Overcoming Access Control in Web APIs

Explore strategies for securing and managing access to web APIs in this EuroPython 2020 conference talk. Learn about token-based authentication, scoping for access levels, and implementing JWT strategies for both third-party integrations and single-page applications. Discover best practices for storing JWTs in browsers and controlling access privileges using structured scopes. Gain insights into various authentication methods, including cookies, headers, and session-based requests. Understand the challenges of securing APIs for both direct and browser-based access, and explore solutions using JSON Web Tokens. Apply these concepts to any web API framework, with a focus on implementation using the Sanic async web framework.

Intro
Welcome
Authentication
Endpoint
Protect endpoint
Protect decorator
Middleware
Authentication Failure
What we want
Determining authentication
Cookies headers
Intersession tickets
Session based requests
Nonsession based requests
Sessionbased requests
Strategy
Direct or Browser API
Why do we want to know
The problems with browsers
How is this typically handled
Recap
What if our API has to do both
What is a JSON
How to handle JSON
Python code
Solution
Structured scopes
Check mark
Cookies
API endpoints
Questions