Solution: Securing APIs

This exercise focuses on using Auth0 to define API security, collecting the access control parameters, modifying API source code, and then testing the results.

Defining API in Auth0

The exercise instructions included the name of the new API security definition (bigco-credit-check). To create this definition, we need to log in to the http://auth0.com website and navigate to the dashboard page. There, we can select the API’s options in the left navigation pane and, when the list of APIs appears, click the “Create API” button that appears in the top-right corner of the screen. This brings up the “New API” dialog box, where we can enter “bigco-credit-check” into the “Name” field. We also need to enter our API identifier (for example, http://api.mamund.com/bigco-credit-check). Once both values have been supplied, click the “Create” button at the bottom of the dialog box. This completes the definition and takes us to the new landing page for that API.

Collecting the API’s access control parameters

The next step is to collect the five important access control parameters (Name, Identifier, Client ID, Client Secret, and Domain) for our API. The Name and Identifier values are in the “Settings” tab of the API’s landing page. The other three values (Client ID, Client Secret, and Domain) are on the API’s application page. We can find this page by clicking the “Applications” option in the left navigation pane of the dashboard and then selecting the “bigco-credit-check application” from that list. When we select it, we’ll be taken to the landing page where the Client ID, Client Secret, and Domain are displayed.

We need to collect all five values and write them into the proper spots in the auth0.env file. That file looks something like this: