AppSec Europe 2018 has ended
Wednesday, July 4 • 8:00am - 5:00pm
1-Day Training: Access Control for REST APIs


REST services are very popular. Unfortunately, many are not secure.
The rise of REST services has been accompanied by the emergence of new standards and components for access control. This 1-day tutorial provides a hands-on overview of the available building blocks and shows how they work together.
We argue that REST APIs are best protected by a self-contained JWT (JSON Web Token) issued by a central authorization server. OAuth and OpenID Connect (OIDC) are standards for obtaining security tokens that are widely supported by both authorization servers and client libraries. The former provides a means for an end user to delegate access privileges to partially trusted clients; the latter adds a simple layer on top of OAuth for disclosing identity information. JWT, OAuth and OIDC are shown in action, and participants are invited to use them to protect simple APIs.

Target audience:
Developers of REST API producers and consumers. On the consumer side we cover mobile apps, traditional back-end web apps and Single Page Applications.

Training outline:
  • JWT - presentation
  • Overview of OAuth flows - presentation
  • OAuth Client Credentials and Resource Owner Credentials Grant - hands-on
  • Overview of OIDC flows with a link to the OAuth flows - presentation
  • Development of Single Page Application with OIDC Implicit Flow - hands-on
  • Security token validation - presentation
  • Development of an access controlled REST service - hands-on
  • Integrating back- and front-end - presentation
  • Integrating back- and front-end - hands-on


Michael Boeynaems

Security Architect, Independent
I have a strong interest in cyber security matters, ranging from high-level architectural challenges to technical implementations. As an independent privacy & cyber security expert, I have the chance to prepare organizations end-to-end for future threats that are approaching quickly...

Johan Peeters

security architect, independent
I currently mainly work on access control for REST APIs, but I am also interested in identity and access management, security operations center architecture and cloud security. Apart from my commercial consulting and bespoke development activities, I also teach software security at...

Wednesday July 4, 2018 8:00am - 5:00pm BST
Wordsworth- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE