REST services are very popular. Unfortunately, many are not secure.
The rise of REST services has been accompanied with the emergence of new standards and components for access control. This 1 day tutorial provides a hands-on overview of available building blocks and shows how these work together.
We argue that REST APIs are best protected by a self-contained JWT (JSON Web Token) issued by a central authorization server. OAuth and OpenID Connect (OIDC) are standards for obtaining security tokens widely supported by both authorization servers and client libraries. The former provide a means for an end user to delegate access privileges to partially trusted clients, the latter adds a simple layer on top of OAuth for disclosing identity information. JWT, OAuth and OIDC are shown in action and participants are invited to use them to protect simple APIs.

Target audience:
Developers of REST API producers and consumers. Consumer-side we will be covering mobile apps, traditional back-end web apps and Single Page Applications.

Training outline:

• JWT - presentation
• Overview of OAuth flows - presentation
• OAuth Client Credentials and Resource Owner Credentials Grant - hands-on
• Overview of OIDC flows with a link to the OAuth flows - presentation
• Development of Single Page Application with OIDC Implicit Flow - hands-on
• Security token validation - presentation
• Development of an access controlled REST service - hands-on
• Integrating back- and front-end - presentation
• Integrating back- and front-end - hands-on