7 API authorization and authentication
This chapter covers
- The role of authentication and authorization in API security
- Best practices for working with JSON Web Tokens
- Understanding Open Authorization (OAuth) and when to use each OAuth flow
- Hardening security with sender-constrained tokens
- Securing user identities with OpenID Connect
- Leveraging role-based access controls to define sets of permissions
In August 2024, cybersecurity firm Bitdefender revealed that Solarman, one of the world’s largest photovoltaic monitoring and management platforms, was vulnerable to account takeover. By gaining access to other user accounts, threat actors could steal personal data and disrupt the supply of electricity (https://www.bitdefender.co.uk/blog/labs/60-hurts-per-second-how-we-got-access-to-enough-solar-power-to-run-the-united-states/, see also the more detailed technical report: https://blogapp.bitdefender.com/labs/content/files/2024/08/Bitdefender-PReport-solarman-creat7907.pdf). Solarman exposes APIs that allow manufacturers of photovoltaic monitoring devices to log their data. According to Bitdefender’s findings, Solarman’s API failed to validate access tokens correctly, allowing threat actors to forge tokens.