This is an opinionated workshop on how to design and implement access control for APIs.
API keys are an easy and commonly used technique for API access control. However, the security guarantees they afford are very limited. JSON Web Tokens (JWT) are much more granular and need not rely on shared keys.
Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed. In this course, we implement the latter on AWS Lambda while AWS API Gateway is configured to serve as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture.
We set up an AWS Cognito User Pool to issue JWTs that afford access to our APIs and implement a Single Page Application (SPA) in React that obtains those JWTs from the authorization server via OAuth and OpenID Connect protocols. Alternative grants and flows are compared and we discuss when to use which.
Good security does not detract from the User eXperience (UX). Hence we discuss techniques to make access control (almost) invisible to the user.
The workshop combines live coding by the instructor with hands-on work by participants. At the end of the workshop, all participants should know how to set up an authorization server, protect serverless APIs, and call them from a rich client.