1
00:00:00,300 --> 00:00:01,890
Memi: So, our next topic

2
00:00:01,890 --> 00:00:04,830
is authentication and authorization.

3
00:00:04,830 --> 00:00:08,433
So, what exactly are those two and why do we need them?

4
00:00:10,050 --> 00:00:11,580
When developing an API,

5
00:00:11,580 --> 00:00:15,990
many times our API will not always be publicly accessible,

6
00:00:15,990 --> 00:00:18,600
and we wouldn't want anyone with a computer

7
00:00:18,600 --> 00:00:21,720
and an Internet connection to be able to access it.

8
00:00:21,720 --> 00:00:25,530
We would like that only authorized users may access it,

9
00:00:25,530 --> 00:00:27,630
and other users should be asked

10
00:00:27,630 --> 00:00:32,189
for some kind of identification and may be denied access.

11
00:00:32,189 --> 00:00:33,900
Now, to make that happen

12
00:00:33,900 --> 00:00:37,263
we need to have authentication and authorization.

13
00:00:38,430 --> 00:00:41,220
Authentication is the process

14
00:00:41,220 --> 00:00:43,920
where the system identifies the user.

15
00:00:43,920 --> 00:00:46,910
So, we now know who the user is.

16
00:00:46,910 --> 00:00:51,000
And authorization is the process of figuring out

17
00:00:51,000 --> 00:00:53,730
what the user is allowed to do.

18
00:00:53,730 --> 00:00:56,130
So, note the difference between the two.

19
00:00:56,130 --> 00:00:58,032
One tells us who the user is

20
00:00:58,032 --> 00:01:02,310
and the other one what the user is allowed to do.

21
00:01:02,310 --> 00:01:05,459
Now, when talking about authentication and authorization,

22
00:01:05,459 --> 00:01:07,830
it's important to understand where exactly

23
00:01:07,830 --> 00:01:10,230
the API fits in.

24
00:01:10,230 --> 00:01:12,750
So, here is the authentication flow.

25
00:01:12,750 --> 00:01:17,750
We have the code exposing an API and we have the user.

26
00:01:18,300 --> 00:01:20,970
The user calls the API

27
00:01:20,970 --> 00:01:24,145
passing in the authentication and authorization data.

28
00:01:24,145 --> 00:01:29,145
The API passes the data to the code

29
00:01:29,490 --> 00:01:34,470
and the code decides what to do exactly with this data.

30
00:01:34,470 --> 00:01:38,310
So, in the context of our course, which is about APIs

31
00:01:38,310 --> 00:01:41,250
and not about authentication and authorization,

32
00:01:41,250 --> 00:01:43,680
the relevance of the API to this discussion

33
00:01:43,680 --> 00:01:47,520
is that the API passes the data to the code.

34
00:01:47,520 --> 00:01:50,280
So, the API itself does not perform

35
00:01:50,280 --> 00:01:53,010
the authentication and authorization checks.

36
00:01:53,010 --> 00:01:56,580
So, how do we implement authentication and authorization?

37
00:01:56,580 --> 00:01:59,963
There are many mechanisms performing these checks.

38
00:01:59,963 --> 00:02:03,240
In this course, we will focus on a specific

39
00:02:03,240 --> 00:02:07,260
and very popular mechanism called OAuth 2.

40
00:02:07,260 --> 00:02:10,110
And in the next lecture we will understand exactly

41
00:02:10,110 --> 00:02:13,383
how OAuth 2 works and how to implement it.

