Authentication and Authorization in APIs

Transcript

1. Authentication & Authorization APIs Consuming APIs like a pro

2. Clifford Ouma Twitter: @clifford_ouma LinkedIn: Clifford Ouma Who I am

   Postman Student Leader Moi University

3. go.postman.co/build Understanding more about you

4. Mission You've been hired by a professional music blogger to

   create a workflow that helps them discover new music. You'll use the Spotify Web API to let the blogger search for songs they like and find similar music!

5. What you will learn go.postman.co/build Making API requests with Auth

   Calling a real-world REST API Chaining multiple API calls to build a workflow Visualizing response data

6. What is a workflow? And why do we need it?

7. Introducing: Workflows Authentication and Authorization Workflows are a chain of

   requests that execute in a particular order.

8. Introducing: Workflows Authentication and Authorization Workflows are a chain of

   requests that execute in a particular order. Requests are dependent on one another

9. Introducing: Workflows Authentication and Authorization Workflows are a chain of

   requests that execute in a particular order. Requests are dependent on one another Can be executed in different sequences

10. What is Auth? And why do APIs use it?

11. Introducing: Auth Authentication and Authorization Authentication = verifying identity

12. Introducing: Auth Authentication and Authorization Authentication = verifying identity Authorization

    = granting permissions

13. Introducing: Auth Authentication and Authorization Authentication = verifying identity Authorization

    = granting permissions Both are the first line of defense for the API

14. Authentication vs Authorization Authentication identifies that you are who you

    say you are. E.g Twitter verification

15. Authentication vs Authorization Authentication identifies that you are who you

    say you are. E.g Twitter verification Authorization verifies what permissions you have. E.g Restricted areas

16. Types of Auth in APIs A brief history

17. Basic Auth Simplest form of auth Uses email and password

    to verify users You have to trust the API hashes your password Requires using HTTPS connection for security

18. API Keys Your invitation to use the API API keys

    are alphanumeric strings that provide basic access to the API’s services and data. Provided by API upon signup Allow developers to impose rate limits and revoke access in a ToS violation. a4db08b7-5729-4ba9-8c08-f2df493465a1

19. OAuth: Where the Magic Happens

20. OAuth(Open Authorization) OAuth gets access to protected data Sophisticated and

    uses tokens and ID to authorize. But access is scoped There are 2 versions: OAuth1 OAuth2.0

21. OAuth: A valet key

22. Key has limited access to the car You give valet

    the key Takeaways from the valet scenario

23. Do the OAuth Dance 🕺🏽 Resource owner (User) Client (Application

    ) 1. Authorization Request “Can I view your Google contacts?” 2. Authorization Grant Code “OK!” Authorization server Resource server Authorization code grant type

24. Do the OAuth Dance 🕺🏽 Resource owner (User) Client (Application

    ) 1. Authorization Request 2. Authorization Grant Code 3. Authorization Grant Code Authorization server Resource server “Please give me an access token” 4. Access Token “Here you go” Authorization code grant type

25. Do the OAuth Dance 🕺🏽 Resource owner (User) Client (Application

    ) 1. Authorization Request 2. Authorization Grant Code 3. Authorization Grant Code Authorization server Resource server 4. Access Token 4. Protected Resource 5. Access Token “Please give me the user’s contacts” “Here you go” Authorization code grant type

26. Do the OAuth Dance 🕺🏽 Grant types Grant Type Optimization

    When to Use Authorization Code Server + Web/Mobile For apps involving a backend (server) that can hide a client secret

27. Do the OAuth Dance 🕺🏽 Grant types Grant Type Optimization

    When to Use Authorization Code Server + Web/Mobile For apps involving a backend (server) that can hide a client secret Authorization Code with PKCE Web, Mobile Single-Page apps and native apps, where client secret cannot be hidden from public

28. Do the OAuth Dance 🕺🏽 Grant types Grant Type Optimization

    When to Use Authorization Code Server + Web/Mobile For apps involving a backend (server) that can hide a client secret Authorization Code with PKCE Web, Mobile Single-Page apps and native apps, where client secret cannot be hidden from public Password 1st Party Apps For security reasons, this should only be used with apps made by the service itself (1st party apps)

29. Do the OAuth Dance 🕺🏽 Grant types Grant Type Optimization

    When to Use Authorization Code Server + Web/Mobile For apps involving a backend (server) that can hide a client secret Authorization Code with PKCE Web, Mobile Single-Page apps and native apps, where client secret cannot be hidden from public Password 1st Party Apps For security reasons, this should only be used with apps made by the service itself (1st party apps) Client Credentials Server-to- server For application-to-application communications when a user is not present in the workflow and the client must authenticate itself

30. Do the OAuth Dance 🕺🏽 Grant types Grant Type Optimization

    When to Use Authorization Code Server + Web/Mobile For apps involving a backend (server) that can hide a client secret Authorization Code with PKCE Web, Mobile Single-Page apps and native apps, where client secret cannot be hidden from public Password 1st Party Apps For security reasons, this should only be used with apps made by the service itself (1st party apps) Client Credentials Server-to- server For application-to-application communications when a user is not present in the workflow and the client must authenticate itself Implicit Legacy Now prefer use of Authorization Code with PKCE for frontend-only apps.

31. Do the OAuth Dance (in Postman) Enter grant type and

    credentials Get access token Postman simplifies this process 1. 2.

32. What does this have to do with workflows? Almost every

    API you come in contact with will have some form of authentication and/or authorization. This information is imperative to creating today’s workflow (and any other workflows or applications you create!)

33. Building our Workflow The Spotify Recommendation Flow

34. What we’re gonna do Spotify Song Recommendation Workflow The Spotify

    API OAuth 2 Postman You've been hired by a busy music blogger to create a workflow that helps them discover new music. You'll use the Spotify Web API to let the blogger search for songs they like and find similar music! In this exercise we will be using:

35. Workflow Get access token (OAuth) Get track id Get track

    recommendations

36. Your turn! Fork this collection Follow the instructions in “your

    turn!” The blogger wants more accurate song recommendations based on artists they like! Build a workflow that allows the blogger to enter three artists to generate 5 song recommendations Getting started 1. 2.

37. Going further Create a playlist of an authenticated user’s most-played

    songs Create a playlist of songs with no words (for studying!) Finds recommendations based on a user’s currently playing track ...Your idea here! What workflows could you make? Explore the Spotify API reference

38. Continue Learning APIs as a Student Expert Student Expert certification

    indicates that you are proficient in the essential skills involved in building and testing API requests in Postman, including: Sending more sophisticated requests in Postman. Editing documentation for a collection. Writing basic test scripts. Running collections, passing data between requests, and scripting request execution order. Have the option to become a Student Leader in your community

39. Postman Student Expert Apply here: https://bit.ly/postman-student-program

40. Q&A