API Access Control Workshop

Master access control for API's

This is an opinionated workshop on how to design and implement access control for APIs.

API keys are an easy and commonly used technique. However, the security guarantees afforded are very limited. JSON Web Tokens (JWT) are much more granular and need not rely on shared keys.

Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed. In this course, we implement the latter on AWS Lambda while AWS API Gateway is configured to serve as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture.

We set up an AWS Cognito User Pool to issue JWTs that afford access to our APIs and implement a Single Page Application (SPA) in React that obtains those JWTs from the authorization server via OAuth and OpenID Connect protocols. Alternative grants and flows are compared and we discuss when to use which.

Good security does not detract from the User eXperience (UX). Hence we discuss techniques to make access control (almost) invisible to the user.

The workshop combines live coding by the instructor and hands-on work from participants. At the end of the workshop, all participants should master how to set up an authorization server, protect serverless APIs and how to call them from a rich client.

Why Attend

Attend this workshop if you want to:

Understand threats to APIs
Design access control measures
Appreciate the extent and limitations of OAuth 2.0 and OpenID Connect
Understand security token validation steps to be taken
Choose an appropriate protocol to obtain security tokens

Who Should Attend

This hands-on, practical workshop is aimed at Developers, Architects, Testers and Technical Leaders.

Practical Details

Language: English
Experiential, hands-on, interactive online learning with practical examples
Participants will be awarded a Mozaic Works certificate of completion

This Learning Program is Available on Demand

Agenda

Protecting APIs

API keys
JWTs

Clients

Sharing API keys
OAuth 2.0
OpenID Connect

Authorization Servers

Architectural considerations

These concepts are taught using concrete implementations. For this course, the following technology stack will be used:

Resource server: AWS API Gateway and Lambda
Authorization server: AWS Cognito
Client: React

More details and full agenda here

Prerequisites

Participants should be familiar with REST API concepts
They should have access to an AWS account. All the exercises in the workshop can be done within the Amazon free tier
Participants should bring a laptop to this session running a REST client such as Postman or HTTPie
The laptop should also have Node.js version 8 installed, including editor or IDE
Participants should have notions of JavaScript. Knowledge of React is a bonus, but not essential
A barebones JavaScript client including a development server is provided (https://github.com/JohanPeeters/rest-client-tutorial) as a starting point. Participants are encouraged to clone and install this project before the workshop

Meet Your Trainers

Johan Peeters

Independent Software Architect

Johan is an independent software architect with a special interest in security. In 2004 he was so appalled at the poor security he encountered in his daily practice, that he turned to friends and colleagues in industry and universities to run a week-long course on developing secure software applications. Hence the first SecAppDev course took place in February 2005 and the partnership that formed between faculty members of KU Leuven, Solvay Brussels School of Economics and Management and professional software developers grew into a non-profit organisation offering an annual internationally acclaimed course.

More about Johan Peeters >