7 API authorization and authentication
This chapter covers
- Understanding the role of authentication and authorization in API security
- Following best practices for working with JSON Web Tokens
- Understanding Open Authorization and when to use each OAuth flow
- Hardening security with sender-constrained tokens
- Securing user identities with OpenID Connect
- Using role-based access controls to define sets of permissions

In August 2024, cybersecurity firm Bitdefender revealed that Solarman, one of the world’s largest photovoltaic monitoring and management platforms, was vulnerable to account takeover. By gaining access to other user accounts, threat actors could steal personal data and disrupt the supply of electricity [1, 2]. Solarman exposes APIs that allow manufacturers of photovoltaic monitoring devices to log their data. According to Bitdefender’s findings, Solarman’s API failed to validate access tokens correctly, allowing threat actors to forge tokens and impersonate other users.
The Solarman story brings up a recurrent theme in the API security space: authentication and authorization are hard. Authentication is the process of verifying user identity, and authorization is the process of validating access to a resource or operation. As you’ll learn in this chapter, there are different types of access controls, such as user-based and role-based. But before we can authorize user access, we need to know who the users are, which is where authentication comes into play.