8 Implementing API authentication and authorization
This chapter covers
- Documenting API security with OpenAPI
- Issuing and validating JSON Web Tokens
- Integrating with an OpenID Connect provider to add authentication to our APIs
- Validating access tokens issued by an OpenID Connect provider
- Creating middleware to authorize access to our APIs
- Implementing role-based access controls

In February 2023, ethical hacker Eaton Zveare discovered major authentication and authorization vulnerabilities in Toyota’s Global Supplier Preparation Information Management System, an application Toyota employees used to manage their supply chain [1]. Zveare was able to do several things: obtain access tokens without providing a password, impersonate Toyota employees, search the employee directory, assume administrator roles, and access highly sensitive data about Toyota’s supply chain. Fortunately, Zveare is an ethical hacker, and he reported the vulnerabilities instead of exploiting them. In the hands of threat actors, however, vulnerabilities like these are the perfect recipe for a major data breach and can put our whole business at risk.