Dave Westerveld introduces you to some of the high-level considerations in API security and helps you to understand the distinction between authorization and authentication.
- [Instructor] One of the more difficult parts of working with an API is security. Since APIs can be used programmatically, they can be attacked in many different ways. We need to be careful in designing them. And so there's a lot of thought and effort that goes into making sure that they're secure. This is good, but sometimes it can make it a little more difficult to work with APIs that need authentication. There's a number of different protocols that can be used to secure an API, and we'll get to them a bit more in future videos. But I want to start with understanding the difference between authorization and authentication.
So in security you hear these two terms, and it's sometimes hard to distinguish exactly what they are. But it's good for us to understand the difference between them. So in essence, authentication is about verifying who you are, and authorization is about verifying what you can do. Now, that sounds pretty abstract and it's hard to get your mind around. So let's think this through with a real-life example. Let's say you're at a restaurant and you want to order an alcoholic beverage. They ask to see your ID. Your ID allows them to both authenticate and authorize you.
They can authenticate that you are who you say you are by matching up the picture on your ID. And they can verify that you are indeed using the proper ID, and they can also authorize you. By looking at your birthdate, they can figure out how old you are and see if you're old enough to be served alcohol. So let's summarize this. Authentication is: are you who you say you are? And this is an example of matching up the picture and the name on an ID. So are you Dave Westerveld? Your ID has a picture and a name that allows them to authenticate that you are who you say you are.
And then the second aspect of it is authorization. Are you allowed to do what you're asking to do? So this is looking at your ID and seeing the date of birth and saying, are you old enough to be served alcohol? Are you authorized to have this happen? Now, much the same as with your ID, in API security we usually combine the authorization and the authentication together. And so you only need to give one token, or one ID badge if we think of it as an ID, that can be used to validate both your authentication and your authorization in one step.
So we'll dig into some more ways on how to do this in the next few videos, but hopefully this helps to make those grounding concepts a little more clear for you for now.
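The "one token validates both" idea from the video, shown as an added example that is not part of the course: a small HMAC-signed bearer token whose signature check answers the authentication question (is this really our token, for this subject?) and whose scope claim answers the authorization question (may this subject do this?). The signing secret, the claim names and the `handle_request` helper are assumptions for the demo, not anything the course defines.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Demo-only signing key (assumed); a real service loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes: list, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a token that states who the caller is (sub) and what they may do (scopes)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def authenticate(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Authentication: is this genuinely our unexpired token? Returns the claims or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """Authorization: do the already-verified claims permit this action?"""
    return required_scope in claims.get("scopes", [])


def handle_request(token: str, required_scope: str, now: Optional[int] = None) -> int:
    """One token check answers both questions; returns an HTTP-style status code."""
    claims = authenticate(token, now)
    if claims is None:
        return 401  # we do not know who you are
    if not authorize(claims, required_scope):
        return 403  # we know who you are, but you may not do this
    return 200
```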