
Authentication and Authorization in APIs

In this workshop, I will be sharing about authentication and authorization in APIs. I will briefly explain the difference between authentication and authorization, and provide real-world examples. I will also share what Postman is and what a workflow in Postman is. Postman will be the tool we will be using for our demo.

We will then have a look at the different authentication and authorization methods used in APIs. My focus will be on using OAuth 2.0. I will then share what the Auth Dance is and how it works under the hood. You will get to understand why it is the preferred authentication and authorization method for many APIs.

Finally, we will use Postman to build a demo: a Spotify Song Recommender Workflow that recommends a couple of songs based on the first song you give it.

This workshop was part of a Women Tech Makers End-of-Year Workshop event for the WTM Nairobi chapter.

Event Link: https://gdg.community.dev/events/details/google-gdg-nairobi-presents-wtm-nairobi-end-year-workshop/

Clifford Ouma

December 17, 2022
Transcript

  1. Mission
    You've been hired by a professional music blogger to create a workflow that helps them discover new music. You'll use the Spotify Web API to let the blogger search for songs they like and find similar music!
  2. What you will learn (go.postman.co/build)
    Making API requests with Auth. Calling a real-world REST API. Chaining multiple API calls to build a workflow. Visualizing response data.
  3–4. Introducing: Workflows (Authentication and Authorization)
    Workflows are a chain of requests that execute in a particular order. Requests are dependent on one another. They can be executed in different sequences.
  5. Introducing: Auth (Authentication and Authorization)
    Authentication = verifying identity. Authorization = granting permissions. Both are the first line of defense for the API.
  6. Authentication vs Authorization
    Authentication identifies that you are who you say you are (e.g. Twitter verification). Authorization verifies what permissions you have (e.g. restricted areas).
  7. Basic Auth
    The simplest form of auth. Uses an email and password to verify users. You have to trust that the API hashes your password. Requires an HTTPS connection for security.
  8. API Keys: your invitation to use the API
    API keys are alphanumeric strings that provide basic access to the API's services and data. They are provided by the API upon signup, and allow developers to impose rate limits and revoke access on a ToS violation. Example key shown on the slide: a4db08b7-5729-4ba9-8c08-f2df493465a1
  9. OAuth (Open Authorization)
    OAuth gets access to protected data. It is sophisticated and uses tokens and an ID to authorize, but access is scoped. There are 2 versions: OAuth1 and OAuth2.0.
  10. Takeaways from the valet scenario
    You give the valet the key. The key has limited access to the car.
  11–13. Do the OAuth Dance 🕺🏽 (Authorization code grant type)
    Parties: Resource owner (User), Client (Application), Authorization server, Resource server.
    1. Authorization Request: "Can I view your Google contacts?" (Client to Resource owner)
    2. Authorization Grant Code: "OK!" (Resource owner to Client)
    3. Authorization Grant Code: "Please give me an access token" (Client to Authorization server)
    4. Access Token: "Here you go" (Authorization server to Client)
    5. Access Token: "Please give me the user's contacts" (Client to Resource server)
    Protected Resource: "Here you go" (Resource server to Client)
  14–18. Do the OAuth Dance 🕺🏽: Grant types (Grant Type / Optimization / When to Use)
    Authorization Code / Server + Web/Mobile: For apps involving a backend (server) that can hide a client secret.
    Authorization Code with PKCE / Web, Mobile: Single-page apps and native apps, where the client secret cannot be hidden from the public.
    Password / 1st-party apps: For security reasons, this should only be used with apps made by the service itself (1st-party apps).
    Client Credentials / Server-to-server: For application-to-application communications when a user is not present in the workflow and the client must authenticate itself.
    Implicit / Legacy: Now prefer use of Authorization Code with PKCE for frontend-only apps.
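    The client side of the Authorization Code dance above, with the PKCE extension the grant-type table recommends for apps that cannot hide a client secret. This is an added example, not code from the workshop or from Postman: the authorize endpoint, client id and redirect URI are placeholders, and the three functions build step 1 (the authorize URL), check step 2 (the redirect carrying the code and state) and prepare step 3 (the token request body that proves possession of the code_verifier).

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint, client id and redirect URI (assumed for this example)
AUTHORIZE_URL = "https://accounts.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """Random code_verifier: 32 bytes -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))

def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier: str, state: str, scope: str) -> str:
    """Step 1: URL the browser is sent to; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the code off the redirect; a wrong state means a forged callback."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this client")
    if "error" in q:
        raise ValueError("authorization denied: " + q["error"][0])
    return q["code"][0]

def token_request(code: str, verifier: str) -> dict:
    """Step 3: form body for the token endpoint; the verifier proves we began step 1."""
    return {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
```

    Because the server compares SHA256(code_verifier) with the code_challenge it saw in step 1, a stolen authorization code is useless without the verifier, which never left the client.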
  19. Do the OAuth Dance (in Postman)
    1. Enter grant type and credentials. 2. Get access token. Postman simplifies this process.
  20. What does this have to do with workflows?
    Almost every API you come in contact with will have some form of authentication and/or authorization. This information is imperative to creating today's workflow (and any other workflows or applications you create!)
  21. What we're gonna do: Spotify Song Recommendation Workflow
    You've been hired by a busy music blogger to create a workflow that helps them discover new music. You'll use the Spotify Web API to let the blogger search for songs they like and find similar music! In this exercise we will be using: the Spotify API, OAuth 2 and Postman.
  22. Your turn!
    Getting started: 1. Fork this collection. 2. Follow the instructions in "Your turn!". The blogger wants more accurate song recommendations based on artists they like! Build a workflow that allows the blogger to enter three artists to generate 5 song recommendations.
  23. Going further
    Create a playlist of an authenticated user's most-played songs. Create a playlist of songs with no words (for studying!). Find recommendations based on a user's currently playing track. ...Your idea here! What workflows could you make? Explore the Spotify API reference.
  24. Continue Learning: APIs as a Student Expert
    Student Expert certification indicates that you are proficient in the essential skills involved in building and testing API requests in Postman, including: sending more sophisticated requests in Postman; editing documentation for a collection; writing basic test scripts; running collections, passing data between requests, and scripting request execution order. You also have the option to become a Student Leader in your community.
  25. Q&A