Steps to building authentication and authorization for RESTful APIs
Skilled Software Developer with 3+ years of experience in the full SDLC creating dynamic web applications. Updates functionality based on customer requirements to ensure excellent user experience.
Authentication & Authorization
One of the challenges in building any RESTful API is having a well-thought-out authentication and authorization strategy. Cross-cutting concerns like authentication, security, and logging are always challenging and involve many stakeholders.
Authentication: Involves verifying that the caller is who they claim to be. This may involve checking a username/password or checking that a token is correctly signed and not expired. Authentication alone does not say whether this person may access a particular resource.
Authorization: Involves checking which resources the authenticated user is allowed to access or modify, via defined roles or claims. For example, an authenticated user may be authorized for read access to a database but not allowed to modify it. The same applies to your API: most users can access certain resources or endpoints, while special admin users have privileged access.
For authorizing access to a collection of resources, you can often get away with just two endpoints (and one header!). Make sure the API for /documents returns the Vary: Authorization header, so that any shared cache keys its stored responses on the caller's credential instead of serving one user's view of the collection to another. Then you can use:
GET /api/documents // return all docs the logged-in user can see
GET /api/documents?userId=bob // return all of bob's docs that the logged-in user can see
GET /api/documents/123 // return doc 123 if the logged-in user can see it
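The three endpoints above, as an added example that is not from the original article: a framework-free Python model where authentication (who is calling) is separated from authorization (what they may see), every response carries Vary: Authorization, and the token store, users and documents are constructed sample data.

```python
# Constructed sample data (assumptions for this example, not from the article).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-admin": "root"}
ROLES = {"root": {"admin"}}
DOCUMENTS = {
    123: {"owner": "bob", "shared_with": {"alice"}},
    124: {"owner": "bob", "shared_with": set()},
    125: {"owner": "alice", "shared_with": set()},
}


def authenticate(headers):
    """Authentication only: map a bearer token to a username, or None if invalid."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return TOKENS.get(token)


def can_see(user, doc):
    """Authorization only: may this already-authenticated user read this document?"""
    is_admin = "admin" in ROLES.get(user, set())
    return is_admin or user == doc["owner"] or user in doc["shared_with"]


def respond(status, body):
    # Vary: Authorization tells shared caches the body depends on the credential,
    # so alice's document list is never served from cache to bob.
    return status, {"Vary": "Authorization"}, body


def get_documents(headers, user_id=None):
    """GET /api/documents[?userId=...]: only documents the caller may see."""
    user = authenticate(headers)
    if user is None:
        return respond(401, {"error": "authentication required"})
    ids = sorted(i for i, d in DOCUMENTS.items()
                 if can_see(user, d) and (user_id is None or d["owner"] == user_id))
    return respond(200, {"documents": ids})


def get_document(headers, doc_id):
    """GET /api/documents/<id>: the document, if the caller may see it."""
    user = authenticate(headers)
    if user is None:
        return respond(401, {"error": "authentication required"})
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_see(user, doc):
        # Same answer for "missing" and "forbidden" so callers cannot enumerate ids.
        return respond(404, {"error": "not found"})
    return respond(200, {"id": doc_id, "owner": doc["owner"]})
```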
Defining the actual token
One of the first things to think about when creating an auth strategy is what type of token you will use. There are a variety of methods, but two of the most common are:
- JWT
- Opaque
These will be discussed in the next article. Thanks for your patience.