1
00:00:00,960 --> 00:00:04,620
-: So we talked a lot about authorization, authentication

2
00:00:04,620 --> 00:00:07,890
OAuth2, JWT tokens, et cetera.

3
00:00:07,890 --> 00:00:09,750
But our course is not

4
00:00:09,750 --> 00:00:13,470
about authentication and authorization, but about REST API.

5
00:00:13,470 --> 00:00:16,953
So, where does the REST API fit in this flow?

6
00:00:17,850 --> 00:00:22,080
So do you remember this step of sending the access token?

7
00:00:22,080 --> 00:00:25,020
So the client app is sending the access token,

8
00:00:25,020 --> 00:00:29,730
which now we already know is actually a JWT.

9
00:00:29,730 --> 00:00:33,510
So it sends the token to the resource server,

10
00:00:33,510 --> 00:00:36,690
and the resource server checks the signature

11
00:00:36,690 --> 00:00:38,553
and reads the payload.

12
00:00:39,420 --> 00:00:43,170
So what does REST API have to do with JWT?

13
00:00:43,170 --> 00:00:46,110
The JWT should be sent

14
00:00:46,110 --> 00:00:51,000
to the API using the authorization bearer header

15
00:00:51,000 --> 00:00:56,000
and this is where the JWT fits into the REST API.

16
00:00:56,040 --> 00:00:59,820
So when accessing an API of a resource server

17
00:00:59,820 --> 00:01:03,990
that needs JWT in order to make authorization decisions

18
00:01:03,990 --> 00:01:05,970
then the API should include

19
00:01:05,970 --> 00:01:10,830
an authorization bearer header containing the JWT.

20
00:01:10,830 --> 00:01:15,600
Now actually, the JWT can also be sent in the body

21
00:01:15,600 --> 00:01:17,370
or as a request parameter,

22
00:01:17,370 --> 00:01:19,860
but it is not recommended.

23
00:01:19,860 --> 00:01:23,550
So, as an example, if we want to send JWT

24
00:01:23,550 --> 00:01:26,070
to the code using the REST API,

25
00:01:26,070 --> 00:01:29,220
then our API should look like this.

26
00:01:29,220 --> 00:01:31,893
So you see here is the URL, in this case GET,

27
00:01:32,790 --> 00:01:37,790
and the host header and the authorization bearer header.

28
00:01:37,890 --> 00:01:42,180
So you see here a header named authorization

29
00:01:42,180 --> 00:01:47,180
and after this server bearer, and then the JWT.

30
00:01:47,490 --> 00:01:50,820
Note that this screenshot contains only a partial JWT,

31
00:01:50,820 --> 00:01:52,470
not a full one.

32
00:01:52,470 --> 00:01:55,620
So, this is how authentication and authorization

33
00:01:55,620 --> 00:01:57,900
should be used with REST API.

34
00:01:57,900 --> 00:02:00,720
And again, the API itself does not perform

35
00:02:00,720 --> 00:02:03,510
the actual authentication and authorization.

36
00:02:03,510 --> 00:02:07,920
It's only a transfer mechanism of the data required

37
00:02:07,920 --> 00:02:11,703
for the authorization and authentication to the actual code.

