
API Design in Node.js, v3 Authentication in APIs Overview
This course has been updated! We now recommend you take the API Design in Node.js, v4 course.
Transcript from the "Authentication in APIs Overview" Lesson
[00:00:04]
>> Scott Moss: All righty, so what good would API be if we couldn't lock it down? So that's what we're gonna talk about. We're gonna talk about authentication with json web tokens or JWTs or jots, whatever people want to call them. Anybody ever heard of those before, JWT? Anyone ever used them?
[00:00:23] Okay, there we go, that's good to know. All right, yeah, so Auth basics.
>> Speaker 2: I set them up, but I don't actually use them.
>> Scott Moss: [LAUGH] But you set them up, and that's the most important part. That's harder than using them. Auth basics. Basically you can never truly protect an API.
[00:00:42] I mean you just really can't. There just really isn't a way. But requiring authentication makes it a bit safer. So yes, you can lock down an API with JWTs or something like that. But at the end of the day, people are gonna find a way to get to it anyway.
[00:01:02] There's nothing, cuz your vulnerability are gonna be your users. They're always gonna be vulnerable, so people can get to the API through them. So there really is no way you can lock it down because a person has to use it eventually. Or an application that you're using, their application is insecure.
[00:01:17] So either way, your application is just gonna be hacked by somebody if it wants to be. So there really isn't a safe way, but you can just make it harder for them, and that's what authentication is gonna do. So authentication is controlling if an incoming request can proceed or not, that's basically it.
[00:01:32] Can this request go forward and do what it's trying to do? That's authentication at its finest. At least in the context of what we're gonna be doing. Authorization is controlling if an authenticated request has the correct permissions to access a resource. So after you even authenticate it, we need to see if you're authorized to do what you're asking to do.
[00:01:52] Are you authorized to delete work spaces, are you authorized to change their credit card information, although you are authenticated? So that's the difference. So that's like you're using like some type of roles or something like that. That's like authorization. Identification is basically, who is this requester? What user is it, what application is it?
[00:02:13] I need to identify what, who this request is. So, those are the three different things when people, when I hear people say about authentication, they're really talking about all three of those. They're just summarizing it with the word Auth. So, that's basically what it is. What we're going to be doing is, yeah, basically all three of them.
[00:02:32] But we're gonna let JWTs do it for us and you'll see how.