

7.1 Authentication vs authorization

7.2 Understanding JSON Web Tokens

7.2.1 Structure and representation of JSON Web Tokens

7.3 Understanding Open Authorization

7.4 Understanding OAuth flows

7.4.1 Authorization code flow

7.4.2 Protecting authorization requests with proof of key exchange

7.4.3 Client credentials flow

7.4.4 Device authorization flow

7.4.5 Refresh token flow

7.5 Sender-constrained tokens

7.5.1 Mutual TLS for certificate-bound tokens

7.5.2 Demonstrating proof of possession

7.6 Understanding OpenID Connect

7.7 Understanding role-based access controls

7.8 Summary