8 Implementing API authentication and authorization

This chapter covers

  • Documenting API security with OpenAPI
  • Issuing and validating JSON Web Tokens
  • Integrating with an OpenID Connect provider to add login and authorization to our APIs
  • Validating access tokens issued by an OpenID provider
  • Creating a middleware to authorize access to our APIs
  • Implementing role-based access controls

In February 2023, ethical hacker Eaton Zveare disclosed major authentication and authorization vulnerabilities in Toyota’s Global Supplier Preparation Information Management System (GSPIMS), an application used by Toyota employees to manage their supply chain (https://eaton-works.com/2023/02/06/toyota-gspims-hack/). Among other things, Zveare was able to obtain access tokens without providing a password, impersonate Toyota employees, search the employee directory, assume administrator roles, and access highly sensitive data about Toyota’s supply chain. Fortunately, Zveare reported the vulnerabilities instead of exploiting them. In the hands of threat actors, however, vulnerabilities like these are the perfect recipe for a major data breach and put the whole business at stake.

8.1 Documenting authenticated endpoints with OpenAPI

8.2 Issuing JSON Web Tokens

8.3 Validating JSON Web Tokens

8.4 Integrating with an OpenID Connect provider

8.4.1 Log in users and issue access tokens with an OpenID Connect provider

8.4.2 Validating access tokens issued by an OpenID Connect provider

8.5 Adding an authorization middleware

8.6 Implementing role-based access controls
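The following is an added example, not code from this chapter or from the book's own project, showing in one place what sections 8.2, 8.3 and 8.6 cover: issuing an HS256 JSON Web Token, validating it, and making a role-based access decision on its claims. It uses only the Python standard library rather than a JWT library so that the checks a validator must perform are visible: the algorithm is pinned rather than read from the token header (so `alg: none` and key-confusion tokens are rejected), the signature is compared in constant time, and `exp`, `iss` and `aud` are enforced before any claim is trusted. The secret, issuer and audience values and the helper names (`issue_token`, `validate_token`, `authorize`) are assumptions made for the example; the `now` parameter exists only so the expiry check can be exercised deterministically.

```python
"""Added example (not the book's code): minimal HS256 JWT issuing, validation
and role-based authorization using only the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo values; a real service loads the secret from a secrets
# manager and takes issuer/audience from configuration.
SECRET = b"demo-secret-change-me-this-is-not-a-real-key"
ISSUER = "https://auth.example.com"       # assumed issuer
AUDIENCE = "https://api.example.com"      # assumed audience
ALG = "HS256"                             # the only algorithm we accept


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    # JWT uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped on encoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: List[str], ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Build header.payload.signature with iat/exp/iss/aud and a roles claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iss": ISSUER, "aud": AUDIENCE,
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is genuine, unexpired and meant for us."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; compare_digest returns False on length mismatch.
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only now is the payload trustworthy enough to parse and inspect.
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed payload")
    if payload.get("iss") != ISSUER or payload.get("aud") != AUDIENCE:
        raise TokenError("wrong issuer or audience")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("token expired")
    return payload


def authorize(token: str, required_role: str, now: Optional[int] = None) -> bool:
    """Role-based access check; any validation failure denies access."""
    try:
        claims = validate_token(token, now=now)
    except TokenError:
        return False
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    tok = issue_token("alice", ["admin"])
    print(tok)
    print("admin allowed:", authorize(tok, "admin"))
    print("auditor allowed:", authorize(tok, "auditor"))
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is even decoded, so an attacker who edits the `roles` claim or strips the signature never reaches the authorization step. A production service would additionally check `nbf` if it issues it and would hold its verification key outside the process that issues tokens.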

8.7 Summary