API Access Control Workshop

Master access control for API's

This is an opinionated workshop on how to design and implement access control for APIs.

API keys are an easy and commonly used technique. However, the security guarantees afforded are very limited. JSON Web Tokens (JWT)  are much more granular and need not rely on shared keys.

Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed. In this course, we implement the latter on AWS Lambda while AWS API Gateway is configured to serve as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture.

We set up an AWS Cognito User Pool to issue JWTs that afford access to our APIs and implement a Single Page Application (SPA) in React that obtains those JWTs from the authorization server via OAuth and OpenID Connect protocols. Alternative grants and flows are compared and we discuss when to use which.

Good security does not detract from the User eXperience (UX). Hence we discuss techniques to make access control (almost) invisible to the user.

The workshop combines live coding by the instructor and hands-on work from participants. At the end of the workshop, all participants should master how to set up an authorization server, protect serverless APIs and how to call them from a rich client.

Why Attend

Attend this workshop if you want to:

  • Understand threats to APIs
  • Design access control measures
  • Appreciate the extent and limitations of OAuth 2.0 and OpenID Connect
  • Understand security token validation steps to be taken
  • Choose an appropriate protocol to obtain security tokens

Who Should Attend

This hands-on, practical workshop is aimed at Developers, Architects, Testers and Technical Leaders.

Practical Details

  • Language: English
  • Experiential, hands-on, interactive online learning with practical examples
  • Participants will be awarded a Mozaic Works certificate of completion

This Learning Program is Available on Demand

    Agenda

    Protecting APIs

    • API keys
    • JWTs

    Clients

    • Sharing API keys
    • OAuth 2.0
    • OpenID Connect

    Authorization Servers

    Architectural considerations

    These concepts are taught using concrete implementations. For this course, the following technology stack will be used:

    • Resource server: AWS API Gateway and Lambda
    • Authorization server: AWS Cognito
    • Client: React

    More details and full agenda here

    Prerequisites

    • Participants should be familiar with REST API concepts
    • They should have access to an AWS account. All the exercises in the workshop can be done within the Amazon free tier
    • Participants should bring a laptop to this session running a REST client such as Postman or HTTPie
    • The laptop should also have Node.js version 8 installed, including editor or IDE
    • Participants should have notions of JavaScript. Knowledge of React is a bonus, but not essential
    • A barebones JavaScript client including a development server is provided (https://github.com/JohanPeeters/rest-client-tutorial) as a starting point. Participants are encouraged to clone and install this project before the workshop

    Meet Your Trainers

    Johan Peeters

    Independent Software Architect

    Johan is an independent software architect with a special interest in security. In 2004 he was so appalled at the poor security he encountered in his daily practice, that he turned to friends and colleagues in industry and universities to run a week-long course on developing secure software applications. Hence the first SecAppDev course took place in February 2005 and the partnership that formed between faculty members of KU Leuven, Solvay Brussels School of Economics and Management and professional software developers grew into a non-profit organisation offering an annual internationally acclaimed course.

    More about Johan Peeters >
    0
      0
      Your Cart
      Your cart is empty
        Apply Coupon
        Unavailable Coupons
        aniscppeurope2022 Get 20.00 off
        Scroll to Top