Authentication and Authorization
Learn about authentication and authorization and their respective protocols.
What are authentication and authorization?
To fulfill our security goals, the API needs to be able to differentiate users in our system and potentially fend off nefarious users. Let’s take the example of a banking API. It would be detrimental if we couldn't verify the identity of the individual users utilizing our API and, because of that inability, an imposter gained access to another user’s account and the assets within. Also, not all service users are alike: some might be individual users, while others might belong to a large organization. The authorization mechanism manages what each user is permitted to do based on their user category, such as having the ability to call different functions or make a specific number of API calls per day. Authentication and authorization are therefore essential to implementing the security goals we defined earlier in this chapter.
Authentication refers to the procedure through which our API verifies who the user is. Typically, applications fulfill this by implementing a login system utilizing usernames and passwords for verification. There are other techniques for authenticating users in the API paradigm that we’ll explore in this lesson.
Authorization is controlling what the user has access to. This is where applications verify whether the user is even allowed to make the request they are making. For example, we may be authorized to view a Google Doc but not edit it.
Let's begin by defining some common authentication protocols prevalent in the API landscape, after which we'll expand on the frameworks that combine and utilize these protocols to implement both authentication and authorization.
Authentication and authorization mechanisms
There are several mechanisms we can explore in this section, so let's take a look at those prevalent in today's industry. We'll begin with one that's largely regarded as the simplest, HTTP basic authentication.
HTTP basic authentication
HTTP basic authentication is a rudimentary scheme that verifies a client through username and password authentication. It encodes the user's username and password, joined by a colon, in Base64 and embeds the result in the request's Authorization header. The encoding follows a set template. For instance, a client with the username “Bob” and password “thefarmer” has its credentials embedded in the header as follows:
Authorization: Basic Qm9iOnRoZWZhcm1lcg==
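To show both halves of this exchange, here is an added example (not code from the lesson) that builds the header on the client side and parses and verifies it on the server side. The credential store is a constructed, plaintext dictionary for demonstration only; a real service would store salted password hashes. Note that only the first colon separates username from password, since the password itself may contain colons, and that the password comparison is constant-time.

```python
import base64
import binascii
import hmac

# Constructed demo credential store: username -> password.
# A real service would store salted password hashes, never plaintext.
USERS = {"Bob": "thefarmer"}


def build_basic_header(username: str, password: str) -> str:
    """Client side: Base64-encode 'username:password' for the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Server side: return (username, password), or None if the header is malformed."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Only the first colon is the separator; the password may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header) -> bool:
    """True only if the header carries a known username and its matching password."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the password matched.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return ok and username in USERS


if __name__ == "__main__":
    header = build_basic_header("Bob", "thefarmer")
    print(header, authenticate(header))
```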