REST Identity and Access Management

REST services are very popular. Unfortunately, many are not secure.

The rise of REST services has been accompanied by the emergence of new standards and components for access control. This workshop aims to provide a hands-on overview of available building blocks and show how they can be made to work together.

We argue that REST APIs are best protected with self-contained JWT (JSON Web Token) tokens issued by a central authorization server. OAuth and OpenID Connect (OIDC) are standards for obtaining security tokens that are widely supported by authorization servers and client libraries alike. The former provides a means for an end user to delegate access privileges to partially trusted clients; the latter adds a simple layer on top of OAuth for disclosing identity information. JWT, OAuth and OIDC are shown in action in demos, and participants are invited to protect some simple APIs with them.

We will be live coding a secure REST API and React client. Participants are encouraged to follow along and try some of the things we demonstrate, so it is a good idea to bring a laptop to this session running a REST client such as Postman or HTTPie, Node 8 and a JavaScript editor or IDE. We will be using the Auth0 IDaaS platform, so registering for a free account would save time during the session.

May 15 @ 13:25
13:25 — 15:10 (1h 45′)

Michael Boeynaems