REST services are very popular. Unfortunately, many are not secure.
The rise of REST services has been accompanied by the emergence of new standards and components for access control. This workshop aims to provide a hands-on overview of available building blocks and show how they can be made to work together.
We argue that REST APIs are best protected with self-contained JWT (JSON Web Token) tokens issued by a central authorization server. OAuth and OpenID Connect (OIDC) are standards for obtaining security tokens that are widely supported by authorization servers and client libraries alike. The former provides a means for an end user to delegate access privileges to partially trusted clients; the latter adds a simple layer on top of OAuth for disclosing identity information. JWT, OAuth and OIDC are shown in action in demos, and participants are invited to protect some simple APIs with them.
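To make the "self-contained token" idea concrete, here is an added example (not workshop code) showing both roles in miniature: an authorization server that mints an HS256-signed JWT, and a resource server that validates it locally, with no call back to the issuer. The shared secret, issuer URL and audience name are constructed placeholders; the example uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the workshop): the HS256
# secret is shared between the authorization server and the API, and the
# issuer/audience strings are hypothetical placeholders.
SHARED_SECRET = b"workshop-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "orders-api"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()


def issue_token(subject: str, scope: str, ttl_seconds: int = 300, now=None) -> str:
    """Authorization server role: mint a self-contained, signed JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": subject,
        "scope": scope,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [b64url_encode(sign(signing_input))])


def validate_token(token: str, required_scope: str, now=None) -> dict:
    """Resource server role: verify the token locally, without contacting the
    authorization server. Raises ValueError with a reason on any failure."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = segments
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise ValueError("undecodable token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("undecodable token")
    # Pin the algorithm: the token's own header must never choose the
    # verification method, so "none" or any other alg is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = sign(f"{header_b64}.{claims_b64}".encode("ascii"))
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    # Only after the signature holds do the claims mean anything.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("insufficient scope")
    return claims


def authorize_request(token: str, required_scope: str, now=None) -> str:
    """Return "ok" when the request may proceed, otherwise the rejection reason."""
    try:
        validate_token(token, required_scope, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    token = issue_token("alice", "orders:read")
    print(token)
    print(authorize_request(token, "orders:read"))   # ok
    print(authorize_request(token, "orders:write"))  # insufficient scope
```

The order of checks matters: algorithm pinning and signature verification come first, and issuer, audience, expiry and scope are only inspected once the signature is known to be genuine. With HS256 every API that can verify a token can also mint one, because it holds the same secret; when several resource servers share one authorization server, an asymmetric algorithm such as RS256 or ES256 lets each API hold only the public key.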