INF397 Full Stack Technologies

Using APIs

Using 3rd party services

  • Getting access
  • Making requests
  • Web Hooks

Open APIs

  • Data is publicly available
  • No authentication or authorization needed
  • Example: GitHub's Public API

Protected APIs

  • Must register (pay) to access data
  • No end-user login or data available
  • Example: Numbeo, Google Maps (basic)

User resource APIs

  • Must register your application with provider
  • End-user login and data are available through scopes
  • Example: Google, Facebook, Spotify, etc.

OAuth 2

  • Authentication
  • Authorization
  • No user password sharing
  • Users can revoke access

OAuth 2 concepts

  • Users, Client, Provider
  • App Id, App Secret & Redirect Uri
  • User Id, User Tokens & Scopes

OAuth 2: Register your Application

  1. Create a developer account with a provider
  2. Submit an application name and callback url
  3. Receive application id and secret

OAuth 2: Authorization Workflow

  1. App sends the provider its app id and callback url
  2. Provider redirects user to login & grant access
  3. Provider redirects back to your application with access-token
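
The workflow above as an added example (not part of the original slides): it builds the step 1 request and validates the step 3 redirect. It uses the authorization code grant, so the redirect carries a short-lived code that the server exchanges for the access-token instead of the token itself. The endpoint, app id and URLs are placeholders supplied by the caller.

```javascript
// Added example: function names and parameter names are illustrative, not from the slides.
const { randomBytes, timingSafeEqual } = require('crypto');

// Step 1: send the user to the provider with the app id, callback URL, scopes and
// an unguessable `state` value that ties the later callback to this browser session.
function buildAuthorizationUrl({ authorizeEndpoint, clientId, redirectUri, scopes }) {
  const state = randomBytes(32).toString('hex');
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    state,
  }).toString();
  return { url: url.toString(), state }; // keep `state` in the user's server-side session
}

// Constant-time comparison so the check does not leak how much of `state` matched.
function sameState(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Step 3: validate the redirect before trusting anything in it.
function handleCallback(callbackUrl, { redirectUri, expectedState }) {
  const got = new URL(callbackUrl);
  const registered = new URL(redirectUri);
  if (got.origin !== registered.origin || got.pathname !== registered.pathname) {
    throw new Error('callback does not match the registered redirect URI');
  }
  const params = got.searchParams;
  if (!params.get('state') || !sameState(params.get('state'), expectedState)) {
    throw new Error('state mismatch: possible request forgery');
  }
  if (params.get('error')) throw new Error(`provider refused: ${params.get('error')}`);
  if (!params.get('code')) throw new Error('no authorization code in callback');
  // Exchanged server-side, together with the app secret, for the access-token.
  return params.get('code');
}
```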

OAuth 2: Workflow Illustrated

OAuth 2: Making requests

  • Request user resources with access-token
  • Watch for quotas & rate limits
  • Access-token MUST be stored securely

Security concerns using/exposing APIs

  • injection
  • phishing
  • request forgery
  • denial of service
  • sensitive data leak

Course Schedule:

week 1 03.02.2017 History of the web Fullstack Principles Development Processes Agile Processes DevOps Basics Git
week 2 10.02.2017 Frontend Overview Backend Overview Network Overview Testing JavaScript Overview JavaScript Tooling
week 3 17.02.2017 Web Architectures RESTful principles SOLID principles Web Components Continuous Integration
week 4 24.02.2017 Databases basics Using APIs Deployment Automation Monitoring In-class project consultations
week 5 17.03.2017 Project presentations
Final Test
Course Retrospective and Q&A